• Advisory ID: DRUPAL-SA-2008-016
  • Project: OpenID (third-party module)
  • Version: 5.x-1.0
  • Date: 2008-January-30
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Identity impersonation

Description

The OpenID module has a vulnerability which allows OpenID version 2.0 positive assertions that are not properly verified to return an invalid or impersonated claimed_id. To exploit this vulnerability an attacker could set up an OpenID provider, example1.com, that claimed to be the authority for another domain, example2.com, when in fact it was not. Thus, example2.com OpenID's could be impersonated.

In OpenID 2.0, the OpenID provider may return a claimed_id that is different from the original claimed_id submitted by the user (and hence in the current session). If this is the case, then discovery must be performed on that claimed_id to ensure that the correct OpenID provider endpoint was used.

For more information, see http://openid.net/specs/openid-authentication-2_0.html#verify_disco .

Versions affected

OpenID (openid) versions:

  • 5.x-1.0 and earlier

Drupal core is not affected. If you do not use the contributed OpenID module, there is nothing you need to do.

Solution

Install the latest version:

See also the OpenID project page.

Reported by

Johnny Bufu.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.