[Security: low] CAS 3.0 Logout does not validate redirect URL
Affected version
Version: 2.0.4
Summary
When logging out with /cas/logout?service=URL, the URL parameter is not validated.
See https://cwe.mitre.org/data/definitions/601.html for the reason why this is an issue.
Additionally, the CAS specification recommends validating this parameter: https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#231-parameters
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t is a way to reproduce the issue, since the target URL it uses isn't declared anywhere but accepted anyway.
CAS 2.0 does not have this issue since its url parameter is validated by controlUrl.
Possible fixes
We should run the target service= URL through isTrustedUrl.
However, implementing this behavior would cause regressions for users who are currently using the CAS issuer without application access control, or who are sending users to some generic logout page.
Since disabling application access control already puts all LLNG users at risk of arbitrary redirects (through /cas/login), it would make sense from a compatibility point of view to not do this proposed check if users have disabled application access controls on CAS.
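As an added illustration of the check proposed above (example code, not LemonLDAP::NG's isTrustedUrl or any other LLNG code): the function takes a constructed list of declared CAS service URLs and an assumed access-control flag, accepts a service= target only when it matches a declared application by scheme, host and port, and stays permissive when access control is disabled, as the compatibility argument above suggests.

```python
from urllib.parse import urlsplit

# Constructed sample of declared CAS applications; in LLNG these would come
# from the CAS application configuration, not from a literal list.
DECLARED_SERVICES = [
    "https://app.example.org/",
    "http://intranet.example.org:8080/portal",
]


def normalized_origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, or None when
    the value cannot be a safe redirect target (relative or scheme-relative
    URL, non-http scheme, embedded userinfo, unparsable port)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric/out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # 'https://app.example.org@evil.example.net/' has hostname evil.example.net;
    # reject any userinfo outright so a lenient comparison cannot be fooled.
    if parts.username is not None or parts.password is not None:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def trusted_logout_target(service, declared_services, access_control_enabled=True):
    """Decide whether /cas/logout may redirect to `service` (CWE-601 check).

    With application access control enabled, the target must share scheme,
    host and port with a declared application (path is deliberately ignored).
    With it disabled, the current permissive behaviour is kept, mirroring the
    compatibility trade-off discussed in the issue."""
    if not service:
        return False
    if not access_control_enabled:
        return True
    target = normalized_origin(service)
    if target is None:
        return False
    return any(target == normalized_origin(s) for s in declared_services)


if __name__ == "__main__":
    for candidate in ("https://app.example.org/bye", "https://evil.example.net/"):
        print(candidate, trusted_logout_target(candidate, DECLARED_SERVICES))
```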