[security] Request splitting/SSRF in php-openid
isciurus
isciurus at gmail.com
Fri Dec 26 04:06:00 UTC 2014
Thank you. Just sent it to oss-security at lists.openwall.com. Happy holidays
to you too!
Andrey
On Thu, Dec 25, 2014 at 7:39 PM, Kurt Seifried <kurt at seifried.org> wrote:
> Can you please post this to the oss-security list (
> oss-security at lists.openwall.com), you don't need to be a member, I can
> approve the posting. This issue should get a CVE and public announcement as
> several vendors ship it (I think). Thanks and merry xmas!
>
> On Thu, Dec 25, 2014 at 5:59 PM, isciurus <isciurus at gmail.com> wrote:
>
>> Hi,
>>
>> The php-openid library treats %0A/%0D characters in the hostname of an
>> OpenID endpoint URL as valid and decodes them into the special characters
>> \r\n right before making a discovery request to that location. When it uses
>> curl to make web requests, and I guess this is a recommended way, libcurl
>> passes these invalid URLs to the TCP stream in certain cases, for example
>> when it is configured to work through a proxy. With this discovery logic,
>> php-openid allows crafting arbitrary requests inside the org network or to
>> a loopback server interface, which exposes the infrastructure to the
>> outside and is quite bad.
>>
>> For some reason, hostnames are converted in an unsafe way:
>>
>> https://github.com/openid/php-openid/blob/0ef9be71c1ff6114d04bc93d5156c00b25653a1b/Auth/OpenID/URINorm.php#L205
>>
>> function Auth_OpenID_pct_encoded_replace($mo)
>> {
>> return chr(intval($mo[1], 16));
>> }
>> ...
>> if (strpos($host, '%') !== -1) {
>> $host = strtolower($host);
>> $host = preg_replace_callback(
>> Auth_OpenID_getEncodedPattern(),
>> 'Auth_OpenID_pct_encoded_replace', $host); // <------------
>>
>> ..in contrast with path:
>>
>> function Auth_OpenID_pct_encoded_replace_unreserved($mo)
>> {
>> $_unreserved = Auth_OpenID_getUnreserved();
>> $i = intval($mo[1], 16);
>> if ($_unreserved[$i]) {
>> return chr($i);
>> } else {
>> return strtoupper($mo[0]);
>> }
>> return $mo[0];
>> }
>> ...
>> $path = preg_replace_callback(
>> Auth_OpenID_getEncodedPattern(),
>> 'Auth_OpenID_pct_encoded_replace_unreserved', $path); // <----------
>>
>>
>> Please, have a look at the attached diff, this should resolve the problem.
>>
>> Thanks,
>> Andrey Labunets
>>
>> _______________________________________________
>> security mailing list
>> security at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-security
>>
>>
>
>
> --
> Kurt Seifried
> kurt at seifried.org
>
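The host/path asymmetry Andrey points at, as an added PHP illustration that is not php-openid's own code and not the attached patch (which is not on this page): the "decode every byte" host normaliser beside one that decodes only RFC 3986 unreserved bytes and refuses a host containing anything else. Function names are hypothetical, and IPv6 literal hosts (brackets, colons) are deliberately out of scope.

```php
<?php
// Added illustration, not php-openid code. Same shape as the pattern the
// library uses: one percent-encoded byte per match.
const PCT_PATTERN = '/%([0-9A-Fa-f]{2})/';

// RFC 3986 unreserved: ALPHA / DIGIT / "-" / "." / "_" / "~"
function host_is_unreserved_byte($byte)
{
    $c = chr($byte);
    return ctype_alnum($c) || strpos('-._~', $c) !== false;
}

// Vulnerable shape (what the quoted host code does): every %XX becomes a raw
// byte, so %0D%0A turns into CR LF and a hostname with a line break is handed
// to the HTTP client.
function normalize_host_unsafe($host)
{
    return preg_replace_callback(PCT_PATTERN, function ($mo) {
        return chr(intval($mo[1], 16));
    }, strtolower($host));
}

// Hardened shape: decode only unreserved bytes (what the quoted path code
// already does), keep everything else encoded, then accept only the plain
// reg-name alphabet. Returns null for a host that must not be requested.
function normalize_host_safe($host)
{
    $decoded = preg_replace_callback(PCT_PATTERN, function ($mo) {
        $i = intval($mo[1], 16);
        return host_is_unreserved_byte($i) ? chr($i) : strtoupper($mo[0]);
    }, $host);
    // A DNS name never needs percent-encoding, so a surviving %XX (%0D, %0A,
    // %20, ...) or any raw control byte fails this check. The /D modifier
    // stops '$' from ignoring a trailing newline.
    if (preg_match('/^[A-Za-z0-9\-._~]+$/D', $decoded) !== 1) {
        return null;
    }
    return strtolower($decoded);
}

// Constructed sample inputs.
$sample = 'example.com%0D%0A';
var_dump(normalize_host_unsafe($sample) === "example.com\r\n"); // bool(true)
var_dump(normalize_host_safe($sample));                          // NULL
var_dump(normalize_host_safe('Example%2Ecom'));                  // string(11) "example.com"
```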