[dev] horde/lib/Auth/yahoo.php security problem

Vijay Mahrra vijay.mahrra at es.easynet.net
Wed Aug 27 09:31:13 PDT 2003


I've recently been experimenting with various authentication libraries in
horde and noticed a problem with the yahoo auth.  It authenticates correctly
with any valid yahoo username, e.g. for me

vmahrra
vmahrra at yahoo.com

and the correct password.  However if I enter

vmahrra at example.com

I get logged in successfully with ANY password.  And not only that, I can
log in as anyuser at anydomain and I get successfully authenticated and can
browse the horde installation, e.g. shared calendars in kronolith etc.  This
obviously has issues if the horde installation is not configured to use a
domain as part of the user's id with the storage backends.

I wrote this simple code (diff attached) at the top of the _authenticate
method to do a 'rough and ready' validation of the domain part, basically
checking if 'yahoo.' is contained if the userID has a domain part.

But I have noticed something about Yahoo's authentication system.  I can use
the same username part, i.e. vmahrra, against any yahoo domain!

e.g.

vmahrra at yahoo.co.uk
vmahrra at yahoo.es

using any of the above userIDs with the correct password for 'vmahrra' will
log me in.  So perhaps the yahoo auth ought to be modified further to actually
'chop-off' the domain part altogether when auth'ing or something?

Vijay
--
vijay mahrra                        office: +34 917894652
systems developer/administrator     mobile: +34 679993442
easynet españa (madrid)         http://www.es.easynet.net


-------------- next part --------------
A non-text attachment was scrubbed...
Name: yahoo.php.diff
Type: text/x-diff
Size: 1005 bytes
Desc: not available
Url : http://lists.horde.org/archives/dev/attachments/20030827/d9269da7/yahoo.php-0001.bin
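An added example (not Horde's code and not the attached diff) of the pre-check the post proposes for the top of `_authenticate`: reject any domain part that is not a known Yahoo domain, then strip the domain so the backend only ever sees the bare local part. The accepted-domain list and the function name are assumptions.

```php
<?php
// Added example, not Horde's own code. Normalise a Yahoo-style user ID
// before it reaches the Yahoo backend. The post reports two things:
//   1. a non-Yahoo domain part is not validated, so anything@example.com
//      is accepted with any password;
//   2. the same local part authenticates against any Yahoo domain.
// So: accept only a known Yahoo domain (or no domain at all), and return
// only the local part. The domain list below is an assumption.

function yahooLocalPart($userId)
{
    $allowedDomains = array('yahoo.com', 'yahoo.co.uk', 'yahoo.es');

    $userId = trim($userId);
    if ($userId === '') {
        return false;
    }

    // More than one '@' is malformed: reject outright.
    $atCount = substr_count($userId, '@');
    if ($atCount > 1) {
        return false;
    }

    if ($atCount === 0) {
        // Bare username, e.g. "vmahrra": nothing to validate.
        return $userId;
    }

    list($local, $domain) = explode('@', $userId, 2);
    $domain = strtolower($domain);

    // Exact match against the list. A substring test for 'yahoo.' would
    // still accept a domain such as "yahoo.example.com".
    if ($local === '' || !in_array($domain, $allowedDomains, true)) {
        return false;
    }

    return $local;
}

// Constructed inputs mirroring the cases described in the post.
$samples = array('vmahrra', 'vmahrra@yahoo.com', 'vmahrra@yahoo.co.uk',
                 'vmahrra@example.com', '@yahoo.com', 'a@b@yahoo.com');
foreach ($samples as $id) {
    $local = yahooLocalPart($id);
    printf("%-22s => %s\n", $id,
           $local === false ? 'REJECT' : "authenticate as '$local'");
}
```

In `_authenticate`, a `false` return would fail the login before the Yahoo backend is contacted, and the returned local part would be what is actually sent to it.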

