Описание
The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect
Impact
An open redirect vulnerability has been found in oauth2_proxy. Anyone who uses oauth2_proxy may potentially be impacted.
For a context [detectify] have an in depth blog post about the potential impact of an open redirect. Particularly see the OAuth section.
tl;dr: People's authentication tokens could be silently harvested by an attacker. e.g:
facebook.com/oauth.php?clientid=123&state=abc&redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/
Patches
@sauyon found the issue, and has submitted a patch.
This patch will be applied to the next release, which is scheduled for when this is publicly disclosed.
Workarounds
At this stage there is no work around.
Ссылки
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv
- https://nvd.nist.gov/vuln/detail/CVE-2020-5233
- https://github.com/oauth2-proxy/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2
- https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect
- https://github.com/oauth2-proxy/oauth2_proxy/releases/tag/v5.0.0
Пакеты
github.com/oauth2-proxy/oauth2-proxy
< 5.0.0
5.0.0
Связанные уязвимости
OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.
OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentica ...