This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information

The Basics
Id: 44767
Status: resolved
Priority: Low/Low

People
Owner: MART [...] cpan.org
Requestors: MART [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity: Critical
Broken in: (no value)
Fixed in:
  • 1.100099_002
  • 1.11

Subject: Net::OpenID::Consumer does not use a nonce to prevent replay attacks
Currently Net::OpenID::Consumer is completely ignoring the response_nonce sent by the server and not including a nonce of its own. It *does* use a proprietary mechanism to include a timestamp, which at least limits the window of time for a replay attack.
I believe this is fixed in Net-OpenID-Consumer-1.11. If you want to try it out, please make sure you've also installed the latest Net-OpenID-Common. Feel free to re-open (or start a new ticket) if I'm mistaken about this. Thanks for the report and sorry this took so long to get to... - Roger Crew (new co-maintainer as of a few weeks ago)
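The check the report says was missing, written out as an added example (in Python for illustration; this is not Net::OpenID::Consumer code and does not show how the 1.11 fix is implemented). It assumes the OpenID Authentication 2.0 definition of openid.response_nonce: a UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by unique ASCII characters, at most 255 characters in total, with the rule that a relying party must not accept the same nonce twice from the same OP Endpoint URL. The NonceStore class and the 300-second age window and 60-second clock-skew tolerance are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by
# unique printable ASCII characters; the whole value is at most 255 characters.
NONCE_MAX_LEN = 255
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")


class NonceStore:
    """In-memory record of accepted nonces, keyed by (OP endpoint, nonce).

    Hypothetical helper for this example. A real consumer would back this with
    a store shared by every front-end, otherwise a nonce accepted by one
    process could be accepted again by another.
    """

    def __init__(self, max_age_seconds=300, max_skew_seconds=60):
        self.max_age = timedelta(seconds=max_age_seconds)    # oldest nonce still accepted
        self.max_skew = timedelta(seconds=max_skew_seconds)  # OP clock allowed ahead of ours
        self._seen = {}  # (op_endpoint, nonce) -> timestamp embedded in the nonce

    def _prune(self, now):
        # A nonce older than max_age is rejected as stale regardless of the
        # store, so it no longer has to be remembered.
        cutoff = now - self.max_age
        self._seen = {k: ts for k, ts in self._seen.items() if ts >= cutoff}

    def check_and_record(self, op_endpoint, nonce, now=None):
        """Accept a nonce exactly once per OP endpoint. Returns (accepted, reason)."""
        now = now if now is not None else datetime.now(timezone.utc)

        # 1. Syntax: length bound and timestamp prefix.
        if len(nonce) > NONCE_MAX_LEN:
            return False, "malformed"
        m = NONCE_RE.match(nonce)
        if not m:
            return False, "malformed"
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:  # e.g. month 13: right shape, impossible date
            return False, "malformed"

        # 2. Freshness: bounds the replay window and bounds how much we store.
        if ts < now - self.max_age:
            return False, "stale"
        if ts > now + self.max_skew:
            return False, "from the future"

        # 3. Uniqueness: the same nonce from the same OP is accepted only once.
        self._prune(now)
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False, "replayed"
        self._seen[key] = ts
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an assertion arriving twice from the same OP.
    op = "https://op.example/endpoint"
    store = NonceStore()
    nonce = "2009-04-07T11:59:30Zabc123"
    now = datetime(2009, 4, 7, 12, 0, 0, tzinfo=timezone.utc)
    print(store.check_and_record(op, nonce, now=now))  # first use
    print(store.check_and_record(op, nonce, now=now))  # replay
```

The freshness check matters for more than clock sanity: without an age bound the relying party would have to remember every nonce it ever accepted, while with it the store only needs to hold nonces from the last few minutes. Nonces are scoped per OP endpoint because different providers may legitimately generate identical values.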

