[security] Request splitting/SSRF in php-openid

Kurt Seifried kurt at seifried.org
Fri Dec 26 03:39:25 UTC 2014


Can you please post this to the oss-security list (
oss-security at lists.openwall.com), you don't need to be a member, I can
approve the posting. This issue should get a CVE and public announcement as
several vendors ship it (I think). Thanks and merry xmas!

On Thu, Dec 25, 2014 at 5:59 PM, isciurus <isciurus at gmail.com> wrote:

> Hi,
>
> php-openid library treats %0A/%0D characters in hostname of an openid
> endpoint URL as valid and decodes them into special characters \r\n right
> before making a discovery request to that location. When it uses curl to
> make web requests, and I guess this is a recommended way, libcurl passes
> these invalid URLs to the TCP stream in certain cases, for example, when it
> is configured to work through proxy. With this discovery logic php-openid
> allows crafting arbitrary requests inside the org network or to a loopback
> server interface, which exposes the infrastructure to the outside and is
> quite bad.
>
> For some reason, hostnames are converted in an unsafe way:
>
> https://github.com/openid/php-openid/blob/0ef9be71c1ff6114d04bc93d5156c00b25653a1b/Auth/OpenID/URINorm.php#L205
>
>   function Auth_OpenID_pct_encoded_replace($mo)
>   {
>       return chr(intval($mo[1], 16));
>   }
>   ...
>   if (strpos($host, '%') !== -1) {
>       $host = strtolower($host);
>       $host = preg_replace_callback(
>                 Auth_OpenID_getEncodedPattern(),
>                 'Auth_OpenID_pct_encoded_replace', $host);       // <------------
>
> ..in contrast with path:
>
>   function Auth_OpenID_pct_encoded_replace_unreserved($mo)
>   {
>       $_unreserved = Auth_OpenID_getUnreserved();
>       $i = intval($mo[1], 16);
>       if ($_unreserved[$i]) {
>           return chr($i);
>       } else {
>           return strtoupper($mo[0]);
>       }
>       return $mo[0];
>   }
>   ...
>   $path = preg_replace_callback(
>          Auth_OpenID_getEncodedPattern(),
>          'Auth_OpenID_pct_encoded_replace_unreserved', $path);  // <----------
>
>
> Please have a look at the attached diff, this should resolve the problem.
>
> Thanks,
> Andrey Labunets
>
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
>
>


-- 
Kurt Seifried
kurt at seifried.org
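The two normalisation behaviours contrasted in the report, reimplemented side by side as an added example (this is not php-openid code; the function names, the constructed endpoint host and the final hostname check are assumptions for illustration). The unsafe variant decodes every percent-encoded octet in the host, so an encoded CR/LF becomes a literal line break in the request; the path-style variant only decodes RFC 3986 unreserved characters, and a last check refuses any host that is not a plain DNS name or IP literal before a discovery request is made.

```python
import re
import string

# A percent-encoded octet such as "%0A" (what the library's encoded pattern matches).
PCT_ENCODED = re.compile(r"%([0-9A-Fa-f]{2})")

# RFC 3986 unreserved characters: the only octets that are safe to decode in place.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

# Hostname shape accepted for discovery: DNS labels or a bracketed IP literal.
HOST_SHAPE = re.compile(r"[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\]")


def decode_host_unsafe(host: str) -> str:
    """Mirror of the vulnerable behaviour: every %XX in the host is decoded,
    so %0D%0A turns into a raw CRLF inside the hostname."""
    return PCT_ENCODED.sub(lambda m: chr(int(m.group(1), 16)), host.lower())


def decode_host_safe(host: str) -> str:
    """The path-style rule applied to the host: decode only unreserved octets,
    keep every other octet percent-encoded (upper-cased for canonical form)."""
    def repl(m: re.Match) -> str:
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else m.group(0).upper()
    return PCT_ENCODED.sub(repl, host.lower())


def host_is_clean(host: str) -> bool:
    """Final gate before a discovery request: the normalised host must contain
    nothing but hostname characters, so control characters, spaces or leftover
    percent-escapes (which curl might pass through to the wire) are rejected."""
    return HOST_SHAPE.fullmatch(host) is not None


# Constructed sample: an endpoint host carrying an encoded CR/LF (not a real URL).
SAMPLE_HOST = "example.com%0d%0ainjected"

if __name__ == "__main__":
    print(repr(decode_host_unsafe(SAMPLE_HOST)))   # CRLF now embedded in the host
    print(repr(decode_host_safe(SAMPLE_HOST)))     # escapes preserved, upper-cased
    print(host_is_clean(decode_host_safe(SAMPLE_HOST)))  # False: still refused
    print(host_is_clean(decode_host_safe("Example%2Ecom")))  # True: "%2E" is "."
```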