fun with openid login ;) (xss).

Bug #789566 reported by David
Affects: Moin OpenID module
Status: Fix Released
Importance: Critical
Assigned to: Unassigned
Milestone: (none)

Bug Description

I thought I should spend a few minutes looking for yet another launchpad xss bug ;)
***** The lp cookie totally should be httponly as well as being a secure cookie ... :/ https://bugs.launchpad.net/launchpad/+bug/96878

Reviewing the obvious candidate, which I had not looked into yet is the "special" login system.
So... Here is an example url that will show an alert(1) dialogue on https://help.launchpad.net:

https://help.launchpad.net/UserPreferences/?action=login&login=1&oidstage=1&openid.mode=x%3Cbody%20onload=alert%281%29%3E&stage=openid&janrain_nonce=;&openid.assoc_handle=x&openid.claimed_id=x&openid.identity=x&openid.lp.is_member=&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.lp=http%3A%2F%2Fns.launchpad.net%2F2007%2Fopenid-teams&openid.ns.sreg=

The issue on the help.launchpad.net domain is that the openid.mode is not escaped in the openid error message shown on the page. There may be other parameters that will also allow an attacker to inject html and content into the page. (I haven't checked them).

And it also works on https://dev.launchpad.net & https://wiki.ubuntu.com :/
https://dev.launchpad.net/UserPreferences/?action=login&login=1&oidstage=1&stage=openid&openid.mode=%22%3Cbody%20onload=alert%281%29%3E

https://wiki.ubuntu.com/UserPreferences/?action=login&login=1&oidstage=1&stage=openid&openid.mode=%22%3Cbody%20onload=alert%281%29%3E

https://dev.launchpad.net/UserPreferences/?action=login&login=1&oidstage=1&stage=openid&openid.mode=%22%3Cbody%20onload=alert%281%29%3E

and...
pastebin.canonical.com
https://pastebin.canonical.com/openid/complete?next=%22xj%3Cinput%3Eavascript%3Aalert%281%29&openid.mode=x%3Cbody%20onload=alert%281%29%3E

http get is not supposed to change the world ;)
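As an added illustration of the defect the report describes (not MoinMoin's own code): a minimal stand-in for the OpenID login error path that echoes openid.mode into the page, shown unescaped beside the escaped form, plus a small check that flags a query value reaching the rendered HTML with its markup characters intact. The query string is taken from the dev.launchpad.net URL in the report; the handler names and the error-message wording are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Query string from the report's dev.launchpad.net reproduction URL.
REPORTED_URL = ("https://dev.launchpad.net/UserPreferences/?action=login&login=1"
                "&oidstage=1&stage=openid&openid.mode=%22%3Cbody%20onload=alert%281%29%3E")
REPORTED_QUERY = urlsplit(REPORTED_URL).query


def _mode(query: str) -> str:
    # parse_qs percent-decodes the value; a duplicated key keeps both values, first wins here.
    return parse_qs(query, keep_blank_values=True).get("openid.mode", [""])[0]


def render_error_unescaped(query: str) -> str:
    """Constructed vulnerable shape: the parameter is dropped into HTML verbatim."""
    return '<p class="error">Unknown openid.mode: %s</p>' % _mode(query)


def render_error_escaped(query: str) -> str:
    """Hardened shape: every untrusted value is HTML-escaped (quotes included)
    before it is placed into markup, so it can only render as text."""
    return '<p class="error">Unknown openid.mode: %s</p>' % html.escape(_mode(query), quote=True)


def reflected_unescaped(query: str, rendered: str) -> bool:
    """Regression check: does any query value containing '<', '>' or '"' survive
    into the rendered page byte-for-byte? True means the output is not escaped."""
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if any(ch in value for ch in '<>"') and value in rendered:
                return True
    return False


if __name__ == "__main__":
    print(render_error_unescaped(REPORTED_QUERY))
    print(render_error_escaped(REPORTED_QUERY))
```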

David (d--)
description: updated
David (d--)
description: updated
Robert Collins (lifeless) wrote :

Thanks for reporting these, we'll get them addressed asap.

Changed in launchpad:
status: New → Triaged
importance: Undecided → Critical
William Grant (wgrant) wrote :

The moin bug was fixed upstream in 1.9.2 (http://hg.moinmo.in/moin/1.9/rev/e50b087c4572).

David (d--) wrote :

erh... moinmoin 1.6.3 is rather old :/

Curtis Hovey (sinzui) wrote :

Is this bug really in Lp? I think the sites listed describe the bug occurring in several other projects. I do not think any of these cited issues will be fixed by a committed change to launchpad's code. The error could be in the Lp moin and help theme projects, or in the pastebin, moinmoin and wordpress. Maybe the error is in the OpenId extension.

David (d--) wrote :

imho the way launchpad.net handles openid seems odd to me - I haven't seen any other openid system work the same - it seems like a "workaround" for a non-existing problem.
I haven't read the openid RFC or specification, so I am not able to comment any more.

Curtis Hovey (sinzui) wrote :

Lp's OpenID is odd because it is not in a state we want it in, but we are also not working on it. I do not expect SSO to be sane until login.launchpad.net is taken down and I can register/login from another OpenId provider. launchpad.net is not really an SSO provider. That service is really provided by login.ubuntu.com. Launchpad does not control login.launchpad.net. Launchpad.net should allow any OpenId provider to provide registration/login information.

David (d--) wrote :

Ping.

Robert Collins (lifeless) wrote :

We've upgraded some of our wikis and found a performance regression; the ubuntu wikis are .... large which makes this problematic; IS are on it but not migrating more until that issue is addressed.

The pastebin thing needs a separate effort put into it; I'll track that down shortly.

David (d--) wrote :

Fair enough.

Robert Collins (lifeless) wrote : Re: [Bug 789566] Re: fun with openid login ;) (xss).

RT #46457 (internal) for the pastebin issue (thanks wgrant).

David (d--) wrote :

Ping!

William Grant (wgrant) wrote :

IS has upgraded pastebin.canonical.com, so it should no longer be vulnerable. Most wikis have been upgraded, so I believe that leaves only help.launchpad.net and dev.launchpad.net. That's tentatively scheduled for this week some time.

David (d--) wrote :

Hmmm hopefully some day soon!

David (d--) wrote :

Has any further progress been made :) ?

David (d--) wrote :

Ok I am going to make this bug public in 24 hours until I open this bug unless I am told that I shouldn't :)

David (d--) wrote :

Wow my brain is Asleepz. What I meant was "If I am not told to keep this bug closed within 24 hours then I will 'open' at the end of that period".

Curtis Hovey (sinzui)
affects: launchpad → moin-openid
Robert Collins (lifeless) wrote :

AFAIK we still haven't upgraded 2 wikis, our sysadmins are being nagged daily about it :)

David (d--) wrote :

ah ok :)

David (d--) wrote :

And that's way more than enough time.

visibility: private → public
William Grant (wgrant) wrote :

It was indeed way more than enough time, but it's fixed now. The sysadmins ran into one final roadblock to upgrading the wikis last night, and it was resolved this morning. I believe everything is, finally, fixed.

William Grant (wgrant)
Changed in moin-openid:
status: Triaged → Fix Released