Security Issue: 'audience' parameter is controlled by client, can be spoofed

[snej]

The current code gets the "audience" parameter for verification from the "Host" header of the client's request:

Assertion = couch_util:get_value("assertion", Form, ""),
Audience = MochiReq:get_header_value("host"),
case verify_id(Assertion, Audience) of

This is insecure; the Audience string should be controlled only by server-side code. If the client is able to provide it, they can spoof the login, as described on Mozilla's security considerations page:

Do not trust the Host header sent by the user's browser. ... If you trust the user's browser to tell you the audience, then it becomes possible for a malicious web site to reuse assertions for its web site to log into your web site.

[jhs]

Thanks, Jens.

[ssured]

Hello,

I think this is a correct implementation, but it really hurts my setup. I'm running several different sites using nginx as a proxy to a couchdb running on localhost. As this one server is serving pages for both http://example1.com/_browserid and http://example2.com/_browserid, the current solution does not work for me.

Another option would be to provide an object for audience: audience = {_default: 'http://example.com', // is used for /_browserid examplea: 'http://example1.com', // is used for /_browserid/examplea url exampleb: 'http://example2.com'} // /_browserid/exampleb

Would that work out? Thanks a lot!