OpenID4CF Updated To Fix Potential Security Issue

Last week I gave a 30 minute introduction to OpenID at our monthly developer tech talk lunch. Soon after the talk my co-worker Tim Allen sent me this article on a recently discovered security vulnerability in most open source OpenID implementations.

I was particularly interested because I maintain OpenID4CF, which is based on the OpenID4Java library. So I did a little more research into the issue and asked about it on the OpenID4Java mailing list. As it turns out OpenID4Java is potentially vulnerable to this attack, but a user on the list was able to give some advice on how to patch the library based on a fix committed to JOpenID.

Now I don't really know how exploitable this vulnerability is, but given how simple the fix was I went ahead and patched the fork of OpenID4Java I package for OpenID4CF and posted it to RIAForge. Hopefully OpenID4Java will be patched shortly, but in the meantime you can use the version I include with OpenID4CF if you want to protect against this potential vulnerability.

Comments
Brian Panulla's Gravatar The link you posted to your project site is broken.
# Posted By Brian Panulla | 7/27/10 1:22 PM
Nathan Mische's Gravatar @Brian - Fixed the link. Thanks!
# Posted By Nathan Mische | 7/28/10 9:52 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.