I think Andy's right here... when I try this on my CAS server, which does *not* have the wildcard service registry entry, I get (correctly) redirected to the "Application not authorized to use SSO" page.

--Dave

--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]

On Thu, Sep 27, 2018 at 5:15 AM Andy Ng <[email protected]> wrote:
> Hi Ganesh,
>
> There is a default service that will secretly enable all https-based services, called "HTTPSandIMAPS-10000001.json":
>
> https://github.com/apereo/cas/blob/master/webapp/resources/services/HTTPSandIMAPS-10000001.json
>
> Refer to this for how to disable such a service:
>
> https://groups.google.com/a/apereo.org/forum/#!msg/cas-user/yD9WXk3n1K8/Hy0ssGBiAAAJ;context-place=forum/cas-user
>
> See if this is your problem?
>
> Cheers!
> - Andy
>
> On Thursday, 27 September 2018 15:49:28 UTC+8, Bergner, Arnold wrote:
>> Hi Ganesh,
>>
>> When I submit “/login?TARGET=https://yahoo.com” to our cas v5.2, I get an “application not authorized” error, so no redirection is happening.
>>
>> Maybe it’s a hole resulting from your service definitions?
>>
>> Regards,
>> Arnold
>>
>> *From:* [email protected] [mailto:[email protected]] *On behalf of* Ganesh Prasad
>> *Sent:* Thursday, 27 September 2018 08:31
>> *To:* CAS Community <[email protected]>
>> *Subject:* [cas-user] TARGET URL parameter associated with samlValidate can be misused to redirect to malicious sites (?)
>>
>> Hi,
>>
>> We recently commissioned a third-party security audit of our application, and one of the findings was this:
>>
>> Cross-Site Redirection (Medium Impact, Moderate Difficulty in exploiting)
>>
>> If one pastes this string into the browser:
>>
>> https://cas.mydomain.com/cas/login?TARGET=https://yahoo.com
>>
>> then, after authentication, the browser is redirected without complaint to yahoo.com.
>>
>> The report said in detail:
>>
>> "The application was found to take a URL as a parameter to determine where to direct the user. <Consultant> found that this URL can be any value, allowing an attacker to insert a malicious URL that can be used to redirect to an external site before or after authentication.
>>
>> A link to the login page, containing this URL, could therefore be created, which can then be sent to a victim (e.g. as an email phishing attack). When the victim accesses this link, they are initially sent to the valid site. After authentication they can be redirected to a third party site without their knowledge.
>>
>> This second site could be under the control of an attacker, and perform such actions as re-requesting their authentication details and performing a man-in-the-middle attack between the victim and the client's site, ultimately giving the attacker authenticated access to the application."
>>
>> My questions are:
>>
>> 1. Is this a security hole in CAS as suggested by the security auditor?
>> 2. Is there a workaround that we can implement?
>>
>> Regards,
>> Ganesh
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/099ee631-39d7-4d6a-b559-5e11a5f32467%40apereo.org.
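The whole thread turns on one point: CAS only redirects to a service URL that matches a registered service definition, and the default HTTPSandIMAPS-10000001.json definition matches every https:// URL. The Python below is an added illustration (not code from the thread, from CAS, or from any poster) that simulates that registry lookup over two constructed definitions: one modelled on the default wildcard file Andy links, and one tightened to a single hypothetical host, app.mydomain.com. It assumes that CAS applies the serviceId pattern with Java's Matcher.find() semantics (an assumption to verify against your CAS version), which is why the trailing anchor in the tightened pattern matters, and it includes a probe against a reserved .invalid host that a defender can run over any registry to detect an effective wildcard.

```python
"""Simulate CAS service-registry matching to show why the default
HTTPSandIMAPS definition turns /cas/login?TARGET=... into an open redirect,
and what a tightened definition looks like. Example code added to this
thread; it is not part of CAS."""
import json
import re

# Constructed sample modelled on the default HTTPSandIMAPS-10000001.json
# linked in the thread: one pattern authorizes every https:// or imaps:// URL.
WILDCARD_SERVICE = json.loads("""
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "evaluationOrder": 10000
}
""")

# Constructed replacement for a hypothetical application host
# app.mydomain.com: one definition per application, anchored at both ends.
APP_SERVICE = json.loads(r"""
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app\\.mydomain\\.com(/.*)?$",
  "name": "My application",
  "id": 1,
  "evaluationOrder": 10
}
""")

# Constructed pitfall: the same host pattern without the trailing anchor.
SLOPPY_SERVICE = dict(APP_SERVICE, serviceId=r"^https://app\.mydomain\.com", id=2)


def find_matching_service(registry, service_url):
    """Return the first definition whose serviceId pattern matches, lowest
    evaluationOrder first, or None.
    Assumption: as with CAS's RegexRegisteredService, the pattern is applied
    with Java's Matcher.find(), so an unanchored pattern may match only a
    prefix of the URL. Python's re.search has the same semantics."""
    for svc in sorted(registry, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], service_url):
            return svc
    return None


def is_authorized(registry, service_url):
    """True when the simulated registry would accept service_url as a
    registered service, i.e. CAS would redirect the browser there after login."""
    return find_matching_service(registry, service_url) is not None


def has_wildcard_entry(registry):
    """Defender's check: probe the registry with a host nobody owns.
    '.invalid' is reserved (RFC 2606), so a match means some definition is
    effectively a wildcard. Returns that definition's name, or None."""
    svc = find_matching_service(registry, "https://open-redirect-probe.invalid/")
    return svc["name"] if svc else None


if __name__ == "__main__":
    shipped = [WILDCARD_SERVICE, APP_SERVICE]   # registry with the default file present
    tightened = [APP_SERVICE]                   # registry after removing it
    target = "https://yahoo.com"
    lookalike = "https://app.mydomain.com.evil.example/"
    print("default registry, TARGET=yahoo.com  :", is_authorized(shipped, target))
    print("wildcard definition found           :", has_wildcard_entry(shipped))
    print("tightened registry, yahoo.com       :", is_authorized(tightened, target))
    print("tightened registry, lookalike host  :", is_authorized(tightened, lookalike))
    print("unanchored pattern, lookalike host  :", is_authorized([SLOPPY_SERVICE], lookalike))
```

Running it shows the auditor's finding reproduced only while the wildcard definition is present, and the "application not authorized" outcome Arnold and Dave describe once it is removed. The last two lines are the caveat to keep in mind when writing replacement definitions: with find() semantics, a pattern that stops after the hostname still matches a longer lookalike host, so end every serviceId with `$` (or an explicit path group followed by `$`).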
