201801-02

Open redirection protection bypass

Background

An open redirection issue happens when a web application performs a redirection to a URL obtained from user input without proper validation. Such an issue allows attackers to craft URLs pointing to a trusted web site which will then redirect to another page under the control of the attacker. This is usually used to give phishing attacks the appearance of legitimacy, making it easier to trick victims into following a link.

SimpleSAMLphp 1.12.0 introduced a whitelisting mechanism to address multiple open redirection issues scattered around its code. This whitelisting mechanism enforces the need to manually specify all domains that should be allowed when a redirection happens to a user-provided URL, by means of the trusted.url.domains and trusted.url.regex configuration options. In order to make it as transparent as possible, the very same host where SimpleSAMLphp is running and all hosts found in remote metadata are automatically whitelisted, so that in practice, adding domain names to the white list shouldn’t be necessary.

Description

The particular implementation of this whitelisting mechanism was using a regular expression to validate user-provided URLs and extract the host information to search for it in the white list. This regular expression had an issue that allowed an attacker to build a URL that passed the whitelisting validation, while still being redirected by the web browser to a different URL under their control. The regular expression was not properly taking into account the authority part of the URL, so that its contents could be taken as the host to check against the white list, and the actual host as seen by the browser would be ignored, effectively skipping the validation.

The standard parse_url() PHP function is now used instead of a regular expression to validate and parse user-provided URLs. This function, as it was later brought to our attention, is strict with regard to regular slashes and backslashes, while most web browsers transform the latter into the former automatically. Therefore, as an additional validation mechanism, all URLs containing an authority part with a backslash character are now regarded as invalid, leading to an exception.

Affected versions

All SimpleSAMLphp versions between 1.12.0 and 1.15.1, both included.

Impact

An attacker may be able to manually craft URLs that could bypass the whitelisting validation mechanism and take advantage of the multiple endpoints in SimpleSAMLphp where a redirection is performed to a user-provided URL. This can be used to perform phishing attacks by providing inconspicuous links that appear legitimate to most users.

A mitigating factor is that some popular web browsers alert end users when performing a redirection to a URL that includes a username and password, making the attack less transparent and allowing the victim realize about it.

Resolution

Upgrade to the latest version.

Credit

This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.

A report detailing further issues in the initial fix was submitted by Juho Nurminen on January 16, 2018.