iriscouch / browserid_couchdb

Mozilla BrowserID support plugin for CouchDB
Apache License 2.0

Security Issue: 'audience' parameter is controlled by client, can be spoofed #13

Closed snej closed 11 years ago

snej commented 11 years ago

The current code gets the "audience" parameter for verification from the "Host" header of the client's request:

```erlang
Assertion = couch_util:get_value("assertion", Form, ""),
%% Audience is taken from the client-supplied Host header (the problem this issue reports)
Audience = MochiReq:get_header_value("host"),
case verify_id(Assertion, Audience) of
```

This is insecure; the Audience string should be controlled only by server-side code. If the client is able to provide it, they can spoof the login, as described on Mozilla's security considerations page:

Do not trust the Host header sent by the user's browser. ... If you trust the user's browser to tell you the audience, then it becomes possible for a malicious web site to reuse assertions for its web site to log into your web site.

jhs commented 11 years ago

Thanks, Jens.

ssured commented 11 years ago

Hello,

I think this is a correct implementation, but it really hurts my setup. I'm running several different sites using nginx as a proxy to a couchdb running on localhost. As this one server is serving pages for both http://example1.com/_browserid and http://example2.com/_browserid, the current solution does not work for me.

Another option would be to provide an object for audience:

```javascript
audience = {
  _default: 'http://example.com',  // is used for /_browserid
  examplea: 'http://example1.com', // is used for /_browserid/examplea url
  exampleb: 'http://example2.com'  // /_browserid/exampleb
}
```

Would that work out? Thanks a lot!
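The following is an added example, not code from the browserid_couchdb project (which is written in Erlang) or from anyone in this thread. It shows, in Python, why the Host-derived audience that snej reports is spoofable and what the server-side alternative looks like, including the per-path audience map ssured proposes above. A toy HMAC stands in for BrowserID's real signed certificate chain; only the property that matters here is kept, namely that the audience is signed into the assertion. `IDP_KEY`, `AUDIENCES`, the request dictionaries, `evil.example`, `couch.example.org` and the user addresses are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's signing key. Real BrowserID
# assertions are signed by the user's key and chained to an IdP certificate; the
# toy HMAC keeps only the relevant property: the audience is covered by the signature.
IDP_KEY = b"constructed-idp-secret-not-a-real-key"


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_assertion(email: str, audience: str) -> str:
    """Mint a toy assertion binding `email` to the site (`audience`) it was issued for."""
    payload = json.dumps({"email": email, "aud": audience}, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)


def verify_assertion(assertion: str, expected_audience: str):
    """Return the asserted email if the signature is valid AND the signed audience
    equals `expected_audience`; otherwise None."""
    try:
        p64, s64 = assertion.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    want = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, want):
        return None
    claims = json.loads(payload)
    if claims.get("aud") != expected_audience:
        return None
    return claims["email"]


# Vulnerable pattern from the issue: the audience is whatever the client put in Host.
def login_host_derived(request: dict):
    return verify_assertion(request["form"]["assertion"], request["headers"]["host"])


# Fix: the audience comes from server-side configuration, never from the request.
# Hypothetical config shape, keyed by the URL path segment after /_browserid, with
# "_default" used when the path is not listed (the multi-site idea from the thread).
AUDIENCES = {
    "_default": "couch.example.org",
    "examplea": "example1.com",
    "exampleb": "example2.com",
}


def login_configured(request: dict, audiences: dict = AUDIENCES):
    # The client can only *select* among operator-configured audiences; it cannot
    # introduce one of its own the way it can with the Host header.
    site = request["path"]
    if site.startswith("/_browserid"):
        site = site[len("/_browserid"):]
    audience = audiences.get(site.strip("/"), audiences["_default"])
    return verify_assertion(request["form"]["assertion"], audience)


def demo() -> dict:
    """Replay attack from the issue: a malicious site (evil.example) collects an
    assertion the user legitimately minted *for evil.example*, then submits it to the
    CouchDB endpoint with a Host header of its own choosing."""
    stolen = issue_assertion("alice@example.com", "evil.example")
    replay = {
        "path": "/_browserid",
        "headers": {"host": "evil.example"},   # attacker controls this value
        "form": {"assertion": stolen},
    }
    genuine = issue_assertion("alice@example.com", "couch.example.org")
    honest = {
        "path": "/_browserid",
        "headers": {"host": "couch.example.org"},
        "form": {"assertion": genuine},
    }
    return {
        "host_derived_accepts_replay": login_host_derived(replay),  # 'alice@example.com'
        "configured_rejects_replay": login_configured(replay),      # None
        "configured_accepts_genuine": login_configured(honest),     # 'alice@example.com'
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The replayed assertion is cryptographically valid; the only thing that stops it is the audience check, which is why that value must never originate from the request. With the per-path map, a request to `/_browserid/examplea` still cannot log in with the evil.example assertion, because the path can only pick `example1.com` from the operator's list.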