security flaw?
| Field | Value |
|---|---|
| Project | OpenID |
| Version | 4.7.x-2.x-dev |
| Component | OpenID Client |
| Category | bug report |
| Priority | critical |
| Assigned | Unassigned |
| Status | by design |
Apparently, there is some sort of security flaw in the module. I got hit with the following:
```
205.234.106.105 - - [03/Feb/2007:20:48:34 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
67.15.217.19 - - [03/Feb/2007:20:48:34 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
62.212.81.166 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
62.212.81.166 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:36 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
67.15.217.19 - - [03/Feb/2007:20:48:36 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:36 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
```
I'm not sure what to make of these entries at the moment, but my host shut down my service until I disabled the OpenID module. Let me know if you need any more details.

#1
Interesting. I had OpenID installed on my site, but nobody has used it yet. I'll go ahead and shut it down until this potential issue is looked at.
#2
Um... and what is the potential security issue here? You've shown access log entries for clients attempting to perform Yadis discovery on your OpenID URL. This is as per spec... I'm missing what the issue is here.
Perhaps point your host to http://openid.net/specs.bml
Marking this as by design.
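As an added illustration of the traffic #2 describes (example code written for this page, not part of the Drupal OpenID module or of the thread), the script below parses the access-log lines from the report, counts discovery hits on `/openid/xrds` per client and per second, and flags a burst, so a site owner can answer a host's complaint with numbers rather than by disabling the module. The thresholds in `classify` are assumed values for a small site, not numbers from the spec or the module.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" access-log format, as in the lines posted in the report.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Sample input: the eleven lines from the original report (not a full log).
SAMPLE_LOG = """\
205.234.106.105 - - [03/Feb/2007:20:48:34 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
67.15.217.19 - - [03/Feb/2007:20:48:34 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
62.212.81.166 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
62.212.81.166 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:35 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:36 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
67.15.217.19 - - [03/Feb/2007:20:48:36 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
205.234.106.105 - - [03/Feb/2007:20:48:36 -0500] "POST /openid/xrds HTTP/1.0" 200 227 "-" "Opera/8.0"
"""

def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def discovery_summary(lines, path="/openid/xrds"):
    """Count hits on the Yadis discovery path per client IP and per second."""
    hits = [r for r in map(parse_line, lines) if r and r["path"] == path]
    if not hits:
        return {"per_ip": {}, "seconds": 0, "rate": 0.0}
    per_ip = Counter(r["ip"] for r in hits)
    span = (max(r["ts"] for r in hits) - min(r["ts"] for r in hits)).total_seconds()
    seconds = int(span) + 1  # inclusive window from first to last hit
    return {"per_ip": dict(per_ip), "seconds": seconds, "rate": len(hits) / seconds}

def classify(summary, max_per_ip=3, max_rate=1.0):
    """Routine discovery is a few fetches per login; thresholds are assumed values."""
    if not summary["per_ip"]:
        return "none"
    if summary["rate"] > max_rate or max(summary["per_ip"].values()) > max_per_ip:
        return "burst"
    return "routine"
```

Run against a real log with `discovery_summary(open("access.log"))`; a "burst" verdict points at a web-server rate limit on the discovery path, not at the module.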