List: oss-security
Subject: [oss-security] CVE Request: CSRF vulnerability in OmniAuth request phase
From: Douwe Maan <douwe () gitlab ! com>
Date: 2015-05-26 11:56:13
Message-ID: etPan.55645f5d.19495cff.34b () Douwes-MacBook-Pro ! local
Affected software:
- Ruby gem (library) OmniAuth[0]
- Gems that use OmniAuth, e.g. Devise[1]
Type of vulnerability:
Cross-Site Request Forgery
Original report by:
Mohamed Abdelbaset Elnoby, Senior Information Security Analyst at Seekurity.com[2]
[The website Seekurity.com isn't currently working.]
Summary:
OmniAuth is a library used in Ruby web applications to authenticate users using
external services, for example OAuth providers.
The request phase of OmniAuth is vulnerable to Cross-Site Request Forgery. This
is the step that actually connects an external account (on a connected OAuth
provider) to an internal account (on the web application itself). This means
that when a client is signed into an account on the web application, and signed
into an account on a connected OAuth provider, these two accounts can be
connected without user intent, user interaction or feedback to the user. From
here on out, the external account can be used to sign into the web application
as the internal account.
If the sign in action at a connected OAuth provider is vulnerable to CSRF, an
attacker can force the victim's client to be logged into the external service
using an account belonging to the attacker, can then force this external account
to be connected to the internal account, and can from here on out use their
account on the external service to log into the victim's account on the targeted
application.
We are aware of one large OAuth provider where the sign in action is or was
vulnerable to CSRF.
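To make the defensive side of the request phase concrete, here is an added Ruby illustration (constructed for this write-up, not OmniAuth's code and not the fix from the pull request linked below) of a guard for the `/auth/:provider` step: it shows the unguarded behaviour that accepts any GET beside a hardened check that only accepts a POST carrying a per-session token, compared in constant time. `RequestPhaseGuard` and the hash-shaped session and request objects are assumptions of the example.

```ruby
require 'securerandom'

# Constructed illustration of guarding the OmniAuth request phase
# (/auth/:provider) against CSRF. RequestPhaseGuard and the hash-shaped
# session and request objects are assumptions for this example.
module RequestPhaseGuard
  # The unguarded behaviour described in the advisory: any request,
  # including a GET triggered by an <img> or link on a third-party
  # page, starts connecting an external account to the signed-in user.
  def self.unguarded_allowed?(_session, _request)
    true
  end

  # Issue a per-session token; the application renders it as a hidden
  # field in its own "connect account" form, so a cross-origin page
  # cannot know the value it would need to forge the request.
  def self.issue_token(session)
    session[:omniauth_csrf] ||= SecureRandom.hex(32)
  end

  # Hardened check: only a POST that carries the session's token may
  # start the request phase. Everything else is rejected before the
  # redirect to the OAuth provider is issued.
  def self.allowed?(session, request)
    return false unless request[:method] == 'POST'
    expected = session[:omniauth_csrf]
    given = request[:params].fetch('authenticity_token', '').to_s
    return false if expected.nil? || given.empty?
    secure_equal?(expected, given)
  end

  # Constant-time comparison so response timing does not leak the token.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = RequestPhaseGuard.issue_token(session)
  forged = { method: 'GET', params: {} }                              # cross-site link
  legit  = { method: 'POST', params: { 'authenticity_token' => token } } # app's own form
  puts "forged GET, unguarded phase: #{RequestPhaseGuard.unguarded_allowed?(session, forged)}"
  puts "forged GET, guarded phase:   #{RequestPhaseGuard.allowed?(session, forged)}"
  puts "own form POST, guarded phase: #{RequestPhaseGuard.allowed?(session, legit)}"
end
```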
Issue report and patch:
https://github.com/intridea/omniauth/pull/809
References:
[0] https://github.com/intridea/omniauth
[1] https://github.com/plataformatec/devise
[2] https://twitter.com/symbiansymoh
Thanks,
Douwe Maan
GitLab