OpenID Vulnerability Alert

Posted: Mon Aug 26, 2013 3:27 pm
by 10539yutaka
OpenID Foundation (OpenID Foundation website) has reported that some OpenID Authentication 2.0 server implementations were found to be vulnerable.
Anyone who implements an OP or RP on a Zimbra server (maybe as a server extension) should take a look at the details in their post below:

Vulnerability Alert – OpenID 2.0 Implementations Vulnerabilities found in some OPs | OpenID

OpenID Vulnerability Alert

Posted: Mon Sep 02, 2013 11:40 am
by 10539yutaka
The root cause of this is a vulnerable implementation on the OP side.

So something should be done on the OP side eventually.

But in the meanwhile, there could be some workaround which the RP itself can do.

One is to stop using private associations and use only shared associations on the RP side.
I guess you can do this with the zimbraOpenidConsumerStatelessModeEnabled attribute in Zimbra LDAP if you use the OpenID Consumer server extension in the Zimbra NE package.
(I can only "guess" that because I cannot find the source code of the OpenID Consumer server extension in Zimbra. :p)

OpenID Vulnerability Alert

Posted: Wed Jan 13, 2016 2:46 pm
by jkhondhu@zimbra.com
https://bugzilla.zimbra.com/show_bug.cgi?id=102276 - OpenID: Unsafe use of a serialized java object [CWE-502]

https://bugzilla.zimbra.com/show_bug.cgi?id=102227 - Patch java.commons.io for security exploit [CWE-502]

Re: OpenID Vulnerability Alert

Posted: Tue Jan 16, 2018 11:53 am
by sunshinejulie4
OpenID has not been working for me for years now.