Bug 1725740 (CVE-2019-13038)

Summary: CVE-2019-13038 mod_auth_mellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: hhorak, jhrozek, jorton, luhliari, ssorce, sssd-qe
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: mod_auth_mellon 0.15.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-31 22:34:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1725742, 1731052, 1731053, 1731054
Bug Blocks: 1725743

Description Marian Rehak 2019-07-01 11:24:06 UTC
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.

Upstream Issue:

https://github.com/Uninett/mod_auth_mellon/issues/35

Comment 1 Marian Rehak 2019-07-01 11:26:43 UTC
Created mod_auth_mellon tracking bugs for this issue:

Affects: fedora-all [bug 1725742]

Comment 2 Riccardo Schirone 2019-07-08 11:58:05 UTC
An initial patch can be found at https://github.com/Uninett/mod_auth_mellon/commit/9d28908e28ef70a12196c215503fb0075e1fd7f3. However, according to https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 it is still possible to reproduce the flaw.

Comment 4 Riccardo Schirone 2019-07-08 15:48:11 UTC
By omitting the `//` after `http:` or `https:`, the apr_uri_parse() function incorrectly parses the URL provided with ReturnTo=, returning a wrong URI without a hostname. According to the logic in am_validate_redirect_url(), URIs without a hostname do not need to be checked, because they are supposed to be relative to the current host; however, the browser interprets them differently and redirects the user to the page specified after `http:`/`https:`.
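The parser divergence described in this comment, as an added example that is not code from mod_auth_mellon or from its fix: Python's urllib.parse stands in for apr_uri_parse(), a naive check reproduces the "no hostname means same host" assumption, and a hardened check accepts only a genuine absolute path or an explicitly allowed host (it also rejects the protocol-relative `//host` form, which goes beyond this comment). ALLOWED_HOSTS and both function names are constructed for the example.

```python
"""Redirect-target validation for a ReturnTo-style parameter.

Added example, not mod_auth_mellon's own code. A URL with a scheme but
no "//" (e.g. "http:evil.example/") parses with an empty netloc, so a
check that treats "no hostname" as "relative to this host" lets it
through, while a browser follows it to evil.example.
"""
from urllib.parse import urlparse

# Constructed configuration: hosts a redirect is permitted to target.
ALLOWED_HOSTS = {"sp.example.org"}


def naive_is_safe_redirect(url: str) -> bool:
    """Mirrors the flawed logic: no parsed hostname => assumed same-host."""
    parts = urlparse(url)
    if not parts.hostname:
        return True            # BUG: "http:evil.example/" also has no hostname
    return parts.hostname in ALLOWED_HOSTS


def hardened_is_safe_redirect(url: str) -> bool:
    """Accept a same-site absolute path or an http(s) URL whose host is
    explicitly permitted; everything else, including a scheme without an
    authority part, is rejected."""
    parts = urlparse(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path, and not the
        # protocol-relative "//host" or the browser-tolerated "/\host" form.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname in ALLOWED_HOSTS
    # "http:evil.example/" has scheme "http" but no hostname: falls through.
    return False


if __name__ == "__main__":
    for candidate in ("/dashboard", "https://sp.example.org/app",
                      "http:evil.example/", "https:evil.example/"):
        print(f"{candidate!r}: naive={naive_is_safe_redirect(candidate)} "
              f"hardened={hardened_is_safe_redirect(candidate)}")
```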

Comment 6 Riccardo Schirone 2019-07-18 08:52:59 UTC
This flaw is caused by an incomplete fix for CVE-2019-3877.

Comment 7 Riccardo Schirone 2019-09-27 09:56:56 UTC
Proposed patch upstream:
https://github.com/Uninett/mod_auth_mellon/pull/220

Comment 8 Riccardo Schirone 2019-10-25 16:36:48 UTC
The upstream PR and issue have been closed as the mod_auth_mellon project has been archived.
See https://github.com/Uninett/mod_auth_mellon/blob/info/README.md .

Comment 9 Simo Sorce 2019-10-25 18:15:28 UTC
We have moved development here[1] after Uninett decided to not fund development further.
Please feel free to reopen issues or PRs there.

[1] https://github.com/latchset/mod_auth_mellon/

Comment 10 Riccardo Schirone 2019-11-26 14:06:51 UTC
The fix initially proposed and noted in comment 7 has been merged into the new repository and can be found at:
https://github.com/latchset/mod_auth_mellon/commit/5f220e771f2029a58b7d95f92e9ae6713bc88ce5

Comment 12 errata-xmlrpc 2020-03-31 19:09:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1003 https://access.redhat.com/errata/RHSA-2020:1003

Comment 13 Product Security DevOps Team 2020-03-31 22:34:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13038

Comment 14 errata-xmlrpc 2020-04-28 15:36:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1660 https://access.redhat.com/errata/RHSA-2020:1660