Impact
It has been discovered that oidc_validate_redirect_url() does not parse URLs the same way as most browsers do. As a result, this function can be bypassed (e.g. with https://a.com\@b.com/) and leads to an Open Redirect vulnerability in the logout functionality.
Patches
This bug has been fixed by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG).
Workarounds
If you can't upgrade to mod_auth_openidc 2.4.9, this vulnerability can be mitigated by configuring mod_auth_openidc to only allow redirection whose destination matches a given regular expression (https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L916-L924).
References
For more information
If you have any questions or comments about this advisory, you can contact:
- The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
- The maintainers, by opening an issue on this repository.
thomas-chauchefoin-sonarsource Analyst
Impact
It has been discovered that
oidc_validate_redirect_url()does not parse URLs the same way as most browsers do. As a result, this function can be bypassed (e.g. withhttps://a.com\@b.com/) and leads to an Open Redirect vulnerability in the logout functionality.Patches
This bug has been fixed by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG).
Workarounds
If you can't upgrade to
mod_auth_openidc2.4.9, this vulnerability can be mitigated by configuringmod_auth_openidcto only allow redirection whose destination matches a given regular expression (https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L916-L924).References
For more information
If you have any questions or comments about this advisory, you can contact: