XSS vulnerability in phpMyID

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS vulnerability in phpMyID
From: Raphael Geissert <atomo64@xxxxxxxxx>
Date: Wed, 1 Oct 2008 20:08:06 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date :user-agent:x-debbugs-no-ack:mime-version:content-type :content-transfer-encoding:content-disposition:message-id; bh=jVfeANbH/44pYuNxZ+8ALriC2FtI0DSVglVnsG9U/uE=; b=OCqDMDTmoCtqC29cQOBV5IUH5aOxvGFLIvq/6wGk5TXJ8+GOLEG/1vROiSBK4SUsOW E4uCphg6e+knspqf6ehhdEgn4/DfpsYX51X1y02u60wvS7SWMPBO+uBb/IeSIKaCxkyk HO8wnaTy1V2merDIUCWhbMIsaeHsLYuFYEAGI=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:user-agent:x-debbugs-no-ack:mime-version :content-type:content-transfer-encoding:content-disposition :message-id; b=wTRK7cZie22D5TG/KXcUSuLUjS9EgqOi3m1oaQhtXQo+gZIYGAr8hd1Dl6RQp/21ac 0Tli2afbUJy9kREmRZ2nYMVQ9Yc/JI/ILFdBtjCC0ajhCQe29obksp8v5IKvPcJ+4GRg 4yD2/YAZiXJbqZMucSOYNW7NvkJJsvMPOuKsk=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: KMail/1.9.9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject: XSS vulnerability in phpMyID
Credits: Raphael Geissert <atomo64@xxxxxxxxx>
Release date: 2008-10-27
Affects: v0.9 [23-Jul-2008]

Resources:
    * Homepage: http://siege.org/projects/phpMyID/
    * Demo: http://phpmyid.com

Background:
    phpMyID is a single user OpenID identity provider implemented in PHP.

Problem description:
    The MyID.php script does not sanitize the input it is supposed to be given
    by the site where the user wants to be authenticated. When the return_to
    address does not have the same "root" as trust_root it aborts, opening a
    hole for XSS attacks. 

Impact:
    A user can be tricked and redirected to its vulnerable identity provider,
    place where the specially crafted data exploits the security hole.

Example exploit:
    MyID.php?openid_mode=checkid_immediate&openid_return_to=bar
            &openid_trust_root=%3Cscript%3Ewindow.alert%28%29%3B%3C%2Fscript%3E
            &openid_identity=foo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjeokkACgkQYy49rUbZzlrT4gCgiJx+DciYJ/gwGvofowlGHLUa
dXIAnRJKr7xKJG71jmabclNAx/GEmLa9
=A51u
-----END PGP SIGNATURE-----

Prev by Date: Adobe Flash Player plug-in null pointer dereference and browser crash
Next by Date: Layered Defense Research Advisory: Juniper Netscreen Firewall Cross-Site-Scripting (XSS) event log injection
Previous by thread: Re: Adobe Flash Player plug-in null pointer dereference and browser crash
Next by thread: Layered Defense Research Advisory: Juniper Netscreen Firewall Cross-Site-Scripting (XSS) event log injection
Index(es):
- Date
- Thread