mod_auth_openid before 0.7 for Apache uses world-readable permissions for /tmp/mod_auth_openid.db, which allows local users to obtain session ids.
archives.neohapsis.com/archives/fulldisclosure/2012-05/0235.html
packetstormsecurity.org/files/112991/Mod_Auth_OpenID-Session-Stealing.html
secunia.com/advisories/49247
www.exploit-db.com/exploits/18917
www.mandriva.com/security/advisories?name=MDVSA-2012:114
www.osvdb.org/82139
www.securityfocus.com/bid/53661
exchange.xforce.ibmcloud.com/vulnerabilities/75813
github.com/bmuller/mod_auth_openid/blob/master/ChangeLog
github.com/bmuller/mod_auth_openid/pull/30