oss-sec mailing list archives

CVE Request: Host based account hijack attack on php-openid


From: Zemn mez <zemnmez () gmail com>
Date: Sun, 24 Jan 2016 03:21:31 +0000

An authorization hijacking attack can be carried out on a webserver using
php-openid for authentication.

In example usage (which the vast majority of sites use verbatim),
php-openid checks the `openid.realm` parameter against the PHP variable
`$_SERVER['SERVER_NAME']`
(https://github.com/openid/php-openid/blob/fb4cdfcaa578436c451f8e8687dfb61165074488/examples/consumer/common.php#L109).

Apache after 1.3 and many other webservers derive SERVER_NAME from the HOST
header.

The attacker coerces the victim into logging into his server with OpenID
provider P. The victim has an account on a website S that also uses P for
authentication.

When the victim logs into the attacker's site, the attacker captures the
request made to it via the victim's browser upon successful login.

The attacker makes a login request to S with the request made to it by the
victim to log into their website, changing the `Host` HTTP header to
reflect the attacker's server.

The captured request represents an authorization destined for the
attacker's evil.com that the victim has allowed a login to evil.com through
the OpenID provider P. By changing the Host header and making the request
to the vulnerable website S, S thinks the openid.realm through SERVER_NAME
should be evil.com, and accepts the OpenID login, allowing the attacker
access to the victim's account on S.


Zemnmez and Nathaniel "XMPPwocky" Theis
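As an added illustration (not php-openid's own code and not part of the post above), the two ways a consumer can derive the realm it expects: the pattern that trusts `$_SERVER['SERVER_NAME']`, beside a hardened form pinned to a configured origin. The constant `APP_CANONICAL_ORIGIN`, the function names and the sample request are assumptions constructed for this example.

```php
<?php
// Added example: compare an assertion's openid.realm against the realm the
// site expects. APP_CANONICAL_ORIGIN and the function names are illustrative
// assumptions, not php-openid identifiers.

// Fixed site identity chosen by the deployer, never derived from the request.
const APP_CANONICAL_ORIGIN = 'https://s.example';

// Pattern described in the post: the expected realm follows SERVER_NAME,
// which many web servers populate from the client-supplied Host header.
function trustRootFromServerName(array $server): string
{
    $scheme = $server['REQUEST_SCHEME'] ?? 'https';
    return sprintf('%s://%s/', $scheme, $server['SERVER_NAME']);
}

// Hardened pattern: the expected realm is pinned to configuration, so a
// rewritten Host header cannot move it.
function trustRootFromConfig(): string
{
    return APP_CANONICAL_ORIGIN . '/';
}

// The realm check a consumer performs on a returned assertion.
function realmMatches(string $realmFromRequest, string $expectedRealm): bool
{
    return $realmFromRequest === $expectedRealm;
}

// Constructed sample: an assertion issued for evil.example, replayed to S
// with the Host header rewritten so that SERVER_NAME reads evil.example.
$replayedServer = ['REQUEST_SCHEME' => 'https', 'SERVER_NAME' => 'evil.example'];
$realmInReplay  = 'https://evil.example/';

$expectations = [
    'SERVER_NAME-derived realm' => trustRootFromServerName($replayedServer),
    'configuration-pinned realm' => trustRootFromConfig(),
];

foreach ($expectations as $label => $expected) {
    $verdict = realmMatches($realmInReplay, $expected) ? 'accepted' : 'rejected';
    echo $label, ': replayed assertion ', $verdict, PHP_EOL;
}
```

Only the configuration-pinned variant rejects the replayed assertion, which is the check a deployer wants in place of the example code's SERVER_NAME lookup.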