Replies: 1 comment
-
https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L895-L903
-
Hi,
It seems there is an issue with the redirect URL validation.
If we use the URL: https://www.sample.com/redirect?logout=https://www.example.com/logout.html
the mod_auth_openidc plugin gives the correct error:
logout value "https://www.example.com" does not match the hostname of the current request "sample.com"
Validation works correctly.
But if the hacker starts using special characters, the user is redirected to the hijacked/wrong domain without any error message.
URL: https://www.sample.com/redirect?logout=%2f%5cexample.com%2fa%3fhttps%3a%2f%2fsample.com%2flogout.html
The user is redirected to: https://example.com
To me it seems that
https://github.com/zmartzone/mod_auth_openidc/blob/9d30ff7996b2042d70827fbf5b3f46f60149a7a0/src/mod_auth_openidc.c
line 2900, function oidc_validate_redirect_url, needs to return false for the above redirect URL.
Also, is there any alternative to a GET call where we specify the logout redirect URL for a logout?
Naman Jain
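The bypass in the post above relies on a parser mismatch: a server-side URL parser sees `/\example.com/a?...` as a relative path with no host, while browsers follow the WHATWG URL rules and treat a backslash like a forward slash, so `/\example.com` becomes the scheme-relative `//example.com` and the user lands on example.com. The following is an added example, written for this page and not code from mod_auth_openidc or its author: it decodes the `logout` parameter as a web server would, shows a naive hostname check accepting the payload, models where a browser would actually go, and then applies a hardened check that rejects the payload. The function names, `CURRENT_HOST`, and the sample query strings are constructed for illustration; the only real behaviour it depends on is that `urllib.parse.urlsplit` does not treat `\` as `/` while browsers do.

```python
"""Added example (not mod_auth_openidc's own code): a logout-redirect
hostname check bypassed by "/\\", beside a hardened version of the check.

Assumed for illustration: CURRENT_HOST, the helper names and the sample
query strings below are constructed; they are not from the discussion."""
from urllib.parse import parse_qs, urlsplit

CURRENT_HOST = "sample.com"   # constructed: hostname of the protected site
ALLOWED_SCHEMES = ("http", "https")


def decode_logout_param(query_string: str) -> str:
    """Percent-decode the logout= parameter the way a web server does."""
    return parse_qs(query_string).get("logout", [""])[0]


def _host_matches(host: str, current_host: str) -> bool:
    return host == current_host or host.endswith("." + current_host)


def naive_validate(redirect_url: str, current_host: str = CURRENT_HOST) -> bool:
    """Check only the hostname of absolute URLs; accept anything that the
    server-side parser reports as a relative path (no scheme, no netloc)."""
    parts = urlsplit(redirect_url)
    if parts.scheme or parts.netloc:
        return _host_matches(parts.hostname or "", current_host)
    return True   # looks relative to urlsplit -> accepted; this is the hole


def browser_resolves_to(redirect_url: str, current_host: str = CURRENT_HOST) -> str:
    """Approximate the host a browser navigates to for a Location value.

    Models the WHATWG rule that '\\' is treated as '/' for http(s) URLs, so a
    value starting with '//' or '/\\' is scheme-relative and supplies its own
    host instead of inheriting the current site's host."""
    parts = urlsplit(redirect_url.replace("\\", "/"))
    if parts.netloc:
        return parts.hostname or ""
    return current_host


def hardened_validate(redirect_url: str, current_host: str = CURRENT_HOST) -> bool:
    """Reject every form a browser could re-interpret, then check the host."""
    # Backslashes, control characters and whitespace are what browsers
    # normalise away or reinterpret; refuse them outright.
    if any(c == "\\" or ord(c) < 0x20 or ord(c) == 0x7F or c.isspace()
           for c in redirect_url):
        return False
    # Scheme-relative values carry their own host: refuse.
    if redirect_url.startswith(("//", "/\\")):
        return False
    parts = urlsplit(redirect_url)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s), and the host must be ours. A value like
        # "https:example.com" has a scheme but no netloc here, yet a browser
        # would still go to example.com, so the empty host fails the match.
        if parts.scheme not in ALLOWED_SCHEMES:
            return False
        return _host_matches(parts.hostname or "", current_host)
    # Relative: require an absolute path on this site, nothing else.
    return redirect_url.startswith("/")


if __name__ == "__main__":
    # Constructed query strings: the benign absolute URL, the "/\\" payload,
    # and a plain relative path.
    for qs in (
        "logout=https%3a%2f%2fwww.example.com%2flogout.html",
        "logout=%2f%5cexample.com%2fa%3fhttps%3a%2f%2fsample.com%2flogout.html",
        "logout=%2flogout.html",
    ):
        value = decode_logout_param(qs)
        print(f"{value!r}\n  naive={naive_validate(value)} "
              f"browser->{browser_resolves_to(value)} "
              f"hardened={hardened_validate(value)}")
```

Run it as a script to see the three cases side by side; the payload from the post is the one where the naive check says yes, the browser goes to example.com, and the hardened check says no. The hardened version is deliberately stricter than a hostname comparison: anything a browser might normalise (backslash, tab, newline) is refused rather than normalised, because the safe move is to match the browser's view of the URL, not to guess it.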