ghsa-qqxw-m5fj-f7gv
Vulnerability from github
Published
2021-12-20 18:02
Modified
2021-05-24 21:20
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L
Summary
The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect
Details

Impact

An open redirect vulnerability has been found in oauth2_proxy. Anyone who uses oauth2_proxy may potentially be impacted.

For a context [detectify] have an in depth blog post about the potential impact of an open redirect. Particularly see the OAuth section.

tl;dr: People's authentication tokens could be silently harvested by an attacker. e.g: facebook.com/oauth.php?clientid=123&state=abc&redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/

Patches

@sauyon found the issue, and has submitted a patch.

diff --git a/oauthproxy.go b/oauthproxy.go index 72ab580..f420df6 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -517,7 +517,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error) // IsValidRedirect checks whether the redirect URL is whitelisted func (p *OAuthProxy) IsValidRedirect(redirect string) bool { switch { - case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"): + case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"): return true case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"): redirectURL, err := url.Parse(redirect)

This patch will be applied to the next release, which is scheduled for when this is publicly disclosed.

Workarounds

At this stage there is no work around.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/oauth2-proxy/oauth2-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T21:20:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nAn open redirect vulnerability has been found in `oauth2_proxy`. Anyone who uses `oauth2_proxy` may potentially be impacted. \n\nFor a context [detectify] have an in depth blog post about the potential impact of an open redirect. Particularly see the OAuth section.\n\n**tl;dr**: People\u0027s authentication tokens could be silently harvested by an attacker. e.g:\n`facebook.com/oauth.php?clientid=123\u0026state=abc\u0026redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/`\n\n### Patches\n\n@sauyon found the issue, and has submitted a patch. \n\n```\ndiff --git a/oauthproxy.go b/oauthproxy.go\nindex 72ab580..f420df6 100644\n--- a/oauthproxy.go\n+++ b/oauthproxy.go\n@@ -517,7 +517,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)\n // IsValidRedirect checks whether the redirect URL is whitelisted\n func (p *OAuthProxy) IsValidRedirect(redirect string) bool {\n \tswitch {\n-\tcase strings.HasPrefix(redirect, \"/\") \u0026\u0026 !strings.HasPrefix(redirect, \"//\"):\n+\tcase strings.HasPrefix(redirect, \"/\") \u0026\u0026 !strings.HasPrefix(redirect, \"//\") \u0026\u0026 !strings.HasPrefix(redirect, \"/\\\\\"):\n \t\treturn true\n \tcase strings.HasPrefix(redirect, \"http://\") || strings.HasPrefix(redirect, \"https://\"):\n \t\tredirectURL, err := url.Parse(redirect)\n```\n\nThis patch will be applied to the next release, which is scheduled for when this is publicly disclosed.\n\n### Workarounds\n\nAt this stage there is no work around.",
  "id": "GHSA-qqxw-m5fj-f7gv",
  "modified": "2021-05-24T21:20:17Z",
  "published": "2021-12-20T18:02:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5233"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2"
    },
    {
      "type": "WEB",
      "url": "https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2_proxy/releases/tag/v5.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "The pattern \u0027/\\domain.com\u0027 is not disallowed when redirecting, allowing for open redirect"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.