Tuesday, August 28, 2012

CVE-2012-2760 Session Stealing in mod_auth_openid

As advisory describing, mod_auth_openid is vulnerable to session stealing. Because "Session ids are stored insecurely in /tmp/mod_auth_openid.db (default filename). The db is world readable and the session ids are stored unencrypted." [1]

Yes, this is important issue and file is accessible by local attackers. But more important issue is database file also accessible by remote attackers in some cases (For example, if application have some kind of arbitrary file download/access vulnerability like LFI) because file is located in tmp folder (apache can access tmp directory) and sqlite db is not encrypted.

SQLite is not supporting database file encryption but there are some external libraries that "provides transparent 256-bit AES encryption of database files". [2]

Dear mod_auth_openid developers, you should use database file encryption. :(

[1] http://seclists.org/fulldisclosure/2012/May/238
[2] http://sqlcipher.net/

No comments:

Post a Comment