Summary
The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.
There are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)
Details
|
$logoutRedirectUrl = $url; |
Previous module checked the url against the valid service urls.
PoC
The docker instructions from the README.md run an image with a vulnerable config.
Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google
Impact
Impacted configs have
and are most impacted if they also have
'skip_logout_page' -> true,
Summary
The logout endpoint accepts a
urlquery parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.There are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)
Details
simplesamlphp-module-casserver/src/Controller/LogoutController.php
Line 104 in 21418f7
Previous module checked the url against the valid service urls.
PoC
The docker instructions from the README.md run an image with a vulnerable config.
Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google
Impact
Impacted configs have
'enable_logout' => true,and are most impacted if they also have