Replies: 3 comments 2 replies
-
there is some work to prevent that, see https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.9.3/src/mod_auth_openidc.c#L2396-L2458, but I just realized that the
-
which version of the module are you on?
-
Hi, I just tested the new version 2.4.9.4 and the fix works very well. I have the following message in my browser:
Thank you again for your work.
-
Hi,
we have been using the mod_auth_openidc module for a long time and are very fond of your work.
Recently we forged a URL for a phishing attack that redirects the user, after their authentication on our OP, to any site of our choice.
The forged URL is as follows:
https://<oidc_callback>?iss=<issuer>&target_link_uri=https://FQDN_phishing\.<domain_your_oidc_callback>/
example:
https://myapplication.local/app/redirect_oidc?iss=<issuer>&target_link_uri=https://google.fr\.myapplication.local
After authentication, the user is redirected to https://google.fr\.myapplication.loca
According to the OpenID Connect documentation,
https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
Does the module verify the value of target_link_uri to prevent it from being used as an open redirector to external sites? And how is this configured in the module?
Best regards,
Meheni
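The redirect described in the post hinges on a parser mismatch: a server-side URL parser keeps the backslash inside the authority, so `google.fr\.myapplication.local` still ends in the application's own domain, while a browser following the WHATWG URL Standard treats `\` as `/` for https URLs and navigates to `google.fr`. The following is an added example, not code from mod_auth_openidc, of how a relying party can validate `target_link_uri` before honouring it. It assumes the application's only legitimate origin is `https://myapplication.local` (taken from the post) and uses constructed sample URLs; the allowlist and function names are hypothetical.

```python
"""Validate target_link_uri for third-party-initiated login.

Added example; not mod_auth_openidc code. The allowlist and the sample
URLs below are constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only origin we will send a user to after login.
ALLOWED_ORIGINS = {("https", "myapplication.local", 443)}

# RFC 3986 reg-name characters plus an optional numeric port. A backslash,
# "@", whitespace or non-ASCII in the authority means a browser will split
# the URL differently than we do, so such URLs are refused outright.
AUTHORITY_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def naive_is_internal(target: str) -> bool:
    """The kind of suffix check that lets the reported URL through.

    urlsplit() leaves the backslash in netloc, so the string still ends
    with ".myapplication.local" even though a browser goes to google.fr.
    """
    netloc = urlsplit(target).netloc
    return netloc == "myapplication.local" or netloc.endswith(".myapplication.local")


def is_safe_target_link_uri(target: str) -> bool:
    """Accept only an absolute https URL whose (scheme, host, port) is an
    exact member of the allowlist and whose authority is plain host[:port]."""
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    # Reject userinfo ("host@evil"), backslashes and anything else that is
    # not a bare host and port; this is what blocks the forged URL.
    if not AUTHORITY_RE.fullmatch(parts.netloc):
        return False
    origin = (parts.scheme, parts.hostname.lower(), port or 443)
    return origin in ALLOWED_ORIGINS


# Constructed inputs with the verdict the strict check should give.
SAMPLES = {
    "https://google.fr\\.myapplication.local/": False,      # the forged link
    "https://myapplication.local@google.fr/": False,        # userinfo trick
    "https://myapplication.local.google.fr/": False,        # suffix lookalike
    "//google.fr/": False,                                  # scheme-relative
    "http://myapplication.local/": False,                   # wrong scheme
    "https://myapplication.local:abc/": False,              # malformed port
    "https://myapplication.local/app/dashboard?tab=1": True,  # real deep link
    "https://MyApplication.local:443/": True,               # case/port normalised
}


def check_samples() -> dict:
    """Return {url: (naive verdict, strict verdict)} for every sample."""
    return {u: (naive_is_internal(u), is_safe_target_link_uri(u)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (naive, strict) in check_samples().items():
        assert strict == SAMPLES[url], url
        print(f"naive={'pass' if naive else 'fail'} strict={'pass' if strict else 'fail'}  {url}")
```

The important design choice is exact origin matching rather than a suffix or substring test, combined with refusing any authority that contains characters outside the host and port grammar. That second rule is what defeats the backslash and `@` variants, because it stops relying on the server-side parser agreeing with the browser about where the host ends.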