Bug 1725740 (CVE-2019-13038) - CVE-2019-13038 mod_auth_mellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-13038
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1725742 1731052 1731053 1731054
Blocks: 1725743
Reported: 2019-07-01 11:24 UTC by Marian Rehak
Modified: 2021-07-27 09:34 UTC (History)

Fixed In Version: mod_auth_mellon 0.15.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 22:34:24 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1003 0 None None None 2020-03-31 19:09:54 UTC
Red Hat Product Errata RHSA-2020:1660 0 None None None 2020-04-28 15:37:00 UTC

Description Marian Rehak 2019-07-01 11:24:06 UTC
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.

Upstream Issue:

https://github.com/Uninett/mod_auth_mellon/issues/35

Comment 1 Marian Rehak 2019-07-01 11:26:43 UTC
Created mod_auth_mellon tracking bugs for this issue:

Affects: fedora-all [bug 1725742]

Comment 2 Riccardo Schirone 2019-07-08 11:58:05 UTC
An initial patch can be found at https://github.com/Uninett/mod_auth_mellon/commit/9d28908e28ef70a12196c215503fb0075e1fd7f3. However, according to https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885, it is still possible to reproduce the flaw.

Comment 4 Riccardo Schirone 2019-07-08 15:48:11 UTC
By omitting the `//` after `http:` or `https:`, the apr_uri_parse() function incorrectly parses the URL provided with ReturnTo=, returning a wrong URI without a hostname. According to the logic in am_validate_redirect_url(), URIs without a hostname do not need to be checked, because they are supposed to be relative to the current host; however, the browser interprets them differently and redirects the user to the page specified after `http:`/`https:`.
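
The parsing pitfall described in comment 4, as an added example that is not mod_auth_mellon's code: Python's urllib.parse.urlsplit splits `http:evil.example` into a scheme with an empty host, the same way apr_uri_parse() does, so a validator that treats host-less URIs as relative lets it through, while a check that only accepts single-slash paths or allow-listed absolute hosts rejects it (ALLOWED_HOSTS, validate_naive and validate_fixed are assumed names, the inputs are constructed).

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the module's configured redirect domains.
ALLOWED_HOSTS = {"sp.example.com"}


def validate_naive(url: str) -> bool:
    """Vulnerable pattern from comment 4: a URL with no hostname is assumed
    to be relative to the current host and is accepted without further checks."""
    parts = urlsplit(url)
    if not parts.netloc:          # "http:evil.example" lands here: scheme set, host empty
        return True
    return parts.hostname in ALLOWED_HOSTS


def validate_fixed(url: str) -> bool:
    """Hardened check: anything carrying a scheme or authority must name an
    allow-listed host; everything else must be a plain single-slash path."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # "http:evil.example" has a scheme but hostname None -> rejected.
        # "//evil.example" has an authority but no scheme -> rejected.
        return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
    # Relative target: require "/path", refuse "//host" and "/\host" forms.
    return url.startswith("/") and not url.startswith(("//", "/\\"))


# Constructed ReturnTo= values covering the cases discussed on this page.
SAMPLES = [
    "/dashboard",                       # legitimate relative path
    "https://sp.example.com/app",       # legitimate absolute URL on our host
    "https://evil.example/phish",       # foreign host, both validators reject
    "http:evil.example/phish",          # CVE-2019-13038 shape: missing "//"
    "//evil.example/phish",             # protocol-relative redirect
]


def compare(samples=SAMPLES):
    """Return {url: (naive_result, fixed_result)} for each sample."""
    return {u: (validate_naive(u), validate_fixed(u)) for u in samples}


if __name__ == "__main__":
    for url, (naive, fixed) in compare().items():
        print(f"{url:32} naive={naive!s:5} fixed={fixed}")
```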

Comment 6 Riccardo Schirone 2019-07-18 08:52:59 UTC
This flaw is caused by an incomplete fix for CVE-2019-3877.

Comment 7 Riccardo Schirone 2019-09-27 09:56:56 UTC
Proposed patch upstream:
https://github.com/Uninett/mod_auth_mellon/pull/220

Comment 8 Riccardo Schirone 2019-10-25 16:36:48 UTC
The upstream PR and issue have been closed as the mod_auth_mellon project has been archived.
See https://github.com/Uninett/mod_auth_mellon/blob/info/README.md.

Comment 9 Simo Sorce 2019-10-25 18:15:28 UTC
We have moved development here[1] after Uninett decided to not fund development further.
Please feel free to reopen issues or PRs there.

[1] https://github.com/latchset/mod_auth_mellon/

Comment 10 Riccardo Schirone 2019-11-26 14:06:51 UTC
The fix initially proposed and noted in comment 7 has been merged in the new repository and it can be found at:
https://github.com/latchset/mod_auth_mellon/commit/5f220e771f2029a58b7d95f92e9ae6713bc88ce5

Comment 12 errata-xmlrpc 2020-03-31 19:09:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1003 https://access.redhat.com/errata/RHSA-2020:1003

Comment 13 Product Security DevOps Team 2020-03-31 22:34:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13038

Comment 14 errata-xmlrpc 2020-04-28 15:36:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1660 https://access.redhat.com/errata/RHSA-2020:1660
