Issue 27: security hole when requesting access token using the authorization method
Status:  New
Owner: ----
Reported by seve...@wepixel.de, Nov 16, 2012
What steps will reproduce the problem?
1. try to get an access tokken using the "authorization method"
2. forget to send client_secret in post request

What is the expected output? What do you see instead?
FALSE

What version of the product are you using? On what operating system?
PDO version on Ubuntu 

Please provide any additional information below.

->OAuth2.inc
  public function grantAccessToken() {
...
    if ($this->checkClientCredentials($client[0], $client[1]) === FALSE)//doesnt matter if we send an empty client_secret
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
...

-> PDOOAuth2.inc
  protected function checkClientCredentials($client_id, $client_secret = NULL) {
 ...
      if ($client_secret === NULL)
          return $result !== FALSE;//should be ===

      return $result["client_secret"] == md5($client_secret.SALT);
 ...
  }
This is always true as long as you don't provide a client_secret in your post request.
Easy to get an access token just by knowing the client's redirect-uri and it's client_name (if you hijacked the auth_code)


This works perfectly, unfortunately..
      <input type="text" name="client_id" value="xxx" />
      <input type="text" name="grant_type" value="authorization_code" />
      <input type="text" name="redirect_uri" value="http://xxx/client />
      <input type="text" name="code" value="6ed78050dc580a252dee311697ee5bfe" />