VYPR
High severity · NVD Advisory · Published Jan 26, 2018 · Updated Aug 5, 2024

CVE-2017-18076

Description

In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OmniAuth before 1.3.2 stores POST parameters including authenticity_token in the session, leaking them into the callback phase.

Vulnerability

In OmniAuth versions before 1.3.2, the strategy.rb file uses request.params to store parameters into the session under the key 'omniauth.params'. Because request.params includes both GET and POST parameters, the authenticity_token value (or other sensitive data submitted via POST) is persisted in the session and remains accessible in the environment during the callback phase. This affects all OmniAuth versions prior to 1.3.2. [1][2][4]

Exploitation

An attacker does not need direct network access to the victim's session; the vulnerability is triggered simply by the normal OAuth flow where a user submits a POST request containing sensitive parameters (such as authenticity_token) during the request phase. The parameters are stored in the session server-side and then exposed in the callback phase environment. No special authentication or user interaction beyond the standard OAuth login flow is required. [1][2][4]

Impact

Sensitive POST parameters, including CSRF tokens like authenticity_token, are unintentionally retained in the session and made available during the callback phase. This could lead to information disclosure of tokens meant to be transient, potentially enabling cross-site request forgery attacks or other session-based exploits that rely on token reuse. The scope is limited to the parameters that are submitted via POST, but the exposure occurs regardless of whether the application intends to store them. [2][4]

Mitigation

The fix is included in OmniAuth version 1.3.2, released on July 3, 2017. The patch changes session['omniauth.params'] = request.params to session['omniauth.params'] = request.GET, ensuring only GET parameters are stored in the session. Users should upgrade to OmniAuth 1.3.2 or later. No workaround is documented for versions prior to 1.3.2. [2][4]
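The vulnerable and patched request-phase assignments side by side, as an added example that is not OmniAuth's own code: it uses a small stdlib-only stand-in for Rack::Request (assumed to mirror Rack's GET / POST / params semantics) and a constructed POST request, so it runs without the rack or omniauth gems and shows which parameter names reach the callback phase under each version.

```ruby
require 'uri'
require 'stringio'

# Dependency-free stand-in for the slice of Rack::Request that strategy.rb
# uses (assumption: mirrors Rack's GET / POST / params semantics).
class MiniRequest
  def initialize(env)
    @env = env
  end
  # Query-string parameters only, like Rack::Request#GET.
  def GET
    URI.decode_www_form(@env['QUERY_STRING'].to_s).to_h
  end
  # Form-body parameters only, like Rack::Request#POST.
  def POST
    return {} unless @env['REQUEST_METHOD'] == 'POST'
    URI.decode_www_form(@env['rack.input'].read).to_h
  end
  # GET merged with POST, like Rack::Request#params: the source of the leak.
  def params
    self.GET.merge(self.POST)
  end
end

# Request phase as in OmniAuth < 1.3.2: everything in request.params is persisted.
def vulnerable_request_phase(env, session)
  session['omniauth.params'] = MiniRequest.new(env).params
end

# Request phase after the 1.3.2 patch: only the query string is persisted.
def fixed_request_phase(env, session)
  session['omniauth.params'] = MiniRequest.new(env).GET
end

# Callback phase: the stored hash is exposed as env['omniauth.params'] to the app.
def callback_phase(session)
  { 'omniauth.params' => session.delete('omniauth.params') }
end

# Constructed sample: a POST to the request endpoint carrying a CSRF token in
# the form body and a benign return path in the query string.
def sample_env
  { 'REQUEST_METHOD' => 'POST', 'QUERY_STRING' => 'origin=%2Fdashboard',
    'rack.input' => StringIO.new('authenticity_token=CONSTRUCTED_TOKEN&remember_me=1') }
end

# Parameter names that survive into the callback phase under a given request phase.
def leaked_keys(phase)
  session = {}
  send(phase, sample_env, session)
  callback_phase(session)['omniauth.params'].keys.sort
end
```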

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
omniauth    RubyGems    < 1.3.2             1.3.2
