LemonLDAP NG / lemonldap-ng / Issues / #2477
Closed
Issue created Feb 27, 2021 by Andreas Deschka (@adeschka)

[security:low] Wildcard in virtualhost allows being redirected to untrusted domains

One of our users has reported to us the following security problem, which could be used for phishing.

In LemonLDAP 2.0.10, when you create a virtual host with a wildcard, for example *.subdomain.local.test, an attacker can forward users to any domain by using specially designed URLs.

Target URL: https://google.com#abc.subdomain.local.test/ (The slash at the end is important.)

Base64 encoded: aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=

URL the user clicks on (it looks safe to use): https://myportal.local.test/url=aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=

The user is then redirected to https://google.com#abc.subdomain.local.test

I checked whether CDA is also affected, but from what I saw, it seems not to be. (We do not have it activated anyway.) The following line always rejects correctly: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CDA.pm#L29

I have no problem with publishing this issue, if you do not have anything against it.

I used Chrome version 88.0.4324.192 for testing.
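The check that closes this class of bug, as an added example (not LemonLDAP::NG's own code): parse the redirect target, take the hostname, and compare only that against the configured wildcard virtual hosts, so nothing placed in the fragment or path can satisfy the match. The TRUSTED_HOSTS list and the one-label wildcard semantics are assumptions; the base64 value is the one from the report above.

```python
import base64
from urllib.parse import urlsplit

# Constructed configuration: the wildcard virtual host from the report plus the portal itself.
TRUSTED_HOSTS = ["*.subdomain.local.test", "myportal.local.test"]


def host_matches(host, pattern):
    """Exact match, or a wildcard match where '*' stands for exactly one DNS label (assumed semantics)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                      # ".subdomain.local.test"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label   # one non-empty label, no deeper subdomains


def is_trusted_redirect(url, patterns=TRUSTED_HOSTS):
    """Accept only absolute http(s) URLs whose parsed hostname is a trusted host.

    The decision uses the parsed hostname, never a substring search over the raw
    URL, so text in the fragment, path or query (e.g. '#abc.subdomain.local.test/')
    cannot influence it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname                     # userinfo and port stripped, lowercased
    if not host:
        return False
    return any(host_matches(host, p) for p in patterns)


def check_encoded_param(encoded):
    """Decode a base64 'url' parameter like the one in the reported link and validate it."""
    try:
        url = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None, False
    return url, is_trusted_redirect(url)


if __name__ == "__main__":
    reported = "aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8="
    print(check_encoded_param(reported))      # ('https://google.com#abc.subdomain.local.test/', False)
    print(is_trusted_redirect("https://abc.subdomain.local.test/"))  # True
```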

Edited Jun 24, 2021 by Clément OUDOT