Skip to content
cyberexploits
locallinuxtext

Apache Mod_Auth_OpenID - Session Stealing

Apache Mod_Auth_OpenID - Session Stealing

Published on 2012-05-24

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/linux/local/18917.txt7eac4c3a
raw
https://github.com/paranoid/mod_auth_openid/blob/master/CVE-2012-2760.markdown





# Security Advisory 1201

    Summary           : Session stealing

    Date              : May 2012

    Affected versions : all versions prior to mod_auth_openid-0.7

    ID                : mod_auth_openid-1201

    CVE reference     : CVE-2012-2760



# Details

Session ids are stored insecurely in /tmp/mod_auth_openid.db (default

filename). The db is world readable and the session ids are stored

unencrypted.



# Impact

If a user has access to the filesystem on the mod_auth_openid server,

they can steal all of the current openid authenticated sessions



# Workarounds

A quick improvement of the situation is to chmod 0400 the DB file.

Default location is /tmp/mod_auth_openid.db unless another location

has been configured in AuthOpenIDDBLocation.



# Solution

Upgrade to mod_auth_openid-0.7 or later:

http://findingscience.com/mod_auth_openid/releases



# Credits

This vulnerability was reported by Peter Ellehauge, ptr at groupon dot

com. Fixed by Brian Muller bmuller at gmail dot com



# References

mod_auth_openid project: http://findingscience.com/mod_auth_openid/



# History

15 May 2012

Discovered the vulnerability. Created private patch.



16 May 2012

Notified maintainer.

Obtained CVE-id



22 May 2012

Fixed by Brian Muller (bmuller at gmail dot com) in

mod_auth_openid-0.7 -

https://github.com/bmuller/mod_auth_openid/blob/master/ChangeLog



-- 

ptr
View on GitHub