My favorites | Sign in
Project Home Downloads Wiki Issues Source
READ-ONLY: This project has been archived. For more information see this post.
Search
for
  Advanced search   Search tips   Subscriptions
Issue 27: security hole when requesting access token using the authorization method
2 people starred this issue and may be notified of changes. Back to list
Status:  New
Owner:  ----


 
Reported by seve...@wepixel.de, Nov 16, 2012
What steps will reproduce the problem?
1. try to get an access tokken using the "authorization method"
2. forget to send client_secret in post request

What is the expected output? What do you see instead?
FALSE

What version of the product are you using? On what operating system?
PDO version on Ubuntu 

Please provide any additional information below.

->OAuth2.inc
  public function grantAccessToken() {
...
    if ($this->checkClientCredentials($client[0], $client[1]) === FALSE)//doesnt matter if we send an empty client_secret
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
...

-> PDOOAuth2.inc
  protected function checkClientCredentials($client_id, $client_secret = NULL) {
 ...
      if ($client_secret === NULL)
          return $result !== FALSE;//should be ===

      return $result["client_secret"] == md5($client_secret.SALT);
 ...
  }
This is always true as long as you don't provide a client_secret in your post request.
Easy to get an access token just by knowing the client's redirect-uri and it's client_name (if you hijacked the auth_code)


This works perfectly, unfortunately..
      <input type="text" name="client_id" value="xxx" />
      <input type="text" name="grant_type" value="authorization_code" />
      <input type="text" name="redirect_uri" value="http://xxx/client />
      <input type="text" name="code" value="6ed78050dc580a252dee311697ee5bfe" />


Powered by Google Project Hosting