Shibboleth acting as open redirect
Max Spicer
max.spicer at york.ac.uk
Thu Oct 10 10:56:21 EDT 2019
Thanks, both!
On Thu, 10 Oct 2019 at 13:11, Robert Bradley <robert.bradley at it.ox.ac.uk> wrote:
> On 10/10/2019 11:39, Max Spicer wrote:
> | Hi,
> |
> | It's come to my attention that our Shibboleth installation is
> | acting as an open redirect via the Logout endpoint. For example,
> | https://www.york.ac.uk/Shibboleth.sso/Logout?return=https://news.bbc.co.uk
> |
> | This could be used in phishing attacks to impersonate our domain.
> |
> | Is this behaviour standard, or is it a mis-configuration on our
> | part? How should we best mitigate this? One option might be to
> | simply disable this endpoint.
> |
>
> The short answer is possibly both: it's both the standard/default
> behaviour, and a potential mis-configuration depending on your point
> of view. On version 2.5 of the SP and above, adding
> redirectLimit="exact" to the <Sessions/> element will mitigate the
> open redirect issue without needing to restart the Shibboleth
> daemon/service, with the full set of options documented at:
>
> https://wiki.shibboleth.net/confluence/display/SP3/Sessions
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions
>
> Earlier versions lack support for this attribute, and will always
> perform open redirects. That said, if your version of the SP software
> does not recognise the redirectLimit attribute, you'll want to upgrade
> in any case.
>
> --
> Dr Robert Bradley
> Identity and Access Management Team, IT Services, University of Oxford
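The redirectLimit behaviour Robert describes, modelled below as an added Python example so the reported Logout URL can be evaluated offline against each setting. This is not Shibboleth SP code: the function names, the treatment of relative targets as always allowed, and the normalisation of default ports are this example's own assumptions, while the set of limit values (none, exact, host, whitelist and the two combined forms) follows the NativeSPSessions documentation linked in the thread.

```python
"""Offline model of the Shibboleth SP redirectLimit policy for the Logout endpoint.

Added illustration, not Shibboleth SP code. It implements the documented meaning
of each redirectLimit value as a plain function so that a return= parameter can
be checked against a given setting without touching a live SP.
"""
from urllib.parse import urlsplit, parse_qs

# Default ports so that "https://host" and "https://host:443" compare equal
# (normalisation chosen for this model).
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def redirect_allowed(target, request_url, limit="none", whitelist=()):
    """Decide whether `target` may be followed under the given redirectLimit.

    Values modelled (documented for SP 2.5 and later):
      none             any target is followed (the default: an open redirect)
      exact            scheme, host and port must equal those of the request
      host             host must equal that of the request
      whitelist        target must start with one of the configured prefixes
      exact+whitelist  exact OR whitelist
      host+whitelist   host OR whitelist
    Relative targets (no scheme and no host) stay on the SP itself and are
    always allowed; that is an assumption of this model.
    """
    if limit == "none":
        return True
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return True
    t_origin = _origin(target)
    r_origin = _origin(request_url)
    checks = {
        "exact": lambda: t_origin == r_origin,
        "host": lambda: t_origin[1] == r_origin[1],
        "whitelist": lambda: any(target.startswith(p) for p in whitelist),
    }
    components = limit.split("+")
    for component in components:
        if component not in checks:
            raise ValueError("unknown redirectLimit value: %r" % limit)
    # Combined forms ("exact+whitelist") pass if either component passes.
    return any(checks[component]() for component in components)


def logout_return_allowed(logout_url, limit="none", whitelist=()):
    """Extract return= from a Logout request URL and evaluate it under `limit`."""
    query = parse_qs(urlsplit(logout_url).query)
    target = query.get("return", [None])[0]
    if target is None:
        return True  # nothing to redirect to; the SP shows its own logout page
    return redirect_allowed(target, logout_url, limit, whitelist)


# The URL reported in the thread.
REPORTED = "https://www.york.ac.uk/Shibboleth.sso/Logout?return=https://news.bbc.co.uk"

if __name__ == "__main__":
    for limit in ("none", "exact", "host", "exact+whitelist"):
        allowed = logout_return_allowed(
            REPORTED, limit, whitelist=("https://www.york.ac.uk/",))
        print("redirectLimit=%-16s -> %s" % (limit, "followed" if allowed else "refused"))
```

The setting that matters lives on the Sessions element of shibboleth2.xml, where redirectLimit="exact" refuses the reported target while still allowing returns to the SP's own scheme, host and port; a deployment that genuinely needs to send users to a sibling host after logout would use host or one of the whitelist forms instead, and both are worth re-checking with a request like the one above after the change.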