enjoyzhao2 / oauth2-php

Automatically exported from code.google.com/p/oauth2-php
MIT License
0 stars 0 forks source link

security hole when requesting access token using the authorization method #27

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. try to get an access tokken using the "authorization method"
2. forget to send client_secret in post request

What is the expected output? What do you see instead?
FALSE

What version of the product are you using? On what operating system?
PDO version on Ubuntu 

Please provide any additional information below.

->OAuth2.inc
  public function grantAccessToken() {
...
    if ($this->checkClientCredentials($client[0], $client[1]) === FALSE)//doesnt matter if we send an empty client_secret
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
...

-> PDOOAuth2.inc
  protected function checkClientCredentials($client_id, $client_secret = NULL) {
 ...
      if ($client_secret === NULL)
          return $result !== FALSE;//should be ===

      return $result["client_secret"] == md5($client_secret.SALT);
 ...
  }
This is always true as long as you don't provide a client_secret in your post 
request.
Easy to get an access token just by knowing the client's redirect-uri and it's 
client_name (if you hijacked the auth_code)

This works perfectly, unfortunately..
      <input type="text" name="client_id" value="xxx" />
      <input type="text" name="grant_type" value="authorization_code" />
      <input type="text" name="redirect_uri" value="http://xxx/client" />
      <input type="text" name="code" value="6ed78050dc580a252dee311697ee5bfe" />

Original issue reported on code.google.com by seve...@wepixel.de on 16 Nov 2012 at 2:12