XSS vulnerability in phpMyID
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: XSS vulnerability in phpMyID
- From: Raphael Geissert <atomo64@xxxxxxxxx>
- Date: Wed, 1 Oct 2008 20:08:06 -0500
Subject: XSS vulnerability in phpMyID
Credits: Raphael Geissert <atomo64@xxxxxxxxx>
Release date: 2008-10-27
Affects: v0.9 [23-Jul-2008]
Resources:
* Homepage: http://siege.org/projects/phpMyID/
* Demo: http://phpmyid.com
Background:
phpMyID is a single user OpenID identity provider implemented in PHP.
Problem description:
The MyID.php script does not sanitize the input that is supposed to be supplied
by the relying party (the site where the user wants to be authenticated). When
the return_to address does not share the same "root" as trust_root, the script
aborts, and that error path opens a hole for XSS attacks.
Impact:
A user can be tricked into following a link to their vulnerable identity
provider, where the specially crafted data exploits the security hole.
Example exploit:
MyID.php?openid_mode=checkid_immediate&openid_return_to=bar
&openid_trust_root=%3Cscript%3Ewindow.alert%28%29%3B%3C%2Fscript%3E
&openid_identity=foo
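To make the problem description and the example above concrete from the fixing side, here is an added illustration (not phpMyID's own code): a constructed root check for return_to against trust_root, and the abort path written twice, once echoing the parameter raw and once escaping it. The function names and the error-page markup are assumptions for this sketch.

```php
<?php
// Illustrative sketch, not phpMyID's code. Names below are assumed.

// True when $return_to lives under the "root" named by $trust_root.
// A "*." host prefix on trust_root is treated as a wildcard subdomain.
function under_trust_root(string $return_to, string $trust_root): bool {
    $r = parse_url($return_to);
    $t = parse_url($trust_root);
    if ($r === false || $t === false || empty($r['host']) || empty($t['host'])) {
        return false;                      // no usable host: reject
    }
    if (($r['scheme'] ?? '') !== ($t['scheme'] ?? '')) {
        return false;
    }
    $rhost = strtolower($r['host']);
    $thost = strtolower($t['host']);
    if (substr($thost, 0, 2) === '*.') {
        $suffix = substr($thost, 1);       // ".example.com"
        if (substr($rhost, -strlen($suffix)) !== $suffix) {
            return false;
        }
    } elseif ($rhost !== $thost) {
        return false;
    }
    $rpath = $r['path'] ?? '/';
    $tpath = $t['path'] ?? '/';
    return strncmp($rpath, $tpath, strlen($tpath)) === 0;
}

// Vulnerable pattern: the attacker-supplied parameter is interpolated raw
// into the HTML error page, so a trust_root carrying a <script> tag runs
// in the victim's browser (reflected XSS).
function error_page_unsafe(string $trust_root): string {
    return "<p>Invalid trust_root: $trust_root</p>";
}

// Hardened pattern: escape before interpolating into HTML; the value is
// rendered as inert text instead of markup.
function error_page_safe(string $trust_root): string {
    $safe = htmlspecialchars($trust_root, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Invalid trust_root: $safe</p>";
}

// Constructed request mirroring the advisory's example parameters.
$return_to  = 'bar';
$trust_root = '<script>window.alert();</script>';
if (!under_trust_root($return_to, $trust_root)) {
    echo error_page_safe($trust_root), "\n";
}
```

The same escaping applies to any other request parameter the abort message reflects (return_to, identity), since each of them is attacker-controlled input.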