it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] OAuth 2.0 Client Login (Single Sign-On) - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] OAuth 2.0 Client Login (Single Sign-On) - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
- Date: Wed, 13 Feb 2019 19:46:28 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-016
Project: OAuth 2.0 Client Login (Single Sign-On) [1]
Date: 2019-February-13
Security risk: *Critical* 17/25
AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Multiple Vulnerabilities
Description:
This module lets users log in to Drupal websites through an external provider
over the OAuth 2.0 protocol.
The module sets a Drupal variable used for redirection based on unsanitised
user input, leading to an Open Redirect vulnerability. It also fails to
sanitise user input that is displayed as part of an error message by a test
authentication endpoint accessible to anonymous users, leading to an XSS
vulnerability.
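As an added illustration (not code from the module, from the fix, or from Drupal core), the two checks a remediation for these vulnerability classes needs: a redirect-target validator that only accepts site-local paths or URLs on an allowlisted host, and HTML escaping of any user input echoed into an error message. The host example.org, the function names and the default destination are constructed assumptions; the validator also covers the usual bypass shapes (scheme-relative `//host`, backslashes, triple slashes, non-http schemes, CR/LF) that a naive "starts with a slash" test misses.

```python
import html
from urllib.parse import urlsplit

# Constructed assumption: the site's own host(s) and a safe fallback destination.
ALLOWED_HOSTS = {"example.org"}
DEFAULT_DESTINATION = "/user"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_DESTINATION):
    """Return a redirect target that stays on this site, or the default.

    Accepts: site-absolute paths ("/node/1"), relative paths ("node/1",
    rewritten to "/node/1") and http(s) URLs whose host is allowlisted.
    Rejects everything else instead of trying to "clean" it.
    """
    if not isinstance(candidate, str) or not candidate.strip():
        return default
    candidate = candidate.strip()

    # Control characters (CR/LF in particular) in a Location header would
    # allow header injection; refuse rather than strip them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return default

    # Browsers treat "\" like "/" when resolving URLs, so normalise first,
    # otherwise "/\evil.example" slips past a "starts with one slash" check.
    normalised = candidate.replace("\\", "/")

    # "//host" is scheme-relative and "///host" is resolved to "host" by
    # browsers, so any leading double slash means an off-site redirect.
    if normalised.startswith("//"):
        return default

    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: only http(s) and only to a host we explicitly allow.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default
        return normalised

    if parts.netloc:
        return default  # defensive: should already be caught above

    if not normalised.startswith("/"):
        normalised = "/" + normalised  # make a relative path site-absolute
    return normalised


def render_error(message):
    """Render a user-influenced message inside an error box with escaping.

    Escaping at output time is what prevents reflected XSS when the message
    contains attacker-controlled text (e.g. an echoed request parameter).
    """
    return ('<div class="messages error">'
            + html.escape(message, quote=True)
            + "</div>")


if __name__ == "__main__":
    # Constructed sample inputs: what a login callback might receive.
    for value in ["/user/login", "node/1", "//evil.example/phish",
                  "https://example.org/profile", "javascript:alert(1)"]:
        print(repr(value), "->", safe_redirect_target(value))
    print(render_error("Login failed for <script>alert(1)</script>"))
```

The validator rejects rather than rewrites: an attacker-controlled value that is not clearly site-local falls back to a fixed destination, which is the behaviour a reviewer should look for when checking a redirect-handling fix.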
Solution:
Install the latest version:
* If you use the miniOrange OAuth Client module for Drupal 7.x, upgrade to
miniOrange OAuth Client 7.x-1.21 [3]
Reported By:
* Drew Webber [4]
Fixed By:
* Drew Webber [5] provisional security team member
* Gaurav Sood [6]
Coordinated By:
* Drew Webber [7] provisional security team member
[1] https://www.drupal.org/project/miniorange_oauth_client
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_oauth_client/releases/7.x-1.21
[4] https://www.drupal.org/user/255969
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/3288491
[7] https://www.drupal.org/user/255969
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.