Bug 502591 - [security] - Eclipse cookies are currently included in the URL when oauth2_module fetch an access token
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Accounts.eclipse.org
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Eclipse Web CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 493458
Reported: 2016-09-29 11:34 EDT by Christopher Guindon CLA
Modified: 2017-01-03 16:02 EST

See Also:
Description Christopher Guindon CLA 2016-09-29 11:34:47 EDT
On the user dashboard, the oauth2_client module is currently adding $_REQUEST variables to the redirect url. 

http://cgit.drupalcode.org/oauth2_client/tree/oauth2_client.inc#n359

When a user clicks on the storage tab for the first time, the user is redirected to our oauth2_server and back to the account site.

Since the oauth2_client module includes all of $_REQUEST, it includes cookie values in the URL.

This is vulnerable to Cross-domain Referer leakage:
https://portswigger.net/KnowledgeBase/issues/Details/00500400_CrossdomainRefererleakage

I think there are two things we need to do:

1- I will file a security issue against the oauth2_client module.
2- On our servers we can update php.ini:

I suggest we add a request_order directive with the following value:
; This directive determines which super global data (G,P,C,E & S) should
; be registered into the super global array REQUEST. If so, it also determines
; the order in which that data is registered. The values for this directive are
; specified in the same manner as the variables_order directive, EXCEPT one.
; Leaving this value empty will cause PHP to use the value set in the
; variables_order directive. It does not mean it will leave the super globals
; array REQUEST empty.
; Default Value: None
; Development Value: "GP"
; Production Value: "GP"
; http://php.net/request-order
request_order = "GP"

This will remove cookies from the $_REQUEST variable.
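The two points made above, as an added PHP example that is not part of this bug report or of the oauth2_client module: how request_order decides whether cookies land in $_REQUEST, and why a redirect builder should copy an explicit allowlist of query parameters instead of echoing $_REQUEST. The function names, the sample cookie name and the redirect URL are constructed for the example.

```php
<?php
// Added example; not code from the bug report or from oauth2_client.

// Simulates how PHP fills $_REQUEST: the letters of request_order
// (or variables_order when request_order is empty) are processed left to
// right, and a later source overrides an earlier one on a key collision.
// Only G, P and C ever contribute to $_REQUEST; E and S are ignored.
function build_request_array(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hardened redirect builder: only an explicit allowlist of query keys is
// copied into the URL, so a cookie can never end up in the query string
// (and therefore in the Referer sent to the next host) whatever the ini
// setting on the server happens to be.
function build_redirect_url(string $base, array $request, array $allowed): string
{
    $kept = array_intersect_key($request, array_flip($allowed));
    return $kept ? $base . '?' . http_build_query($kept) : $base;
}

// Constructed sample request: one query parameter plus a session cookie.
$get    = ['destination' => 'user/storage'];
$post   = [];
$cookie = ['SESSexample' => 'constructed-session-id'];

// "GP" (the php.ini-production default) leaves the cookie out of $_REQUEST;
// "GPC" (or an unset request_order with variables_order "EGPCS") pulls it in.
$safe  = build_request_array('GP',  $get, $post, $cookie);
$leaky = build_request_array('GPC', $get, $post, $cookie);

echo 'request_order=GP  -> ' . http_build_query($safe)  . "\n";
echo 'request_order=GPC -> ' . http_build_query($leaky) . "\n";

// Even with the leaky array, the allowlist keeps the cookie out of the URL.
echo build_redirect_url('https://accounts.example.org/oauth2/authorized',
                        $leaky, ['destination']) . "\n";
```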
Comment 1 Christopher Guindon CLA 2016-09-29 11:39:26 EDT
From PHP.NET:

http://php.net/manual/en/ini.core.php#ini.request-order

request_order string

This directive describes the order in which PHP registers GET, POST and Cookie variables into the _REQUEST array. Registration is done from left to right, newer values override older values.

If this directive is not set, variables_order is used for $_REQUEST contents.

Note that the default distribution php.ini files do not contain the 'C' for cookies, due to security concerns.
Comment 2 Christopher Guindon CLA 2016-09-29 12:03:59 EDT
I posted a security issue on drupal.org:
https://security.drupal.org/node/161095
Comment 3 Christopher Guindon CLA 2017-01-03 16:02:56 EST
We made the necessary changes to remove this risk.