[OpenID] OpenID as an attack relay
Lukas Rosenstock
lukas.rosenstock at identity20.eu
Tue Mar 20 10:30:58 UTC 2007
On 20.03.2007, 11:22, Simon Willison <simon at simonwillison.net> wrote:
> If I understand you correctly, the problem you are describing is that
> if I wanted to run an exploit against
> http://example.com/insecure-php-script.php I could use an OpenID
> consumer site as a middle man to cover my tracks - by attempting to
> log in somewhere as:
>
> http://example.com/insecure-php-script.php?unescaped_cmd=rm%20-rf%20/
>
> OpenID does nothing to prevent this, and I'm certain it would be
> impossible for the protocol to guard against it. OpenID consumers can
> and probably should implement throttling but other than that there's
> not a lot that can be done.
The example you have given could maybe be prevented by not allowing query
parameters in an identity URL. Current identities look like
"username.provider.com" or "provider.com/username", in rare cases
"provider.com/users/username.htm"; it wouldn't hurt to make query
parameters invalid in an identity URL.
On the other hand ...
> There are already plenty of ways for an
> attacker to cover their tracks already so I don't see this as being
> much of a problem with OpenID itself.
... it probably wouldn't help much.
Lukas
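As an added illustration of the two mitigations discussed in this exchange (rejecting query parameters in a claimed identifier, and consumer-side throttling), here is a small consumer-side screening routine. It is example code written for this archive page, not code from the thread participants or from any OpenID library; the function and class names, the specific rejection rules (http/https only, no userinfo, no query, no fragment) and the sample identifiers are all assumptions made for the example.

```python
"""Added example, not code from the original thread or from any OpenID
implementation: screen a claimed identifier before the consumer fetches it,
rejecting the query-string form quoted in the message, and throttle
discovery fetches per target host as Simon Willison suggests.
"""
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed sample input: the URL quoted in the message plus the ordinary
# identifier shapes listed in the reply.
SAMPLE_IDENTIFIERS = [
    "http://example.com/insecure-php-script.php?unescaped_cmd=rm%20-rf%20/",
    "http://username.provider.com",
    "http://provider.com/username",
    "http://provider.com/users/username.htm",
]


def reject_reason(identifier):
    """Return None if the identifier is acceptable as a claimed identifier,
    otherwise a short reason for rejecting it before any discovery fetch.
    Assumption: the consumer accepts only http(s) URLs with no userinfo,
    query or fragment. This is the restriction proposed in the reply, not a
    rule from the OpenID specification."""
    parts = urlsplit(identifier.strip())
    if parts.scheme not in ("http", "https"):
        return "scheme must be http or https"
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"
    if parts.query:
        return "query parameters not allowed in identity URL"
    if parts.fragment:
        return "fragment not allowed in identity URL"
    return None


class HostThrottle:
    """Sliding-window cap on discovery fetches per target host, so the
    consumer cannot be used to hammer one third-party server."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # host -> timestamps of recent fetches

    def allow(self, host, now):
        q = self._hits[host]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def screen(identifier, throttle, now):
    """Apply both checks. Returns (accepted, reason)."""
    reason = reject_reason(identifier)
    if reason:
        return False, reason
    host = urlsplit(identifier.strip()).hostname
    if not throttle.allow(host, now):
        return False, "too many discovery requests to %s" % host
    return True, None


if __name__ == "__main__":
    throttle = HostThrottle(limit=2, window_seconds=60)
    for ident in SAMPLE_IDENTIFIERS:
        print(ident, "->", screen(ident, throttle, 0.0))
```

Running the block rejects the first sample identifier and accepts the three ordinary shapes. The check only removes the query-string form of the relay; a payload carried in the path component of an otherwise well-formed URL passes it, which is in line with the reply's own conclusion that the restriction would not help much, and is why the throttle is the more generally useful of the two.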