LemonLDAP NG / lemonldap-ng / Issues / #2535
Closed
Issue created Jun 03, 2021 by Maxime Besson (@maxbes), Maintainer

[security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application

Affected version

Version: 2.0.11

Summary

  • Configure a CDA vhost (cda.example.com)
  • Let attack_url = base64(http://your-untrusted-domain.com/?attack=http://cda.example.com)
  • Trick your target into opening http://auth.lemontest.lxd/?url=attack_url
  • The user is redirected to http://your-untrusted-domain.com/?attack=http://cda.example.com&lemonldapcda=CDA_CODE
  • You may now log in to http://cda.example.com?lemonldapcda=CDA_CODE as the target user

Example: http://auth.example.com/?url=aHR0cDovL3BlcmR1LmNvbS8/ZmFrZT1odHRwOi8vY2RhLmV4YW1wbGUuY29tLw==

Possible fixes

The trustedDomainsRe is missing a leading ^; this is also the case in !185 (merged).

Because the pattern is not anchored, it matches a trusted domain appearing anywhere in the URL (for example inside the query string), so trustedDomainsRe is easily bypassed. CDA is the feature where this mistake has the worst impact, since the leaked lemonldapcda code grants the target's session.
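To make the anchoring problem concrete, here is an added Python illustration (not LemonLDAP::NG code, which is Perl): a simplified reconstruction of a trustedDomainsRe-style pattern with and without the leading ^, run over constructed redirect targets including the shape described above, beside a parse-and-compare check that does not depend on regex anchoring at all. The trusted-domain list, the exact pattern body and the sample URLs are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed trusted-domain list; in LemonLDAP::NG the real list comes from
# the trustedDomains setting and the configured virtual hosts.
TRUSTED_DOMAINS = ["cda.example.com", "auth.example.com"]


def build_trusted_re(anchored: bool) -> re.Pattern:
    """Simplified reconstruction of a trustedDomainsRe-style pattern.
    Assumption: the project's pattern differs in detail; the only thing
    demonstrated here is the effect of the leading '^'."""
    alternatives = "|".join(re.escape(d) for d in TRUSTED_DOMAINS)
    pattern = rf"https?://(?:{alternatives})(?::\d+)?(?:[/?#]|$)"
    return re.compile(("^" if anchored else "") + pattern)


UNANCHORED_RE = build_trusted_re(anchored=False)  # the behaviour reported above
ANCHORED_RE = build_trusted_re(anchored=True)     # with the missing '^' added


def is_trusted_url_regex(url: str, regex: re.Pattern) -> bool:
    # Perl's `$url =~ $re` is an unanchored search, like re.search here.
    return regex.search(url) is not None


def is_trusted_url_parsed(url: str) -> bool:
    """Alternative check: parse the URL and compare the host exactly, so a
    trusted name inside the path or query string cannot satisfy the check."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in TRUSTED_DOMAINS


# Constructed sample redirect targets with the verdict a correct check gives.
# The first has the shape from the report: the trusted host only appears
# inside the query string of an untrusted URL.
SAMPLES = {
    "http://your-untrusted-domain.com/?attack=http://cda.example.com": False,
    "http://evil.example/http://cda.example.com/": False,
    "http://cda.example.com.evil.example/": False,
    "http://cda.example.com/": True,
    "https://cda.example.com:8443/app?x=1": True,
}


def evaluate(check) -> dict:
    """Run one check over every sample; compare the result with SAMPLES."""
    return {url: check(url) for url in SAMPLES}
```

With the unanchored pattern the first two samples are wrongly accepted; the anchored pattern and the parse-based check both agree with the expected verdicts.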

Edited Jun 24, 2021 by Clément OUDOT