post logout URL validation open redirect

[zandbelt]

As reported on the e-mail list by AIMOTO Norihito:

I think mod_auth_openidc has the same Open Redirect as mod_auth_mellon.

• CVE-2019-3877
• CVE-2019-13038

• Open Redirection issue Uninett/mod_auth_mellon#35

These vulnerabilities are caused by the fact that uri.hostname becomes NULL as a result of parsing(apr_uri_parse()) the redirect URL.
Looking at the code of mod_auth_openidc, when uri.hostname is NULL, the hostname is not checked.
Like mod_auth_mellon, there is an Open Redirect.

---

static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
oidc_session_t *session) {
〜
if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
const char *error_description = apr_psprintf(r->pool,
"Logout URL malformed: %s", url);
oidc_error(r, "%s", error_description);
return oidc_util_html_send_error(r, c->error_template,
"Malformed URL", error_description,
HTTP_INTERNAL_SERVER_ERROR);

            }
            const char *c_host = oidc_get_current_url_host(r);
            if ((uri.hostname != NULL)
                            && ((strstr(c_host, uri.hostname) == NULL)
                                            || (strstr(uri.hostname, c_host) == NULL))) {
                    error_description =
                                    apr_psprintf(r->pool,
                                                    "logout value \"%s\" does not match the hostname of the current request \"%s\"",
                                                    apr_uri_unparse(r->pool, &uri, 0), c_host);
                    oidc_error(r, "%s", error_description);
                    return oidc_util_html_send_error(r, c->error_template,
                                    "Invalid Request", error_description,
                                    HTTP_INTERNAL_SERVER_ERROR);
            }

---

I confirmed that Open Redirect occurs in v2.4.0.

Regards,
Norihito

[oss-aimoto]

There was still open redirect

#453