[OpenID] OpenID as an attack relay

Lukas Rosenstock lukas.rosenstock at identity20.eu
Tue Mar 20 10:30:58 UTC 2007

Am 20.03.2007, 11:22 Uhr, schrieb Simon Willison <simon at simonwillison.net>:

> If I understand you correctly, the problem you are describing is that
> if I wanted to run an exploit against
> http://example.com/insecure-php-script.php I could use an OpenID
> consumer site as a middle man to cover my tracks - by attempting to
> log in somewhere as:
> http://example.com/insecure-php-script.php?unescaped_cmd=rm%20-rf%20/
> OpenID does nothing to prevent this, and I'm certain it would be
> impossible for the protocol to guard against it. OpenID consumers can
> and probably should implement throttling but other than that there's
> not a lot that can be done.

The example you have given could maybe prevented by not allowing query  
parameters in an identity URL. Current identities look like  
"username.provider.com" or "provider.com/username", in rare cases  
"provider.com/users/username.htm", it would't hurt to make query  
parameters invalid in an identity URL.

On the other hand ...

> There are already plenty of ways for an
> attacker to cover their tracks already so I don't see this as being
> much of a problem with OpenID itself.

... it propably wouldn't help much.


More information about the general mailing list