Shibboleth acting as open redirect

Robert Bradley robert.bradley at it.ox.ac.uk
Thu Oct 10 08:11:02 EDT 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/10/2019 11:39, Max Spicer wrote:
| Hi,
|
| It's come to my attention that our Shibboleth installation is
| acting as an open redirect via the Logout endpoint. For example,
| https://www.york.ac.uk/Shibboleth.sso/Logout?return=https://news.bbc.co.uk
|
| This could be used in phishing attacks to impersonate our domain.
|
| Is this behaviour standard, or is it a mis-configuration on our
| part? How should we best mitigate this? One option might be to
| simply disable this endpoint.
|

The short answer is possibly both: it's both the standard/default
behaviour, and a potential mis-configuration depending on your point
of view.  On version 2.5 of the SP and above, adding
redirectLimit="exact" to the <Sessions/> element will mitigate the
open redirect issue without needing to restart the Shibboleth
daemon/service, with the full set of options documented at:

https://wiki.shibboleth.net/confluence/display/SP3/Sessions
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions

Earlier versions lack support for this attribute, and will always
perform open redirects.  That said, if your version of the SP software
does not recognise the redirectLimit attribute, you'll want to upgrade
in any case.

- -- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEgF3NFfO9FqlA+ME+lGGnynav474FAl2fH8oACgkQlGGnynav
4776OA/+IyiOOTUyrnEP/iMgqBdPI1RszQCPXD+cQctRex7W54oTdAOYTEjTPpS6
FP7JnCazIqvr3NgwsiCO8OekL2tTbgsCFBYu9APZuahBXW4fKus02fUzHYwq2OUM
iCo2QVXvb1eNrn7InJvysSEc+2Eb9jMJ+uIChKYibdoHqdBqvn0CyW4FH/H6UX+X
NhX5wQIzb5i1N+NpURSYO4QHvebpNyKN/axa6GyPa6ZktbrJirBSKXXfY4AZwB9g
ms5dmJdHW+4PnSYmSdEq+w84w+ye2KBjBe7krJFMhqeLB3sos/bpML6zNWQo5yFf
U7MXbpAg91YLBajlrpfcouQGYmPwThqZ7gfOawoRone4P1zuy89acHBoEkjiiP/a
eT9+I+oQ4iJB9v8yjLo1ZaRto9mCCGu2iCSl0ZgqRGoRJgzy3aqi2Rnp5wM67Hwu
UxeAKeXO3QNLUQeOLBkpcUjYS/G9bFuy+0qKuKnnQYuorm0mvm6bFJQ8c4gOGGwV
7y1mCO8RxlYBqp8VvhbEllZ4WXVTzj0aOYFvdSs+/E5YC3B+aN5Tfny0ZZ8FIBJK
vQHaoarZA3OGOUUXHrZKvGOWYC6eALbq2S8WcYxbj5rytPT+UJjplX4BZZcM7Cn5
3za8xio2zFEwFNrPksfpIQA9JnxuujypwO0bdF2CgAdQWv32t5g=
=bxEq
-----END PGP SIGNATURE-----
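The <Sessions/> change described above, shown as a before/after fragment of shibboleth2.xml. This is an added illustration, not configuration from the original message or from the Shibboleth project; the hostnames, lifetimes and handler paths are assumptions chosen to match the example in the thread, and the "exact+allow"/redirectAllow variant (SP3 naming; SP 2.5/2.6 used "exact+whitelist"/redirectWhitelist) is included on the basis of the linked Sessions documentation and should be checked against the version actually deployed.

```xml
<!-- Added example, not from the original post or the Shibboleth project.
     Excerpt of shibboleth2.xml; only the <Sessions> element is shown. -->

<!-- BEFORE: SP 2.5+ default. redirectLimit is absent, which is equivalent
     to redirectLimit="none", so /Shibboleth.sso/Logout?return=... (and the
     other handlers that honour a "target"/"return" parameter) will 302 to
     any URL the caller supplies. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">
    <SSO entityID="https://idp.example.ac.uk/idp/shibboleth">
      SAML2
    </SSO>
    <Logout>SAML2 Local</Logout>
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>

<!-- AFTER: redirectLimit="exact" restricts post-logout (and other handler)
     redirects to the same scheme://host:port as the request that reached
     the SP. An off-site return= value is rejected with an SP error page
     instead of a 302. shibd picks the attribute up on its normal config
     reload, so no service restart is required. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https"
          redirectLimit="exact">
    <SSO entityID="https://idp.example.ac.uk/idp/shibboleth">
      SAML2
    </SSO>
    <Logout>SAML2 Local</Logout>
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>

<!-- VARIANT (assumed SP3 attribute names; verify against the linked docs):
     if a legitimate off-host landing page is needed after logout, keep the
     "exact" rule and add an explicit allow-list of URL prefixes rather than
     falling back to "none". Entries are space-separated prefixes. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https"
          redirectLimit="exact+allow"
          redirectAllow="https://sso.example.ac.uk/ https://portal.example.ac.uk/logged-out">
    <SSO entityID="https://idp.example.ac.uk/idp/shibboleth">
      SAML2
    </SSO>
    <Logout>SAML2 Local</Logout>
</Sessions>
```

To confirm the change took effect, request the Logout handler with a return= value on a foreign host (as in the example URL in the thread) and check the response: with the default, the SP answers 302 with a Location header pointing at the foreign host; with redirectLimit="exact" it should answer with an SP error page and no off-site Location. Check the same for any SessionInitiator target= parameter, since redirectLimit governs those handlers too.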

