security bug in PHP-server-1.1
Niels Berkers
niels at quotar.com
Tue Apr 10 16:03:08 PDT 2007
Niels Berkers wrote:
> Hi All,
>
> I found a security bug in PHP-server-1.1.
>
> With this line set in the example consumer I call my OpenID server,
> which will result in two JavaScript alert popups. I'm not much of a
> hacker but I know this could lead to much bigger problems like
> injections in PHP. The least you should do is strip the HTML tags from
> all $sreg values in function setRequestInfo, or better in function
> Server_requestSregData (earlier in the data processing).
> ---------------------
> $auth_request->addExtensionArg('sreg', 'policy_url',
> 'http://www.openid.net">openid</a><script>alert("test")</script><a
> href="http://www.openid.net');
> ---------------------
>
> function setRequestInfo($info=null, $sreg=null)
> {
>     if (!isset($info)) {
>         unset($_SESSION['request']);
>     } else {
>         // The request and the raw (unsanitized) sreg values go into the session
>         $_SESSION['request'] = serialize($info);
>         $_SESSION['sreg_request'] = serialize($sreg);
>     }
> }
>
> function getRequestInfo()
> {
>     if (isset($_SESSION['request'])) {
>         return array(unserialize($_SESSION['request']),
>                      unserialize($_SESSION['sreg_request']));
>     } else {
>         return false;
>     }
> }
>
Patched function, common.php line 271 onwards:
The input fields on the persona page aren't cleaned either.
function Server_requestSregData($request)
{
    $optional = array();
    $required = array();
    $policy_url = null;
    $request = Auth_OpenID::fixArgs($request);
    // Strip tags first, then entity-encode what is left (ENT_QUOTES so that
    // single quotes are encoded as well as double quotes).
    if (array_key_exists('openid.sreg.required', $request)) {
        $required = explode(",",
            htmlentities(strip_tags($request['openid.sreg.required']), ENT_QUOTES));
    }
    if (array_key_exists('openid.sreg.optional', $request)) {
        $optional = explode(",",
            htmlentities(strip_tags($request['openid.sreg.optional']), ENT_QUOTES));
    }
    if (array_key_exists('openid.sreg.policy_url', $request)) {
        // ENT_QUOTES belongs to htmlentities(), not strip_tags(), whose second
        // argument is the list of allowed tags.
        $policy_url =
            htmlentities(strip_tags($request['openid.sreg.policy_url']), ENT_QUOTES);
    }
    return array($optional, $required, $policy_url);
}
br,
Niels Berkers
http://openid.quotar.com/ ( patched ;) )
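The patch above strips tags and entity-encodes the sreg values as they arrive. As an added example, not code from the original post or from PHP-server-1.1, here is the shape a reviewer would normally ask for instead: validate policy_url as an absolute http(s) URL on input, restrict the field lists to the sreg 1.0 field names, and escape with htmlspecialchars(ENT_QUOTES) at the point where the value is written into HTML. The function names (sregPolicyUrlOrNull, sregFieldList, htmlEscape, renderPolicyLink) and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not code from the original post or from PHP-server-1.1:
// treat openid.sreg.policy_url as untrusted, validate it as an http(s) URL
// on the way in, and HTML-escape it on the way out. All function names
// here are assumptions.

// Return $value if it is an absolute http/https URL made only of characters
// RFC 3986 allows in a URL (so no quotes, angle brackets or whitespace),
// otherwise null.
function sregPolicyUrlOrNull($value)
{
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > 2048) {
        return null;
    }
    if (!preg_match('~^[A-Za-z0-9\-._~:/?#\[\]@!$&\'()*+,;=%]+$~', $value)) {
        return null;
    }
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return ($scheme === 'http' || $scheme === 'https') ? $value : null;
}

// Split a comma-separated sreg field list and keep only the nine field
// names defined by the sreg 1.0 extension; anything else is dropped.
function sregFieldList($value)
{
    $known = array('nickname', 'email', 'fullname', 'dob', 'gender',
                   'postcode', 'country', 'language', 'timezone');
    $fields = array();
    foreach (explode(',', (string) $value) as $name) {
        $name = strtolower(trim($name));
        if (in_array($name, $known, true) && !in_array($name, $fields, true)) {
            $fields[] = $name;
        }
    }
    return $fields;
}

// Escape for an HTML text or attribute context. ENT_QUOTES matters: without
// it a single quote survives and can terminate a single-quoted attribute.
function htmlEscape($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build the policy-URL link for the trust page. Escaping happens here, at
// output time, regardless of what input validation did earlier.
function renderPolicyLink($policyUrl)
{
    $url = sregPolicyUrlOrNull($policyUrl);
    if ($url === null) {
        return '<em>no policy URL supplied</em>';
    }
    return '<a href="' . htmlEscape($url) . '">' . htmlEscape($url) . '</a>';
}

// Constructed sample inputs for a stand-alone run (php this_file.php).
$samples = array(
    'http://www.openid.net/policy',       // plain http URL
    'ftp://www.openid.net/policy',        // scheme is not http(s)
    'http://www.openid.net">x<b>y',       // contains a quote and angle brackets
);
foreach ($samples as $s) {
    echo str_pad($s, 36), ' => ', renderPolicyLink($s), "\n";
}
echo implode(',', sregFieldList('email, Nickname,foo,email')), "\n";
```

Two points worth keeping in mind about the strip_tags approach in the patch: strip_tags only removes complete tags, so a stray quote, which is what closes an href attribute, passes through untouched and the htmlentities call is the part doing the real work; and encoding on input means any template that escapes again on output will double-encode, which is why escaping at the output site, as renderPolicyLink does, is the usual place for it.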