Replies: 1 comment
https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L895-L903
Hi,
It seems there is an issue with the redirect URL validation.
If we use the URL: https://www.sample.com/redirect?logout=https://www.example.com/logout.html
the mod_auth_openidc plugin gives the correct error:
logout value "https://www.example.com" does not match the hostname of the current request "sample.com"
Validation works correctly.
But if the hacker starts using special , the user is redirected to the hijacked/wrong domain without any error message.
URL: https://www.sample.com/redirect?logout=%2f%5cexample.com%2fa%3fhttps%3a%2f%2fsample.com%2flogout.html
User is redirected to: https://example.com
To me it seems like
https://github.com/zmartzone/mod_auth_openidc/blob/9d30ff7996b2042d70827fbf5b3f46f60149a7a0/src/mod_auth_openidc.c
line 2900, function oidc_validate_redirect_url, needs to return false for the above redirect URL.
Also, is there any alternative to a GET call where we specify the logout redirect URL for a logout?
Naman Jain
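Added here as a defender's illustration, not mod_auth_openidc's own code: a hypothetical `is_safe_logout_redirect(raw_url, request_host)` that percent-decodes and normalises backslashes the way a browser does before checking the host, so the encoded `/\host` value from the post above is rejected while same-host URLs and plain paths are still accepted.

```python
from urllib.parse import unquote, urlsplit


def is_safe_logout_redirect(raw_url: str, request_host: str) -> bool:
    """Return True only if raw_url stays on request_host.

    Hypothetical validator written for this discussion. The bypass shown
    above works because '/\\example.com/...' looks like a relative path to a
    naive parser, but browsers treat a leading '/\\' exactly like '//' and
    navigate to example.com. So we decode and normalise before deciding.
    """
    # Apache hands the module the raw query value; decode it once, as a
    # browser would, so %2f%5c becomes '/\'.
    url = unquote(raw_url)
    # Browsers rewrite backslashes to forward slashes for http(s) URLs.
    normalised = url.replace("\\", "/")
    # Control characters and whitespace only ever help parser confusion.
    if any(ord(c) < 0x21 for c in normalised):
        return False
    # Any scheme-less value starting with '//' (or '///', which browsers
    # also collapse to an authority) is a network-path reference: off-site.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: only http(s), and the host must match exactly.
        # hostname (not netloc) ignores userinfo such as 'sample.com@evil'.
        if parts.scheme not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() == request_host.lower()
    # Scheme-less: allow only a plain absolute path on the current host.
    return not parts.netloc and normalised.startswith("/")
```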