[security:low] open redirect in CAS gateway mode
Concerned version
Version: 2.0.13
Summary
- Enable CAS issuer
- Enable access control
- http://auth.example.com/cas/login?service=http://hacker.example.com/&gateway=true
This issue was reported by Netcraft to one of my customers, meaning that it is being used in the wild.
Logs
URL check missing in:
if ( $gateway and $gateway eq "true" ) {
    $self->logger->debug(
        "Gateway mode requested, redirect without authentication");
    $req->response( [ 302, [ Location => $service ], [] ] );
    for my $s ( $self->ipath, $self->ipath . 'Path' ) {
        $self->logger->debug("Removing $s from pdata")
          if delete $req->pdata->{$s};
    }
    return PE_SENDRESPONSE;
}
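Added illustration (not the project's own fix): the same gateway branch with the missing check in place, validating the service URL against a constructed allowlist of hosts before the 302 is sent. The `is_trusted_service` and `gateway_response` functions, the `%trusted_hosts` list and the plain-array response stand-ins for `$self`/`$req` are assumptions for this example; the `URI` CPAN module is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;

# Constructed allowlist of CAS service hosts (assumption: in a real portal this
# would come from the declared CAS applications in the configuration).
my %trusted_hosts = map { $_ => 1 } qw(app.example.com intranet.example.com);

# Return 1 only for an absolute http(s) URL whose host is in the allowlist.
# Anything else (relative URL, javascript: scheme, unknown host) is rejected.
sub is_trusted_service {
    my ($service) = @_;
    return 0 unless defined $service and length $service;
    my $uri = URI->new($service);
    return 0 unless $uri->scheme and $uri->scheme =~ /^https?$/;
    return 0 unless $uri->can('host') and defined $uri->host;
    return $trusted_hosts{ lc $uri->host } ? 1 : 0;
}

# Hardened gateway handling: same control flow as the reported snippet, but the
# redirect is only issued once the service URL has passed the check. Returns a
# PSGI-style [status, headers, body] triple (hypothetical stand-in for
# $req->response), or undef when gateway mode was not requested.
sub gateway_response {
    my ( $service, $gateway ) = @_;
    if ( $gateway and $gateway eq "true" ) {
        unless ( is_trusted_service($service) ) {
            # Untrusted target: refuse instead of redirecting the user there
            return [ 400, [ 'Content-Type' => 'text/plain' ],
                ['Untrusted service URL'] ];
        }
        return [ 302, [ Location => $service ], [] ];
    }
    return;    # not gateway mode: fall through to normal authentication
}

# Constructed sample inputs: trusted app, the attacker host from the report,
# and a non-http scheme.
for my $s ( 'http://app.example.com/', 'http://hacker.example.com/',
    'javascript:alert(1)' )
{
    my $r = gateway_response( $s, 'true' );
    printf "%-30s -> %d\n", $s, $r->[0];
}
```

Only the first URL receives a 302; the other two get a 400 instead of an open redirect.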
Edited by Yadd