mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL. Upstream Issue: https://github.com/Uninett/mod_auth_mellon/issues/35
Created mod_auth_mellon tracking bugs for this issue: Affects: fedora-all [bug 1725742]
An initial patch can be found at https://github.com/Uninett/mod_auth_mellon/commit/9d28908e28ef70a12196c215503fb0075e1fd7f3 . However, according to https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 it is still possible to reproduce the flaw.
By omitting the `//` after `http:` or `https:`, the apr_uri_parse() function incorrectly parses the URL provided with ReturnTo=, returning a wrong URI without a hostname. According to the logic in am_validate_redirect_url(), URIs without a hostname do not need to be checked, because they are supposed to be relative to the current host; however, the browser interprets them differently and redirects the user to the page specified after `http:`/`https:`.
This flaw is caused by an incomplete fix for CVE-2019-3877.
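Added here as an illustration, not code from mod_auth_mellon or from any participant in this bug: the comment above describes apr_uri_parse() returning a URI with no hostname for input like `http:evil.com`, and am_validate_redirect_url() treating hostless URIs as relative and therefore safe. Python's urllib.parse.urlsplit() produces the same split for such input (scheme set, empty authority, the "host" left in the path), so it stands in for apr_uri_parse() here. The allow-listed hostname, the attacker hostname and the hardened check are assumptions of this example; the hardened function shows one way to close the gap and is not the upstream patch.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hostname(s) the SP considers its own.
ALLOWED_HOSTS = {"sp.example.com"}


def vulnerable_is_safe_redirect(url: str) -> bool:
    """Mirror of the flawed reasoning described in the bug.

    A parsed URI without a hostname is assumed to be relative to the
    current host and is accepted without further checks.  For
    'http:evil.com' the parser yields scheme='http', netloc='' and
    path='evil.com', so the URL slips through even though a browser
    resolves it to http://evil.com/.
    """
    parts = urlsplit(url)
    if not parts.hostname:
        return True  # flaw: 'http:evil.com' and 'https:///evil.com' land here
    return parts.hostname in ALLOWED_HOSTS


def hardened_is_safe_redirect(url: str) -> bool:
    """One way to validate ReturnTo (this example's approach, not upstream's).

    - Anything carrying a scheme or an authority is treated as absolute
      and must be http(s) with an allow-listed hostname; a scheme with
      no hostname is rejected instead of being assumed relative.
    - A relative target must start with exactly one '/', so that
      scheme-relative '//evil.com' and '/\\evil.com' (backslash is
      treated as a slash by browsers for http/https) are refused.
    """
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
    return url.startswith("/") and not url.startswith(("//", "/\\"))


# Constructed ReturnTo values, from benign to the bypass described above.
SAMPLE_RETURN_TO = [
    "/protected/page?x=1",
    "https://sp.example.com/protected/page",
    "https://evil.com/",
    "//evil.com/",
    "/\\evil.com",
    "http:evil.com",        # the CVE-2019-13038 bypass: no '//' after the scheme
    "https:///evil.com",    # same class: scheme present, hostname empty
]


def compare_checks(urls=SAMPLE_RETURN_TO):
    """Return {url: (vulnerable_result, hardened_result)} for inspection."""
    return {u: (vulnerable_is_safe_redirect(u), hardened_is_safe_redirect(u)) for u in urls}


if __name__ == "__main__":
    for u, (vuln, hard) in compare_checks().items():
        print(f"{u!r:40} vulnerable={vuln!s:5} hardened={hard}")
```

Running the block prints, per sample value, what the flawed logic and the hardened logic decide; the two `http:`/`https:` values without `//` are the ones where they disagree.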
Proposed patch upstream: https://github.com/Uninett/mod_auth_mellon/pull/220
The upstream PR and issue have been closed as the mod_auth_mellon project has been archived. See https://github.com/Uninett/mod_auth_mellon/blob/info/README.md .
We have moved development here[1] after Uninett decided to not fund development further. Please feel free to reopen issues or PRs there. [1] https://github.com/latchset/mod_auth_mellon/
The fix initially proposed and noted in comment 7 has been merged into the new repository and can be found at: https://github.com/latchset/mod_auth_mellon/commit/5f220e771f2029a58b7d95f92e9ae6713bc88ce5
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1003 https://access.redhat.com/errata/RHSA-2020:1003
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13038
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1660 https://access.redhat.com/errata/RHSA-2020:1660