Status: Closed (fixed)
Project: Gigya - Social Infrastructure
Version: 6.x-1.0-beta7
Component: Code
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 20 Nov 2009 at 16:52 UTC
Updated: 17 Dec 2009 at 21:30 UTC
A person's Gigya UID isn't intended to be secret information; it should be useless if you don't know a site's secret Gigya key. This module, however, allows you to log in as a Drupal user if you know only their Gigya UID. (You cannot authenticate as that user's Gigya identity, but you WILL get logged in as the Drupal user.) This only pertains to users that use a social provider for their authentication; it does not work for users that use Drupal for authentication.

I've attached a basic patch to remedy the issue.
| Comment | File | Size | Author |
|---|---|---|---|
| | gigya.patch | 677 bytes | azinck |
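The flaw the report describes is a login callback that trusts a client-supplied Gigya UID, which is a public identifier, instead of something only the site's secret key can produce. The following is an added illustration written for this page, not the module's code or the attached patch. It puts the vulnerable pattern beside a hardened one that accepts a login only when the request carries a fresh HMAC signature over the timestamp and UID keyed with the site secret, and then maps the Gigya UID to a Drupal account through a separate table rather than treating it as the Drupal uid. The secret, the UID-to-uid mapping and the request values are constructed; the "timestamp_UID" base string with HMAC-SHA1 over the base64-decoded secret is assumed to match Gigya's documented UID-signature scheme and should be checked against the vendor's current docs before reuse.

```python
"""Hypothetical resolver for a Gigya-style social-login callback (example only)."""
import base64
import hashlib
import hmac
import time

# Constructed sample secret standing in for the site's Gigya secret key,
# which the vendor issues base64-encoded.
SITE_SECRET_B64 = base64.b64encode(b"constructed-site-secret-0123456789").decode()

# Constructed link table from Gigya UID to Drupal uid. The module must keep a
# table like this rather than reuse the Gigya UID as the Drupal uid (comment #2).
GIGYA_TO_DRUPAL_UID = {"gigya-user-7f3a": 42}


def vulnerable_resolve_user(request):
    """The pattern the report describes: trust whatever UID the browser sends
    and log that account in. A Gigya UID is not secret, so knowing one is enough."""
    return request.get("uid")


def gigya_uid_signature(secret_b64, timestamp, uid):
    """base64(HMAC-SHA1(base64decode(secret), "<timestamp>_<UID>")).
    Assumed to follow Gigya's documented UID-signature format."""
    key = base64.b64decode(secret_b64)
    base_string = f"{timestamp}_{uid}".encode()
    mac = hmac.new(key, base_string, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def hardened_resolve_user(request, secret_b64=SITE_SECRET_B64, now=None, max_skew=180):
    """Return the Drupal uid to log in, or None. Requires a UID, a timestamp
    within max_skew seconds of now (limits replay), a signature that only the
    secret key could have produced, and an existing link to a Drupal account."""
    now = int(time.time()) if now is None else now
    uid = request.get("uid")
    try:
        ts = int(request.get("timestamp", ""))
    except (TypeError, ValueError):
        return None
    if uid is None or abs(now - ts) > max_skew:
        return None
    expected = gigya_uid_signature(secret_b64, ts, uid)
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, str(request.get("signature", ""))):
        return None
    return GIGYA_TO_DRUPAL_UID.get(uid)


def signed_request(uid, timestamp, secret_b64=SITE_SECRET_B64):
    """What a genuine callback carries; used here only to exercise the check.
    In production the signature comes from the identity provider, not the site."""
    return {"uid": uid, "timestamp": str(timestamp),
            "signature": gigya_uid_signature(secret_b64, timestamp, uid)}


if __name__ == "__main__":
    now = int(time.time())
    forged = {"uid": "1"}  # the bare-UID request comment #2 warns about
    print("vulnerable:", vulnerable_resolve_user(forged))                 # 1
    print("hardened:", hardened_resolve_user(forged, now=now))            # None
    genuine = signed_request("gigya-user-7f3a", now)
    print("genuine:", hardened_resolve_user(genuine, now=now))            # 42
```

The four rejections the hardened path enforces are independent: a bare UID fails the signature check, a valid signature copied onto a different UID fails because the UID is part of the signed string, an old but valid assertion fails the freshness window, and a properly signed UID with no linked Drupal account is still refused. Logging which of these fired is a cheap detection signal for forgery attempts against the callback.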
Comments
Comment #1
Gigya commented:
azinck,
Thank you for bringing this to our attention, we will work on adding the fix to our beta9 release, which should be available in a few weeks.
Itamar
Comment #2
azinck commented:
This is now a much more urgent issue since you're using the user's Drupal user ID as their Gigya ID! You can easily log in as the super user (UID = 1) on any site with this module installed!
No one should use this module in its current state.
Comment #3
Gigya commented:
Thanks for giving us the heads-up on this. We are working on fixing it now and will release an updated version without this security vulnerability asap.
Comment #4
Gigya commented:
Fixed in beta9.
Comment #5
Gigya commented:
Fixed in beta9.
Thanks a lot!!!