List: openid-security
Subject: Re: [security] Security issue with ruby-openid library
From: Chris <setenforce1 () gmail ! com>
Date: 2019-04-09 0:41:28
Message-ID: CADRwfSKcTBk+qYPsYK2wYNG_J4b7-kv6+yt1E43i+x5ztRjWhw () mail ! gmail ! com
Nat, no response from either project maintainer for the ruby-openid
project. I am communicating privately with known affected developers, but
I suspect there are hundreds more that I haven't discovered through manual
research.

In my testing, I found a PHP open source library for OpenID named
"LightOpenID" that is also high-risk to SSRF attacks. This PHP library
appears to be quite popular as well in the community, and in my opinion, is
even riskier than ruby-openid. In addition to the SSRF weakness, I was
able to demonstrate auth bypass against one affected app by performing what
is known as a Malicious Endpoint Attack (an attacker spoofs an OpenID 2.0
Provider (OP), and uses the Blind SSRF to gain unauthorized access to other
app user accounts).

The developer of the LightOpenID library has a notice at the top of his
README.md: NOTICE. I am no longer able to support or maintain this project -
if you would like to take over the project, please drop me a line.

I am communicating privately with known affected developers who use this
vulnerable OpenID library, but again, I suspect there are many, many more
that I don't know about.

I'll keep in touch using this thread. If you need more information, or
want more detail over a protected channel, let me know.

Best Regards
-chris
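The relying-party side of what Chris describes (an RP fetching whatever endpoint OpenID discovery hands it, so that a spoofed OP can steer the server-side request) is the part an SSRF guard on the discovered URL can address. The Ruby below is an added example written for this archive page; it is not code from ruby-openid, LightOpenID or anyone in the thread. The policy it enforces (https only, no userinfo, optional host allow-list, every resolved address outside private/loopback/link-local ranges, and pinning the validated address) and the names `validate_op_endpoint`, `safe_op_endpoint?`, `UnsafeEndpoint` and `BLOCKED_RANGES` are the editor's assumptions about a reasonable check, not anything the libraries implement.

```ruby
# Added example (not ruby-openid's code): validate an OpenID Provider endpoint
# returned by discovery before the Relying Party makes a server-side request to it.
require 'uri'
require 'ipaddr'
require 'resolv'

# Address ranges a server-side fetch should never reach (constructed list,
# editor's assumption about a sensible default policy).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 100.64.0.0/10 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

class UnsafeEndpoint < StandardError; end

# Resolver hook: production uses DNS, tests inject a stub so the check runs offline.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# True when the IP (IPv4, IPv6, or IPv4-mapped IPv6) falls in a blocked range.
def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:10.0.0.1 is really 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Returns { uri:, ip: } for an acceptable endpoint, raises UnsafeEndpoint otherwise.
# allowed_hosts: optional allow-list of OP hostnames the RP is willing to talk to.
def validate_op_endpoint(url, allowed_hosts: nil, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url)
  raise UnsafeEndpoint, 'scheme must be https' unless uri.is_a?(URI::HTTPS)
  raise UnsafeEndpoint, 'userinfo in URL not allowed' if uri.userinfo
  raise UnsafeEndpoint, 'missing host' if uri.host.nil? || uri.host.empty?

  host = uri.hostname # strips the [] around an IPv6 literal
  if allowed_hosts && !allowed_hosts.map(&:downcase).include?(host.downcase)
    raise UnsafeEndpoint, "host #{host} not in allow-list"
  end

  # A literal IP in the URL is checked directly; a hostname is resolved and
  # every returned address must pass, not just the first one.
  addrs = begin
    [IPAddr.new(host).to_s]
  rescue IPAddr::InvalidAddressError
    resolver.call(host)
  end
  raise UnsafeEndpoint, "host #{host} does not resolve" if addrs.empty?
  addrs.each do |ip|
    raise UnsafeEndpoint, "#{host} resolves to blocked address #{ip}" if blocked_ip?(ip)
  end

  # Hand back the address that was actually checked so the caller can connect to
  # it rather than resolving again (a second lookup could answer differently).
  { uri: uri, ip: addrs.first }
end

# Boolean convenience wrapper.
def safe_op_endpoint?(url, **opts)
  validate_op_endpoint(url, **opts)
  true
rescue UnsafeEndpoint, URI::InvalidURIError
  false
end
```

The caller should open the connection to the returned `ip` (sending the original hostname in SNI and the Host header) and apply the same check again to every redirect target, since a redirect from an otherwise acceptable OP is the other common way a server-side fetch ends up at an internal address.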
On Sat, Mar 2, 2019 at 9:19 AM Chris <setenforce1@gmail.com> wrote:
> Thanks Nat, I reached out via email to who I believe is the project
> maintainer yesterday.
>
> Cheers,
>
> Chris
>
> On Fri, Mar 1, 2019, 11:27 PM n-sakimura <n-sakimura@nri.co.jp> wrote:
>
>> Chris,
>>
>> Thanks for reaching out. Sorry that I could not respond earlier.
>> I was flying from Tokyo to San Francisco.
>>
>> I will let the secretariat know about it so that they can act
>> accordingly.
>>
>> In the meantime, if you could use your own path to get in touch with the
>> author of the gem, it would be great as well as it is over the weekend in
>> the U.S.
>>
>> Additionally, I will bring it up in the board meeting to make our
>> process more effective on these things.
>>
>> Best,
>>
>> Nat Sakimura
>> Chairman of the board
>> OpenID Foundation
>>
>> ------------------------------
>> *From:* security <openid-security-bounces@lists.openid.net> (on behalf of Chris <setenforce1@gmail.com>)
>> *Sent:* Wednesday, February 27, 2019 9:09 AM
>> *To:* openid-security@lists.openid.net
>> *Subject:* [security] Security issue with ruby-openid library
>>
>> openid-security mailing list:
>>
>> I have discovered a remotely exploitable weakness in the ruby-openid
>> library that Rails web applications use to integrate with OpenID
>> Providers. Severity can range from medium to critical, depending on how=
a
>> web application developer chose to implement the ruby-openid library.
>> Developers who based their OpenID integration heavily on the "example ap=
p"
>> provided by the project are at highest risk.
>>
>> I hesitate to provide too much detail publicly, as I would prefer to
>> responsibly report the details of this issue privately, to ensure that the
>> OpenID community has time to confirm my findings, implement appropriate
>> code changes, and communicate effectively with affected developers.
>>
>> Can one of the main admins on the list please suggest a viable approach?
>> One of the primary maintainers of the ruby-openid project could contact me
>> directly (reply to this email?), or I could be provided with a short list
>> of maintainers to contact.
>>
>> Thank you
>> -
>> Chris
>>
>
_______________________________________________
security mailing list
security@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-security