danprime / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

PHP library : timestamp check security bug #71

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
In Oauth we have double security check: nonce and timestamp
Server remembers nonces for some time (for instance 1 day) so when reqest 
comes server checks nonce, and then timestamp (if expired)

So when someone sniffs client reqest this request can't be repeated (nonce 
alredy used, or when on the server side nonce was forgotten after 1 day, and 
hacker will try to repeat request after 2 days - timestamp is expired)
But if client has wrong local time (let's say client time: December 15, 
server side December 13) sniffer can save request, wait for one day, and 
repeat request (it will be December 14, nonce on server side will be 
forgotten)

For now, sniffer can REPEAT request IF client sends wrong time (grater than 
server time)

on line 624 server checks timestamp:

if ($now - $timestamp > $this->timestamp_threshold) {

SHOULD BE:

if (abs($now - $timestamp) > $this->timestamp_threshold) {

Original issue reported on code.google.com by przemysl...@gmail.com on 12 Dec 2008 at 9:35

GoogleCodeExporter commented 8 years ago

Original comment by leah.culver on 14 Jan 2009 at 9:57

GoogleCodeExporter commented 8 years ago

Original comment by morten.f...@gmail.com on 18 May 2009 at 6:06

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r1163.

Original comment by morten.f...@gmail.com on 5 Jan 2010 at 11:30