OpenShift Bugs / OCPBUGS-19979

Open Redirect Vulnerability on login page


      Description of problem:

      During penetration tests an open-redirect vulnerability has been discovered on the login page.
      
      The data in the 'then' argument that is normally present in the login page link is not verified in any way: https://oauth-openshift.apps.example.com/login/kube:admin?then=%2Foauth%2Fauthorize%3Fclient_id%3Dconsole%26idp%3Dkube%253Aadmin%26redirect_uri%3Dhttps%253A%252F%252Fconsole-openshift-console.apps.example.com%252Fauth%252Fcallback%26response_type%3Dcode%26scope%3Duser%253Afull%26state%3D6f302f1d
      
      An attacker can prepare a legitimate-looking login page link with a modified 'then' argument pointing to a completely different site; after login the user is redirected to that site, effectively enabling a phishing attack.
      For example: https://oauth-openshift.apps.example.com/login/ad_login?then=%2F%5C%2Fgoogle.com%2F

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      Process a login to the OpenShift Web Console and check the link for oauth-openshift.
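      As an added example (not code from this report or from the OpenShift oauth-server), a hypothetical Go check for the 'then' parameter: it extracts 'then' from a login link and accepts only a plain same-origin path, so the legitimate link quoted above passes while the `/\/google.com/` link is rejected. The function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ThenFromLoginURL extracts the once-decoded 'then' query parameter from a
// login page URL like the ones quoted in the report (hypothetical helper).
func ThenFromLoginURL(loginURL string) (string, error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("then"), nil
}

// IsLocalThen reports whether a 'then' value is a plain same-origin path,
// the only kind of post-login redirect target that should be honoured.
// Hypothetical check written for this report; not the oauth-server's own code.
func IsLocalThen(then string) bool {
	// Must be an absolute path on this origin, e.g. "/oauth/authorize?...".
	if !strings.HasPrefix(then, "/") {
		return false
	}
	// "//host" and "/\host" are treated as scheme-relative URLs by browsers,
	// which is exactly the "/\/google.com/" shape from the report.
	if len(then) > 1 && (then[1] == '/' || then[1] == '\\') {
		return false
	}
	u, err := url.Parse(then)
	if err != nil {
		return false
	}
	// Anything that parses with a scheme, host or userinfo is not a local path;
	// a backslash that only appears after percent-decoding ("%5C") is rejected too.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	if strings.HasPrefix(u.Path, "//") || strings.ContainsAny(u.Path, "\\\r\n") {
		return false
	}
	return true
}

func main() {
	// Constructed sample links: the legitimate shape and the report's redirect shape.
	for _, link := range []string{
		"https://oauth-openshift.apps.example.com/login/kube:admin?then=%2Foauth%2Fauthorize%3Fclient_id%3Dconsole",
		"https://oauth-openshift.apps.example.com/login/ad_login?then=%2F%5C%2Fgoogle.com%2F",
	} {
		then, _ := ThenFromLoginURL(link)
		fmt.Printf("then=%q local=%v\n", then, IsLocalThen(then))
	}
}
```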
      

              Stanislav Láznička (slaznick@redhat.com, Inactive)
              Radomir Ludva (rhn-support-rludva)
              YaDan Pei