Bug 1805102 (CVE-2019-20479) - CVE-2019-20479 mod_auth_openidc: open redirect issue exists in URLs with slash and backslash
Summary: CVE-2019-20479 mod_auth_openidc: open redirect issue exists in URLs with slas...
Keywords:
Status: NEW
Alias: CVE-2019-20479
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1805104 1805748 1805749 1820662
Blocks: 1805106
TreeView+ depends on / blocked
 
Reported: 2020-02-20 09:21 UTC by Dhananjay Arunesh
Modified: 2020-04-03 15:13 UTC (History)
5 users (show)

Fixed In Version: mod_auth_openidc 2.4.1
Doc Type: If docs needed, set a value
Doc Text:
An open redirect flaw was discovered in mod_auth_openidc where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with slash and backslash at the beginning to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect him to another, possibly malicious, URL.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-02-20 09:21:01 UTC
A vulnerability was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.

Reference:
https://github.com/zmartzone/mod_auth_openidc/commit/02431c0adfa30f478cf2eb20ed6ea51fdf446be7
https://github.com/zmartzone/mod_auth_openidc/pull/453

Comment 1 Dhananjay Arunesh 2020-02-20 09:21:51 UTC
Created mod_auth_openidc tracking bugs for this issue:

Affects: fedora-all [bug 1805104]

Comment 2 Riccardo Schirone 2020-02-21 13:01:05 UTC
Statement:

It is not possible to reproduce the open redirect vulnerability in the versions of mod_auth_openidc as shipped in Red Hat Enterprise Linux 7, as a missing check makes the process crash, due to a NULL pointer dereference, instead of letting it continue with an invalid URL.

Comment 3 Riccardo Schirone 2020-02-21 13:03:27 UTC
The version of mod_auth_openidc as shipped with Red Hat Enterprise Linux 7 does not contain the patched code, however due to a missing check, this issue does not manifest as an Open Redirect flaw, but it triggers a NULL pointer dereference while parsing the logout URL. For this reason, the only impact on RHEL 7 is to Availability, because the httpd process would die, even though others can take other requests.

Comment 4 Riccardo Schirone 2020-02-21 13:04:45 UTC
This flaw is similar to CVE-2019-14857, but it is about a new way to bypass the security checks. This one involves URLs beginning with `/\`, while CVE-2019-14857 is about URLs beginning with `///`.


Note You need to log in before you can comment on or make changes to this bug.