Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5241 to the following vulnerability:

Name: CVE-2011-5241
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5241
Assigned: 20121106
Reference: http://www.unrest.ca/peerjacking

Services_Twitter 0.6.3 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
The flawed code is in Services/Twitter.php (lines 489-499):

    public function getRequest()
    ...
        if ($this->getOption('use_ssl')) {
            // XXX ssl won't work with ssl_verify_peer set to true, which is
            // the default in HTTP_Request2
            $this->request->setConfig('ssl_verify_peer', false);
        }
        return $this->request;

So even if it's configured to use SSL, it won't. Seems like the real problem might be in php-pear-HTTP-Request2, if the above comment is actually accurate for the currently shipped version.
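The CVE text above describes the missing CN/subjectAltName check, and the comment above shows the line that causes it: peer verification is switched off rather than being given a CA bundle to verify against. The following is an added example, not code from Services_Twitter or from this bug report, showing the vulnerable HTTP_Request2 configuration next to a hardened one and a small guard that rejects a request whose TLS verification has been disabled. It assumes PEAR HTTP_Request2 is installed; the endpoint URL, the CA bundle path and the helper function names are illustrative.

```php
<?php
// Added example (not Services_Twitter project code). Assumes PEAR HTTP_Request2
// is installed; the URL, CA bundle path and helper names are illustrative.
require_once 'HTTP/Request2.php';

// The flawed pattern from Services/Twitter.php: peer verification is switched
// off, so a valid certificate for any hostname is accepted (CVE-2011-5241).
function buildInsecureRequest($url)
{
    $request = new HTTP_Request2($url, HTTP_Request2::METHOD_GET);
    $request->setConfig('ssl_verify_peer', false); // vulnerable: any cert passes
    return $request;
}

// Hardened pattern: keep peer and hostname verification on and point the
// client at a CA bundle. In older HTTP_Request2 releases verification fails
// without 'ssl_cafile' or 'ssl_capath', which is what the "ssl won't work"
// comment in the original code was really missing.
function buildVerifiedRequest($url, $caBundle)
{
    $request = new HTTP_Request2($url, HTTP_Request2::METHOD_GET);
    $request->setConfig(array(
        'ssl_verify_peer' => true,      // chain must end at a trusted CA
        'ssl_verify_host' => true,      // CN / subjectAltName must match host
        'ssl_cafile'      => $caBundle, // trust anchors for the chain check
    ));
    return $request;
}

// Guard: refuse to send an https request whose TLS verification is disabled.
// Useful as a regression check in whatever wrapper owns the request object.
function assertTlsVerificationEnabled(HTTP_Request2 $request)
{
    if ($request->getUrl()->getScheme() !== 'https') {
        return; // nothing to verify on plain http
    }
    if (!$request->getConfig('ssl_verify_peer')
        || !$request->getConfig('ssl_verify_host')) {
        throw new RuntimeException(
            'TLS verification disabled for ' . $request->getUrl()
        );
    }
}

// Illustrative endpoint; the CA bundle path is the usual Fedora/RHEL location
// (assumption, adjust for your system).
$url      = 'https://api.twitter.com/1/statuses/public_timeline.json';
$caBundle = '/etc/pki/tls/certs/ca-bundle.crt';

try {
    assertTlsVerificationEnabled(buildInsecureRequest($url));
} catch (RuntimeException $e) {
    echo "insecure config rejected: ", $e->getMessage(), "\n";
}

// The hardened request passes the guard and can be sent normally.
assertTlsVerificationEnabled(buildVerifiedRequest($url, $caBundle));
echo "verified config accepted\n";
```

The guard only inspects the client's own configuration, so it catches the "disable verification to make it work" shortcut at the point where the request is built; it does not replace testing against a server that presents a certificate for the wrong hostname, which is the check that actually exercises the CN/subjectAltName comparison.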
Created php-pear-Services-Twitter tracking bugs for this issue:

Affects: fedora-all [bug 873907]
Affects: epel-6 [bug 873908]
Sorry, this should be 2011, not 2012.