[OpenID] OpenID as an attack relay

Simon Willison simon at simonwillison.net
Tue Mar 20 10:22:10 UTC 2007


On 3/19/07, Martin Foster <martin at ethereal-realms.org> wrote:
> Some sites using my code are experiencing a phenomenon where users
> register, gain access and use a certain component of the site in order
> to attack another service.   They use the systems check of an image URL
> (by retrieving it and getting information on the file) to craft attack
> strings used on vulnerable systems.

If I understand you correctly, the problem you are describing is that
if I wanted to run an exploit against
http://example.com/insecure-php-script.php I could use an OpenID
consumer site as a middle man to cover my tracks - by attempting to
log in somewhere as:

http://example.com/insecure-php-script.php?unescaped_cmd=rm%20-rf%20/

OpenID does nothing to prevent this, and I'm certain it would be
impossible for the protocol to guard against it. OpenID consumers can
and probably should implement throttling but other than that there's
not a lot that can be done. There are already plenty of ways for an
attacker to cover their tracks, so I don't see this as being much of a
problem with OpenID itself.
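The throttling the reply recommends, as an added example that is not code from the original post or from Martin Foster's project: a sliding-window limiter that a consumer would consult before fetching a submitted identifier URL for discovery. It goes a little beyond the post by counting hits per target host as well as per requesting client (so many accounts cannot relay to one victim together) and by refusing identifiers that are not http(s) URLs at all. The limits, the window, the client addresses and the `simulate` replay are assumptions made up for the demonstration.

```python
"""Rate-limiting outbound OpenID discovery fetches.

Added example; not part of the original list post or of any OpenID
library. Limits and sample addresses below are assumptions.
"""
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


class DiscoveryThrottle:
    """Sliding-window limiter for discovery fetches of user-supplied URLs.

    Hits are counted both per requesting client and per target host, so
    one attacker cannot hammer a victim through the consumer, and a crowd
    of fresh accounts cannot do it together either.
    """

    def __init__(self, per_client=10, per_target=20, window=60.0,
                 clock=time.monotonic):
        self.per_client = per_client      # assumed limit per client address
        self.per_target = per_target      # assumed limit per target host
        self.window = window              # seconds
        self._clock = clock               # injectable for deterministic tests
        self._by_client = defaultdict(deque)
        self._by_target = defaultdict(deque)

    def _count(self, bucket, now):
        # Drop timestamps that have fallen out of the window, return the rest.
        while bucket and now - bucket[0] > self.window:
            bucket.popleft()
        return len(bucket)

    def allow(self, client_ip, identifier):
        """Return (allowed, reason) for fetching `identifier` on behalf of client_ip."""
        parts = urlsplit(identifier)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, "identifier is not an http(s) URL"
        target = parts.hostname.lower()
        now = self._clock()
        if self._count(self._by_client[client_ip], now) >= self.per_client:
            return False, "too many discovery requests from this client"
        if self._count(self._by_target[target], now) >= self.per_target:
            return False, "too many discovery requests for this target host"
        self._by_client[client_ip].append(now)
        self._by_target[target].append(now)
        return True, "fetch allowed"


class FakeClock:
    """Manually advanced clock so the replay below is deterministic."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def simulate(per_client=3, per_target=5):
    """Replay a constructed attack: one client keeps submitting the exploit
    URL from the post, a second client joins in, then the window expires."""
    clock = FakeClock()
    throttle = DiscoveryThrottle(per_client, per_target, window=60.0, clock=clock)
    exploit = "http://example.com/insecure-php-script.php?unescaped_cmd=rm%20-rf%20/"
    outcomes = []
    for _ in range(per_client + 1):           # first client trips its own limit
        outcomes.append(throttle.allow("203.0.113.5", exploit)[0])
    for _ in range(per_target):               # second client trips the target limit
        outcomes.append(throttle.allow("203.0.113.6", exploit)[0])
    clock.t += 61.0                           # window expires, counters drain
    outcomes.append(throttle.allow("203.0.113.5", exploit)[0])
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The limiter only slows a relay attack down; as the reply says, nothing in the protocol can stop a consumer from fetching a URL the user hands it, so the other half of the job is logging which account submitted which identifier so the abuse can be traced back.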


