Shibboleth acting as open redirect
Max Spicer
max.spicer at york.ac.uk
Thu Oct 10 07:39:00 EDT 2019
Hi,
It's come to my attention that our Shibboleth installation is acting as an
open redirect via the Logout endpoint. For example,
https://www.york.ac.uk/Shibboleth.sso/Logout?return=https://news.bbc.co.uk
This could be used in phishing attacks to impersonate our domain.
Is this behaviour standard, or is it a mis-configuration on our part? How
should we best mitigate this? One option might be to simply disable this
endpoint.
Thanks,
Max Spicer
--
Max Spicer - Identity Systems Developer
Enterprise Systems Group, IT Services, University of York
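The Shibboleth SP exposes a `redirectLimit` attribute on the `<Sessions>` element of shibboleth2.xml that restricts where the `return` and `target` parameters of handlers such as Logout may point. The excerpt below is an added illustration, not the original post's or the University of York's configuration; the session attributes, hostnames and the second allow-list prefix are assumed for the example.

```xml
<!-- Weak setting: no limit, so /Shibboleth.sso/Logout?return=... may send
     the browser to any URL (the open-redirect behaviour described above). -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https"
          redirectLimit="none">
    <Logout>SAML2 Local</Logout>
</Sessions>

<!-- Hardened setting: return targets must sit on the SP's own base URL.
     "host" allows the same hostname regardless of scheme/port, and
     "exact+whitelist" with redirectWhitelist admits additional trusted
     URL prefixes (space-separated). Prefixes are assumed for illustration. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https"
          redirectLimit="exact+whitelist"
          redirectWhitelist="https://www.york.ac.uk/ https://sso.example.org/">
    <Logout>SAML2 Local</Logout>
</Sessions>
```

With a limit in place a request whose `return` value falls outside the permitted set is rejected by the SP rather than redirected, so the Logout endpoint can stay enabled.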