
This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
The Basics
Id: 44767
Status: resolved
Priority: 0/
Queue: Net-OpenID-Consumer

People
Owner: MART [...] cpan.org
Requestors: MART [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in:
  • 1.100099_002
  • 1.11



Subject: Net::OpenID::Consumer does not use a nonce to prevent replay attacks
Currently Net::OpenID::Consumer is completely ignoring the response_nonce sent by the server and not including a nonce of its own. It *does* use a proprietary mechanism to include a timestamp, which at least limits the window of time for a replay attack.
I believe this is fixed in Net-OpenID-Consumer-1.11. If you want to try it out, please make sure you've also installed the latest Net-OpenID-Common. Feel free to re-open (or start a new ticket) if I'm mistaken about this. Thanks for the report and sorry this took so long to get to... - Roger Crew (new co-maintainer as of a few weeks ago)
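As an added illustration of the check this ticket asks for (not code from Net::OpenID::Consumer or Net::OpenID::Common, and written in Python rather than Perl so it runs stand-alone), the following shows what a relying party must do with the OpenID 2.0 response_nonce: parse its UTC timestamp prefix, reject values outside a freshness window, and refuse any nonce it has already accepted from the same OP endpoint. The endpoint URLs, nonce strings and the fixed clock are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: a UTC timestamp in ISO 8601 form ending in 'Z',
# followed by zero or more printable ASCII characters that make the value unique.
# The whole field is limited to 255 characters.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z([\x21-\x7e]*)$")
MAX_NONCE_LEN = 255


class NonceStore:
    """Tracks response_nonce values accepted from each OP endpoint.

    A relying party that only checks a timestamp (the situation the ticket
    describes) still accepts the same signed assertion twice inside the window;
    recording (endpoint, nonce) pairs closes that gap. Entries older than the
    window can be dropped because the timestamp check rejects them anyway.
    """

    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew
        self._seen = {}  # (op_endpoint, nonce) -> timestamp parsed from the nonce

    def parse_timestamp(self, nonce):
        """Return the nonce's UTC timestamp, or None if the value is malformed."""
        if len(nonce) > MAX_NONCE_LEN:
            return None
        m = NONCE_RE.match(nonce)
        if not m:
            return None
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        except ValueError:  # e.g. month 13 matches the regex but is not a date
            return None
        return ts.replace(tzinfo=timezone.utc)

    def check(self, op_endpoint, nonce, now=None):
        """Classify a nonce as 'ok', 'malformed', 'stale' or 'replayed'.

        'ok' also records the nonce, so presenting it again yields 'replayed'.
        """
        now = now or datetime.now(timezone.utc)
        ts = self.parse_timestamp(nonce)
        if ts is None:
            return "malformed"
        if abs(now - ts) > self.max_skew:
            return "stale"
        key = (op_endpoint, nonce)
        if key in self._seen:
            return "replayed"
        self._seen[key] = ts
        return "ok"

    def prune(self, now=None):
        """Forget nonces already outside the window; return how many were dropped."""
        now = now or datetime.now(timezone.utc)
        expired = [k for k, ts in self._seen.items() if abs(now - ts) > self.max_skew]
        for k in expired:
            del self._seen[k]
        return len(expired)

    def __len__(self):
        return len(self._seen)


def demo():
    # Constructed sample data: a fixed relying-party clock and a hypothetical OP endpoint.
    now = datetime(2009, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    op = "https://op.example.test/endpoint"
    store = NonceStore()
    nonce = "2009-03-01T11:59:30Zq7Xk2"  # constructed, 30 seconds old
    return [
        store.check(op, nonce, now),                        # ok
        store.check(op, nonce, now),                        # replayed
        store.check(op, "2009-03-01T11:00:00Zq7Xk2", now),  # stale (one hour old)
        store.check(op, "2009-03-01T11:59:30zq7Xk2", now),  # malformed (lowercase z)
    ]


def demo_prune():
    # The same nonce from two different OP endpoints is two distinct entries;
    # both age out once the clock moves past the window.
    now = datetime(2009, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    store = NonceStore()
    store.check("https://op.example.test/endpoint", "2009-03-01T11:59:30Zq7Xk2", now)
    store.check("https://other.example.test/endpoint", "2009-03-01T11:59:30Zq7Xk2", now)
    before = len(store)
    dropped = store.prune(now + timedelta(minutes=10))
    return before, dropped, len(store)


if __name__ == "__main__":
    print(demo(), demo_prune())
```

The store is keyed by OP endpoint because the specification only requires a nonce to be unique per OP; a single global set would wrongly reject a legitimate assertion from a second provider that happened to reuse the same string. The window size is the only tunable: it bounds both how much clock skew is tolerated and how long the store must remember accepted values.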