On the user dashboard, the oauth2_client module is currently adding $_REQUEST variables to the redirect URL: http://cgit.drupalcode.org/oauth2_client/tree/oauth2_client.inc#n359

When a user clicks on the storage tab for the first time, the user is redirected to our oauth2_server and back to the account site. Since the oauth2_client module includes all of $_REQUEST, it includes cookie values in the URL. This is vulnerable to Cross-domain Referer leakage: https://portswigger.net/KnowledgeBase/issues/Details/00500400_CrossdomainRefererleakage

I think there are two things we need to do:

1. I will file a security issue against the oauth2_client module.
2. On our servers we can update php.ini. I suggest we add a request_order directive with the following value:

; This directive determines which super global data (G,P,C,E & S) should
; be registered into the super global array REQUEST. If so, it also determines
; the order in which that data is registered. The values for this directive are
; specified in the same manner as the variables_order directive, EXCEPT one.
; Leaving this value empty will cause PHP to use the value set in the
; variables_order directive. It does not mean it will leave the super globals
; array REQUEST empty.
; Default Value: None
; Development Value: "GP"
; Production Value: "GP"
; http://php.net/request-order
request_order = "GP"

This will remove cookies from the $_REQUEST variable.
From PHP.NET: http://php.net/manual/en/ini.core.php#ini.request-order

request_order string
This directive describes the order in which PHP registers GET, POST and Cookie variables into the _REQUEST array. Registration is done from left to right, newer values override older values. If this directive is not set, variables_order is used for $_REQUEST contents. Note that the default distribution php.ini files do not contain the 'C' for cookies, due to security concerns.
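The problem described above, as an added example that is not code from the oauth2_client module or from anyone in this thread: the vulnerable pattern that forwards everything in $_REQUEST into a redirect URL, beside a hardened version that forwards only allow-listed $_GET keys, plus a check of whether the running PHP registers cookies into $_REQUEST. The sample request data, the cookie name and the server host are constructed placeholders.

```php
<?php
// Added example, not the module's own code. Constructed sample input standing in
// for a real request to the dashboard; SESSabc123 is a placeholder cookie name.
$sampleGet    = ['destination' => 'user/storage', 'page' => '2'];
$sampleCookie = ['SESSabc123' => 'secret-session-id'];
// This is what $_REQUEST looks like when request_order (or, if request_order is
// empty, variables_order) contains "C": cookies are merged in with GET/POST data.
$sampleRequest = array_merge($sampleGet, $sampleCookie);

// Vulnerable pattern: every key in $_REQUEST ends up in the redirect URL, and the
// URL then travels to the other origin in the Referer header of later requests.
function buildRedirectFromRequest(string $base, array $request): string
{
    return $base . '?' . http_build_query($request);
}

// Hardened pattern: only explicitly named query parameters, read from $_GET
// rather than $_REQUEST, are forwarded; cookies never reach the URL regardless
// of how php.ini is configured.
function buildRedirectAllowList(string $base, array $get, array $allowed): string
{
    $params = array_intersect_key($get, array_flip($allowed));
    return $base . ($params ? '?' . http_build_query($params) : '');
}

// Configuration check: cookies are registered into $_REQUEST when request_order
// contains "C", or when request_order is empty and variables_order contains "C".
function requestIncludesCookies(): bool
{
    $order = ini_get('request_order');
    if ($order === false || $order === '') {
        $order = ini_get('variables_order');
    }
    return stripos((string) $order, 'C') !== false;
}

$server = 'https://oauth2-server.example/authorize'; // placeholder host
echo "Vulnerable: ", buildRedirectFromRequest($server, $sampleRequest), PHP_EOL;
echo "Hardened:   ", buildRedirectAllowList($server, $sampleGet, ['destination']), PHP_EOL;
echo "Cookies registered into \$_REQUEST on this PHP: ",
     requestIncludesCookies() ? 'yes' : 'no', PHP_EOL;
```

Run it once with the default request_order and once with request_order = "GP" set in php.ini to see the last line change; the allow-list version produces the same safe URL in both cases.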
I posted a security issue on drupal.org: https://security.drupal.org/node/161095
We made the necessary changes on to remove this risk.