Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFxeHctbTVmai1mN2d2
The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect
Impact
An open redirect vulnerability has been found in oauth2_proxy. Anyone who uses oauth2_proxy may potentially be impacted.
For a context [detectify] have an in depth blog post about the potential impact of an open redirect. Particularly see the OAuth section.
tl;dr: People's authentication tokens could be silently harvested by an attacker. e.g:
facebook.com/oauth.php?clientid=123&state=abc&redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/
Patches
@sauyon found the issue, and has submitted a patch.
diff --git a/oauthproxy.go b/oauthproxy.go
index 72ab580..f420df6 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -517,7 +517,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
// IsValidRedirect checks whether the redirect URL is whitelisted
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
switch {
- case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+ case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect)
This patch will be applied to the next release, which is scheduled for when this is publicly disclosed.
Workarounds
At this stage there is no work around.
Permalink: https://github.com/advisories/GHSA-qqxw-m5fj-f7gvJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFxeHctbTVmai1mN2d2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L
Identifiers: GHSA-qqxw-m5fj-f7gv, CVE-2020-5233
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-5233
- https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv
- https://github.com/oauth2-proxy/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2
- https://github.com/oauth2-proxy/oauth2_proxy/releases/tag/v5.0.0
- https://github.com/advisories/GHSA-qqxw-m5fj-f7gv
Blast Radius: 1.0
Affected Packages
go:github.com/oauth2-proxy/oauth2-proxy
Dependent packages: 1Dependent repositories: 0
Downloads:
Affected Version Ranges: < 5.0.0
Fixed in: 5.0.0
All affected versions: 1.1.1, 2.0.1, 3.0.0, 3.1.0, 3.2.0
All unaffected versions: