[OpenID] OpenID and WordPress

Granqvist, Hans hgranqvist at verisign.com
Thu Jan 11 17:37:45 UTC 2007


Interesting: I looked at the Drupal 5.0 impl of OpenID and
these issues are avoided by never using association
handles.

In general, when checking some of our IdP logs, I'm
always fascinated by the low ratio of RPs using
association handles, since check_auth calls are so easy
to MITM spoof.


> -----Original Message-----
> From: Dmitry Shechtman [mailto:damnian at gmail.com] 
> Sent: Thursday, January 11, 2007 9:19 AM
> To: Granqvist, Hans
> Cc: general at openid.net
> Subject: RE: [OpenID] OpenID and WordPress
> 
> Well, "clean, efficient and small" doesn't mean "secure"... ;)
> 
> I believe you should forward this to the Bryght guys.
> 
> 
> Regards,
> Dmitry
> =damnian
> 
> 
> -----Original Message-----
> From: Granqvist, Hans [mailto:hgranqvist at verisign.com]
> Sent: Thursday, January 11, 2007 19:14
> To: Dmitry Shechtman; Chris Messina; Trei Brundrett
> Cc: general at openid.net
> Subject: RE: [OpenID] OpenID and WordPress
> 
> Has anyone checked that code for SQL injection vulnerabilities?
> 
> (For example, line 197 in openid_module looks scary, but 
> maybe I'm missing something.)
> 
> -Hans 
> 
> 
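
The local check an RP can make when it does hold an association, as an added example that is not part of this thread and is not Drupal or WordPress plugin code. It assumes OpenID Authentication 1.1 signing (HMAC-SHA1 over the key-value form of the signed fields); the handle, secret and URLs are constructed sample values.

```python
import base64
import hashlib
import hmac

# Fields the signature must cover for the assertion to bind the user to this RP.
REQUIRED_SIGNED = {"identity", "return_to"}

def token_contents(params, signed):
    """Key-value form ("name:value\\n") of the signed fields, in signed-list order."""
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in signed).encode()

def sign(secret, params, signed):
    """base64(HMAC-SHA1(association secret, token_contents))."""
    mac = hmac.new(secret, token_contents(params, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_id_res(params, associations):
    """True only if the assertion verifies under a secret this RP already stores."""
    if params.get("openid.mode") != "id_res":
        return False
    secret = associations.get(params.get("openid.assoc_handle"))
    if secret is None:
        return False  # no shared secret held for this handle, nothing to verify locally
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False  # a valid MAC over too few fields proves nothing about identity
    values = [params.get("openid." + n) for n in signed]
    if any(v is None or "\n" in v for v in values):
        return False  # missing field, or a newline that would break the key-value form
    expected = sign(secret, params, signed)
    return hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode())

# Constructed sample association and assertion (not real traffic).
ASSOCIATIONS = {"constructed-handle-1": b"constructed-shared-secret"}
SAMPLE = {
    "openid.mode": "id_res",
    "openid.identity": "http://user.example.org/",
    "openid.return_to": "http://rp.example.com/return",
    "openid.assoc_handle": "constructed-handle-1",
    "openid.signed": "mode,identity,return_to",
}
SAMPLE["openid.sig"] = sign(ASSOCIATIONS["constructed-handle-1"], SAMPLE,
                            SAMPLE["openid.signed"].split(","))
```

Because the secret never travels with the assertion, the outcome does not depend on trusting an answer fetched over the network at verification time.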


