50 lines
No EOL
1.4 KiB
Text
50 lines
No EOL
1.4 KiB
Text
https://github.com/paranoid/mod_auth_openid/blob/master/CVE-2012-2760.markdown
|
|
|
|
|
|
# Security Advisory 1201
|
|
Summary : Session stealing
|
|
Date : May 2012
|
|
Affected versions : all versions prior to mod_auth_openid-0.7
|
|
ID : mod_auth_openid-1201
|
|
CVE reference : CVE-2012-2760
|
|
|
|
# Details
|
|
Session ids are stored insecurely in /tmp/mod_auth_openid.db (default
|
|
filename). The db is world readable and the session ids are stored
|
|
unencrypted.
|
|
|
|
# Impact
|
|
If a user has access to the filesystem on the mod_auth_openid server,
|
|
they can steal all of the current openid authenticated sessions
|
|
|
|
# Workarounds
|
|
A quick improvement of the situation is to chmod 0400 the DB file.
|
|
Default location is /tmp/mod_auth_openid.db unless another location
|
|
has been configured in AuthOpenIDDBLocation.
|
|
|
|
# Solution
|
|
Upgrade to mod_auth_openid-0.7 or later:
|
|
http://findingscience.com/mod_auth_openid/releases
|
|
|
|
# Credits
|
|
This vulnerability was reported by Peter Ellehauge, ptr at groupon dot
|
|
com. Fixed by Brian Muller bmuller at gmail dot com
|
|
|
|
# References
|
|
mod_auth_openid project: http://findingscience.com/mod_auth_openid/
|
|
|
|
# History
|
|
15 May 2012
|
|
Discovered the vulnerability. Created private patch.
|
|
|
|
16 May 2012
|
|
Notified maintainer.
|
|
Obtained CVE-id
|
|
|
|
22 May 2012
|
|
Fixed by Brian Muller (bmuller at gmail dot com) in
|
|
mod_auth_openid-0.7 -
|
|
https://github.com/bmuller/mod_auth_openid/blob/master/ChangeLog
|
|
|
|
--
|
|
ptr |