Ticket #702 (closed defect: fixed)
openid spoofing vulnerability
| Reported by: | wnorris | Owned by: | wnorris |
|---|---|---|---|
| Priority: | high | Component: | openid |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
The plugin is vulnerable to a trivial method of spoofing the OpenID it *appears* an individual logged in from. This is only possible when "create local accounts" is enabled. In this case, an individual can post a comment to create an account, then go into their local WordPress profile and change their URL. Subsequent comments will show this modified URL, but with the OpenID logo giving the appearance that they authenticated with that URL.
This vulnerability is limited to the spoofing of OpenID *appearance*... it does NOT allow a user to gain additional access to anything.
Thanks to Shack Dougall: http://willnorris.com/2007/10/plugin-updates#comment-13359
Change History

Proposed solution: if the user has one or more OpenIDs set on their account, then their website must match one of them. When they add the first OpenID, we would need to change their website property and notify the user as to what just happened. Anytime they try to manually modify the website, we need to check it against their configured OpenIDs and display an error to the user if it doesn't match one of them.
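An added example (not the plugin's own code) of the manual-edit check from the proposed solution: the profile's website URL is normalised and compared against the user's configured OpenIDs, and the save is rejected with an error if none match. It assumes the OpenIDs are stored as the user meta key `openids`; the real plugin may keep them elsewhere.

```php
<?php
// Normalise an identifier URL for comparison: default to http://, lower-case
// scheme and host, drop the fragment and any trailing slash. This is a
// simplified normalisation for illustration, not the full OpenID spec rules.
function openid_normalize_url($url) {
    $url = trim($url);
    if ($url === '') return '';
    if (!preg_match('#^https?://#i', $url)) {
        $url = 'http://' . $url;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) return '';
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    $port   = isset($parts['port']) ? ':' . $parts['port'] : '';
    $path   = isset($parts['path']) ? rtrim($parts['path'], '/') : '';
    $query  = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $scheme . '://' . $host . $port . $path . $query;
}

// True if $website matches one of the user's OpenIDs. A user with no OpenIDs
// keeps the old behaviour and may set any website.
function openid_website_allowed($website, array $openids) {
    if (empty($openids)) return true;
    $want = openid_normalize_url($website);
    if ($want === '') return false;
    foreach ($openids as $id) {
        if ($want === openid_normalize_url($id)) return true;
    }
    return false;
}

// WordPress hook: block a profile save whose website does not match a
// configured OpenID. ASSUMPTION: OpenIDs live in user meta under 'openids'
// (an array). 'user_profile_update_errors' and get_user_meta() are standard
// WordPress API; $errors is a WP_Error the profile screen renders to the user.
function openid_check_profile_url($errors, $update, $user) {
    if (!$update || empty($user->user_url)) return;
    $openids = (array) get_user_meta($user->ID, 'openids', true);
    if (!openid_website_allowed($user->user_url, $openids)) {
        $errors->add('openid_url_mismatch',
            'Your website must match one of your OpenIDs: '
            . esc_html(implode(', ', $openids)));
    }
}
add_action('user_profile_update_errors', 'openid_check_profile_url', 10, 3);
```

With this in place, a user who authenticated as `http://alice.example.org` can save `alice.example.org/` or `HTTP://ALICE.example.org` but not an unrelated URL, so the OpenID logo next to a comment only ever appears beside an identifier the user actually verified.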