Skip navigation.

Raphael's Blog

A look into a programmer's life

"OpenID" (a.k.a. OpenXSS) implementations...

Thursday, 25. September 2008, 01:47:07

, , ,

I have just took a quick look at yet another OpenID-related php script which is, just like the others I've seen, open to XSS attacks.

People, be prepared; probably by this weekend[1] I will be disclosing those vulnerabilities in at least three different so-called "products". When will people finally take security and quality seriously? (especially on auth stuff!)

[1] I'll be taking part in a small talk this Saturday (an introduction to GNU, Linux, and Debian; followed by an install fest) so I hope I will have time to review all of the openid-related scripts I'm aware of.

PTS less pedantic about failing watch filestwo OpenXSS advisories on their way to the public knowledge

Comments

Øyvind Østlund 25. September 2008, 09:14

Will you just do PHP scripts, or other languages like Python as well?


- ØØ -

Anonymous 25. September 2008, 14:39

Clemens writes:

I bet you'll be talking/posting on how to discover these issues? Not that I'd use OpenID in any of my projects, but I sometimes use OpenID to log in and would like to test the sites I use (but don't tell anyone, German laws made this illegal a while ago - even if you're the developer you're not allowed to use tools that could discover such issues…).

Raphael 25. September 2008, 18:38

Will you just do PHP scripts, or other languages like Python as well?


only PHP scripts atm; I'm not keen on python so I don't know if I'll ever take a look at those, but I just noticed there are some openid perl packages already in the Debian archive which I might cover as well.

I bet you'll be talking/posting on how to discover these issues?


I may disclose how to exploit them if the code is really ugly and the programmer didn't care at all about security. In other cases I will probably wait a couple of days before providing POC exploits.

(but don't tell anyone, German laws made this illegal a while ago - even if you're the developer you're not allowed to use tools that could discover such issues…).


yeah, I'm aware of such an, IMO, stupid law. Although developers could detect most of the XSS issues if they actually read the php manual.

Anonymous 27. September 2008, 23:19

arkoldthos writes:

owneds

How to use Quote function:

  1. Select some text
  2. Click on the Quote link

Write a comment

Comment
(BBcode and HTML is turned off for anonymous user comments.)

If you can't read the words, press the small reload icon.


Smilies

PHP, Webmasters and Development

  • HTTP Protocol

    The HTTP protocol specs at the World Wide Web Consortium

  • Text Link Ads

    Make money by placing text links

  • chainki

    The world's biggest collection of links that anyone can edit

Projects and others

  • KCheckGMail

    A GMail Notifier for KDE

  • PhishTank

    Out of the Net, into the Tank

  • BadVista

    The Free Software Foundation campaign opposing Microsoft Vista adoption and spotlighting free software alternatives

  • My Debian Packages Overview

    QA overview page for my Debian packages

  • My page at Debian's Wiki

    Some more Debian-specific information about myself

  • Debian

    Debian is a free operating system (OS) for your computer.Debian GNU/Linux provides more than a pure OS: it comes with over 18733 packages, precompiled software for easy installation on your machine.

  • Project Honey Pot

    Distributed system for identifying spammers and the spambots they use to scrape addresses from your website.

Useful resources