GitLab: LemonLDAP NG / lemonldap-ng / Issues / #1795

Closed
Created Jun 11, 2019 by Maxime Besson (@maxbes, Maintainer)

[Security: low] CAS 3.0 Logout does not validate redirect URL

Affected version

Version: 2.0.4

Summary

When logging out via /cas/logout?service=URL, the value of the service parameter is not validated before the user is redirected to it.

See CWE-601, URL Redirection to Untrusted Site ("Open Redirect"), for why this is an issue: https://cwe.mitre.org/data/definitions/601.html

Additionally, the CAS specification recommends validating this parameter: https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#231-parameters

lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t is a way to reproduce the issue: the target URL it uses isn't declared anywhere, but is accepted anyway.

CAS 2.0 logout does not have this issue, since its url parameter is validated by controlUrl.

Possible fixes

We should run the target service= URL through isTrustedUrl.

However, implementing this behavior would cause regressions for users who are currently using the CAS issuer without application access control, or who are sending users to some generic logout page.

Since disabling application access control already puts all LLNG users at risk of arbitrary redirects (through /cas/login), it would make sense, from a compatibility point of view, to skip this proposed check when application access control has been disabled for CAS.

Edited Jun 11, 2019 by Yadd
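The check the report proposes, as an added example written for this page; it is not LemonLDAP::NG code and does not reproduce isTrustedUrl or controlUrl. It contrasts the reported behaviour (the service URL is followed as-is) with a hardened logout that only follows URLs pointing at a declared application, and models the compatibility carve-out suggested above for deployments that have disabled CAS application access control. The host names, the portal URL, the configuration flag and the host-based trust rule are assumptions of this example.

```python
"""Trusted-URL check for the CAS logout service= parameter (illustrative)."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample configuration (assumption): applications the SSO knows about.
TRUSTED_HOSTS = frozenset({"app1.example.com", "app2.example.com"})
# Where to send the browser when the requested service is not trusted (assumption).
PORTAL_URL = "https://auth.example.com/"


def is_trusted_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return True only for an absolute http(s) URL whose host is a declared app.

    Exact host matching: suffix or substring matching ("app1.example.com.evil")
    is the classic CWE-601 bypass. URLs carrying userinfo or a backslash in the
    authority are rejected outright, because browsers and URL parsers disagree
    on where the host ends in "https://a@b" and "https://a\\@b".
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # also rejects javascript:, data: and scheme-relative "//evil/"
    if "@" in parts.netloc or "\\" in parts.netloc:
        return False
    host = parts.hostname  # lower-cased, port stripped
    return bool(host) and host in trusted_hosts


def logout_redirect_unchecked(service):
    """Reported CAS 3.0 logout behaviour: whatever service URL was given is followed."""
    return service or PORTAL_URL


def logout_redirect(service, access_control_enabled=True, trusted_hosts=TRUSTED_HOSTS):
    """Proposed behaviour: follow service only if it passes the trust check.

    When CAS application access control is disabled the check is skipped, as the
    report argues for compatibility (such a deployment already allows arbitrary
    redirects through /cas/login). Untrusted targets fall back to the portal.
    """
    if not service:
        return PORTAL_URL
    if not access_control_enabled or is_trusted_url(service, trusted_hosts):
        return service
    return PORTAL_URL


def handle_logout(request_uri, access_control_enabled=True):
    """Model of GET /cas/logout?service=URL: extract service and decide the target."""
    service = parse_qs(urlsplit(request_uri).query).get("service", [None])[0]
    return logout_redirect(service, access_control_enabled)


if __name__ == "__main__":
    # Constructed requests: a declared app, an attacker host, a userinfo trick, no service.
    for uri in ("/cas/logout?service=https://app1.example.com/",
                "/cas/logout?service=https://evil.example/",
                "/cas/logout?service=https://app1.example.com@evil.example/",
                "/cas/logout"):
        print(f"{uri}\n  checked:   {handle_logout(uri)}"
              f"\n  unchecked: {handle_logout(uri, access_control_enabled=False)}")
```

The unchecked path is what the test file named in the report exercises: a service URL that is declared nowhere is still followed. With the check in place the same request lands on the portal instead, while a deployment that has switched off application access control keeps the old behaviour.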