-
Notifications
You must be signed in to change notification settings - Fork 181
Open Redirection issue #35
Comments
Hi @garudlaksha1, did you find a way to solve, or work around this issue? |
/logout?ReturnTo= is also open. |
@gurtzoo: Logout should have been addressed at the same time as login, in commit 9d28908. It is handled by this piece of code: https://github.com/Uninett/mod_auth_mellon/blob/v0.14.1/auth_mellon_handler.c#L891-L897 Are you still seeing this issue when you set the |
Hi, Configure in the Location /mellon the trying result, we go to the http://www.malicious.com site! |
@gurtzoo: Thank you for providing a more details! Using your directions I was able to reproduce the issue locally, and have a fix ready. We would like to credit you for discovering this vulnerability -- what name would you prefer we use? You GitHub profile is a bit sparse 🙂 |
Hi, i have updated my profile name! |
@gurtzoo: Thanks! The fix is not available quite yet. I am wrapping up the details for publishing a security update of mod_auth_mellon; I hope to get everything in place now, but it may not be ready until tomorrow morning. |
@gurtzoo: I have now released version 0.14.2 which includes a fix for this vulnerability. The commit that fixes the vulnerability is 6204142. |
Hi @olavmrk , trying result, we go to the http://www.malicious.com site! Discovered by https://github.com/awakenine |
thank you for letting us know about this issue! This is the third time that we have seen an issue due to a mismatch between how For the previous fixes, we could work around it by blacklisting characters in the URL, but I don't see how to do something similar to solve this issue. This means that a more complicated fix will be necessary to solve this problem, which requires more work. Unfortunately other tasks here at Uninett needs to take priority, so I don't have time to look at this issue until mid-August at the earliest. |
This was assigned CVE-2019-13038. |
I've investigated a bit. Absense of "//" for apr_uri_parse means that URI is in format [scheme]:[path] e.g.
You can add one more condition under the line mod_auth_mellon/auth_mellon_util.c Line 118 in 5c29028
/* http and https schemes without hostname are invalid. */
if (!uri.hostname) {
return HTTP_BAD_REQUEST;
} I created pull request with this fix. After that you can also remove previous backslash check as it is no longer required. |
I can confirm that @awakenine 's fix works. I also can't think of a reason to accept a ReturnTo argument that contains a scheme but no hostname in the URI, but maybe others could. If there is no use-case for such argument, I would vote for merging the patch. OTOH, I don't completely agree with removal of the backslash check. Maybe my knowledge of the codebase is still not so deep, but it appears that the backslash check is sort of orthogonal to the parsing and moreover At the very least, the commit message of the patch that touches |
@jhrozek, thank you for your comment. As I understand from this conversation backslash check was introduced as a fix to previous bypass. Now, it should be covered with hostname check because
Please let me know if you can bypass that. |
Closing this issue as part of archiving this project. See the announcement for details: https://github.com/Uninett/mod_auth_mellon/blob/info/README.md |
Hello,
In IDP initiated login for Mellon, ReturnTo parameter could be really anything and that gets added as relayState. Once assertion is consumed, mellon redirects to relayState arbitrarily. This leads to Open Redirect security issue. Ideally, redirection code should check if its in same domain. Can this be tracked?
For example,
https://host/admin/auth/login?ReturnTo=https://www.google.com&IdP=
Will redirect to Google after successful assertion. This would also lead to Phishing kind of attack.
The text was updated successfully, but these errors were encountered: