security hole when requesting access token using the authorization method #27
Description
What steps will reproduce the problem?
1. try to get an access tokken using the "authorization method"
2. forget to send client_secret in post request
What is the expected output? What do you see instead?
FALSE
What version of the product are you using? On what operating system?
PDO version on Ubuntu
Please provide any additional information below.
->OAuth2.inc
public function grantAccessToken() {
...
if ($this->checkClientCredentials($client[0], $client[1]) === FALSE)//doesnt matter if we send an empty client_secret
$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
...
-> PDOOAuth2.inc
protected function checkClientCredentials($client_id, $client_secret = NULL) {
...
if ($client_secret === NULL)
return $result !== FALSE;//should be ===
return $result["client_secret"] == md5($client_secret.SALT);
...
}
This is always true as long as you don't provide a client_secret in your post
request.
Easy to get an access token just by knowing the client's redirect-uri and it's
client_name (if you hijacked the auth_code)
This works perfectly, unfortunately..
<input type="text" name="client_id" value="xxx" />
<input type="text" name="grant_type" value="authorization_code" />
<input type="text" name="redirect_uri" value="http://xxx/client" />
<input type="text" name="code" value="6ed78050dc580a252dee311697ee5bfe" />
Original issue reported on code.google.com by seve...@wepixel.de on 16 Nov 2012 at 2:12