Shibboleth SP Unvalidated Redirect?


bmontgomery

A recent security scan pointed out that one could create a link to the Shibboleth SP's /Login endpoint and set a URL into the "target" parameter on the query string, and once authentication is performed, the user is redirected to the location specified in the "target" regardless of where that URL is. 

For example, one could create a link to the following URL: https://.../Shibboleth.sso/Login?entityID=...&target=http://google.com

That passes the user to the correct IdP, requires them to login, and then once they're logged in, they are redirected back to Shibboleth SP, and then the Shibboleth SP redirects them back to the target URL, which appears to be able to be set to anything. 

The Shibboleth SP should be validating the target URL, should it not? Maybe I'm missing a configuration? Appreciate any assistance. Thanks!


--
Sincerely,

Brandon Montgomery
Director, Product Engineering
TeamDynamix: The Right Fit for Higher Ed
o: 877-752-6196 x114
m: 614-285-7596

Got .edu? Join your peers in our Higher Ed Community for networking, tips and more: https://community.teamdynamix.com.
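An added illustration, not part of the original post: a validator for the kind of "target" value the post describes, written the way a defender would vet a post-login return URL (Shibboleth SP's own `redirectLimit` setting on `<Sessions>` in shibboleth2.xml applies comparable rules). The SP host name `sp.example.edu`, the allow-listed host and the sample targets are constructed for the example.

```python
from urllib.parse import urlsplit

# Characters that browsers may normalise into path/authority separators ("\\" -> "/"),
# or that would let a value smuggle a second header line if echoed into Location.
_FORBIDDEN_CHARS = "\\\r\n\x00"


def is_safe_target(target: str, sp_host: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """Accept only a same-site absolute path, or an http(s) URL whose host is the SP
    itself or an explicitly allow-listed host. Everything else is an open redirect."""
    if not target or any(ch in target for ch in _FORBIDDEN_CHARS):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path on this host.
        # "//host/..." is scheme-relative and would leave the site, so it is excluded.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    # hostname strips userinfo and port, so "https://sp.example.edu@evil/" resolves to "evil".
    host = (parts.hostname or "").lower()
    if not host:
        return False
    return host == sp_host.lower() or host in allowed_hosts


# Constructed sample targets of the shape seen in the post, plus common bypass variants.
SAMPLE_TARGETS = [
    "/secure/app",                              # relative path: fine
    "https://sp.example.edu/secure/app",        # back to the SP: fine
    "https://portal.example.edu/landing",       # allow-listed host: fine
    "http://google.com",                        # the case from the post
    "//evil.example/phish",                     # scheme-relative
    "/\\evil.example/phish",                    # backslash normalised by browsers
    "https://sp.example.edu@evil.example/",     # userinfo trick
    "https://sp.example.edu.evil.example/",     # suffix-match trick
    "javascript:alert(1)",                      # non-http scheme
]


def check_samples(sp_host: str = "sp.example.edu",
                  allowed_hosts: frozenset = frozenset({"portal.example.edu"})) -> dict:
    """Return {target: allowed?} for the constructed samples."""
    return {t: is_safe_target(t, sp_host, allowed_hosts) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, ok in check_samples().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {target}")
```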
