We discovered a potential issue in the Web-Server Application scenario (also
termed "Authorization Code") of zf-oauth2.
An attacker can pass a
user_id value in the query string when using the
scenario, and associate the authorization code and the token to a different
user. Passing the
user_id in the query string is a bad practice; the user
identity should be managed server side using a value from original authorization
(e.g. from the original login page).
The vulnerability exists in all stable versions of zf-oauth2 from 1.1.0 forward.
Only applications using the
authorization_code scenario are affected.
We removed the ability to specify the
user_id in the query string when
/authorize resource, and we now use
Zend\Authorization\AuthorizationService as the default mechanism for managing
the identity of the user under this OAuth2 scenario.
The patch fixing the issues has been applied in the following versions:
Additionally, we have released corresponding versions of the Apigility skeleton, used by our installer, to ensure they use these versions of zf-oauth2 by default.
If you are using
zf-oauth2 with the web application/authorization code
scenario, we recommend upgrading zf-oauth2 to either 1.2.1 or 1.3.1. This can
usually be done using
composer update zfcampus/zf-oauth2.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org