GHSA-3x57-m5p4-rgh4: 
PHP vulnerability analysis and mitigation

A security vulnerability was identified in the Consumer component of ZendOpenId (and Zend_OpenId in ZF1) that allows unauthorized login using arbitrary OpenID accounts through a malicious OpenID Provider. The vulnerability, tracked as GHSA-3x57-m5p4-rgh4, was discovered in versions 2.0.0 to 2.0.2 of the zendframework/zendopenid package and was patched in version 2.0.2 (Zend Advisory).

The vulnerability stems from two main issues in the OpenID implementation: First, the framework accepts OpenID tokens with arbitrary signed elements without properly validating that all required parameters are signed. Second, the Consumer component does not properly verify if critical elements like openid.claimedid and openid.endpointurl are signed. According to the OpenID specification, certain parameters including opendpoint, returnto, responsenonce, assochandle, and when present, claimed_id and identity, must be signed (Zend Advisory).

The vulnerability allows attackers to impersonate any OpenID Identity (such as MyOpenID, Google, etc.) without having control of the actual OpenID Provider or knowing any secret information. This enables unauthorized access to systems relying on ZendOpenId for authentication (Zend Advisory).

The vulnerability was addressed in Zend Framework 1 version 1.12.4 and ZendOpenId version 2.0.2. The fixes include verifying that the openidopendpoint value matches the previous server related to the same openidassochandle, and validating that all required parameters are present in the openid_signed list before performing signature validation (Zend Advisory).

The vulnerability was identified by Christian Mainka and Vladislav Mladenov, researchers at the Ruhr-University Bochum, who worked with the Zend Framework team to develop the fix. The solution was implemented by Enrico Zimuel from Zend (Zend Advisory).