[security:low] Wildcard in virtualhost allows being redirected to untrusted domains
One of our users has reported to us the following security problem, which could be used for phishing.
In Lemonldap 2.0.10, when you create a virtual host with a wildcard, for example *.subdomain.local.test, an attacker can forward users to any domain by using specially crafted URLs.
Target URL: https://google.com#abc.subdomain.local.test/
(The slash at the end is important.)
Base64 encoded: aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=
URL the user clicks on (looks like it is safe to use): https://myportal.local.test/url=aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=
The user will now be redirected to https://google.com#abc.subdomain.local.test
I checked if CDA is also affected, but from what I saw, it seems not to be. (We do not have it activated anyway.) The following line always rejects correctly: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CDA.pm#L29
I have no problem with publishing this issue, if you do not have anything against it.
I used Chrome version 88.0.4324.192 for testing.
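An added illustration (not part of the original report and not LemonLDAP::NG's own code) of why a wildcard virtual host has to be matched against the parsed hostname rather than the raw URL string. `naive_is_allowed` is an assumed reconstruction of the kind of check that fails: a wildcard turned into an unanchored regex that must end in a slash, which the `#` fragment lets the target URL satisfy exactly when the trailing slash is present. `safe_is_allowed` parses the URL first and compares only the hostname, so nothing after `#`, `?` or the path can influence the decision. The allowlist, function names and sample URLs are constructed for this example.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed allowlist: one exact virtual host and one wildcard, mirroring the
# report's *.subdomain.local.test example (assumption, not a real LemonLDAP config).
ALLOWED_VHOSTS = ["myportal.local.test", "*.subdomain.local.test"]


def decode_url_param(b64: str) -> str:
    """Decode the base64 'url' parameter carried in the portal link."""
    return base64.b64decode(b64).decode("utf-8")


def wildcard_regex(vhost: str) -> re.Pattern:
    """Assumed reconstruction of the weak check: turn '*' into '.*', require a
    trailing slash, and search the raw URL string without anchoring to the host."""
    return re.compile(re.escape(vhost).replace(r"\*", ".*") + "/")


def naive_is_allowed(url: str) -> bool:
    """Vulnerable variant: the pattern may match anywhere in the URL string.

    For 'https://google.com#abc.subdomain.local.test/' the '.*' swallows the real
    scheme, host and the '#' separator, so the fragment alone satisfies the wildcard.
    Without the trailing slash the regex does not match, which is why the slash matters."""
    return any(wildcard_regex(v).search(url) for v in ALLOWED_VHOSTS)


def hostname_matches(host: str, vhost: str) -> bool:
    """Compare a parsed hostname with one allowlist entry.

    '*.example' matches 'a.example' and 'a.b.example' but neither 'example' itself
    nor 'example.evil' (design choice: the wildcard only covers real subdomains)."""
    host, vhost = host.lower(), vhost.lower()
    if vhost.startswith("*."):
        suffix = vhost[1:]  # '.subdomain.local.test'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == vhost


def safe_is_allowed(url: str) -> bool:
    """Hardened variant: parse first, then compare only the hostname.

    urlsplit separates userinfo, port, path, query and fragment, so text after '#'
    (or after '?', or inside the path) never reaches the comparison. Only absolute
    http(s) URLs are accepted; scheme-relative '//host' forms are refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    return any(hostname_matches(host, v) for v in ALLOWED_VHOSTS)


def check_redirect(b64_param: str) -> dict:
    """Decode the portal's 'url' parameter and report both verdicts side by side."""
    url = decode_url_param(b64_param)
    return {
        "url": url,
        "naive_allows": naive_is_allowed(url),
        "safe_allows": safe_is_allowed(url),
    }


if __name__ == "__main__":
    # The base64 value from the report decodes to https://google.com#abc.subdomain.local.test/
    print(check_redirect("aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8="))
```

Running the module prints a dict in which `naive_allows` is `True` and `safe_allows` is `False` for the reported URL; the same hardened check still accepts `https://abc.subdomain.local.test/app` and rejects lookalike hosts such as `abc.subdomain.local.test.evil.test`.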