Hi Andy, I think you're right. I can see the file WEB-INF/classes/services/HTTPSandIMAPS-10000001.json in my deployed directory.
I will follow the instructions you linked to, to disable this. Thanks!

Ganesh

On Thursday, 27 September 2018 19:15:40 UTC+10, Andy Ng wrote:
>
> Hi Ganesh,
>
> There is a default service that will secretly enable all https-based
> services, called "HTTPSandIMAPS-10000001.json":
>
> https://github.com/apereo/cas/blob/master/webapp/resources/services/HTTPSandIMAPS-10000001.json
>
> Refer to this for how to disable such a service:
>
> https://groups.google.com/a/apereo.org/forum/#!msg/cas-user/yD9WXk3n1K8/Hy0ssGBiAAAJ;context-place=forum/cas-user
>
> See if this is your problem?
>
> Cheers!
> - Andy
>
>
> On Thursday, 27 September 2018 15:49:28 UTC+8, Bergner, Arnold wrote:
>>
>> Hi Ganesh,
>>
>> when I submit “/login?TARGET=https://yahoo.com” to our cas v5.2, I get
>> an “application not authorized” error, so no redirection is happening.
>>
>> Maybe it’s a hole resulting from your service definitions?
>>
>> Regards,
>> Arnold
>>
>> *From:* [email protected] [mailto:[email protected]] *On behalf of* Ganesh Prasad
>> *Sent:* Thursday, 27 September 2018 08:31
>> *To:* CAS Community <[email protected]>
>> *Subject:* [cas-user] TARGET URL parameter associated with samlValidate
>> can be misused to redirect to malicious sites (?)
>>
>> Hi,
>>
>> We recently commissioned a third-party security audit of our application,
>> and one of the findings was this:
>>
>> Cross-Site Redirection (Medium Impact, Moderate Difficulty in exploiting)
>>
>> If one pastes this string into the browser: https://*cas.mydomain.com*/cas/login?TARGET=https://yahoo.com
>> <https://cas.mydomain.com/cas/login?TARGET=https://yahoo.com>
>>
>> then, after authentication, the browser is redirected without complaint
>> to yahoo.com.
>>
>> The report said in detail:
>>
>> "The application was found to take a URL as a parameter to determine
>> where to direct the user. <Consultant> found that this URL can be any value,
>> allowing an attacker to insert a malicious URL that can be used to redirect
>> to an external site before or after authentication.
>>
>> A link to the login page containing this URL could therefore be created,
>> which can then be sent to a victim (e.g. as an email phishing attack). When
>> the victim accesses this link, they are initially sent to the valid site.
>> After authentication they can be redirected to a third-party site without
>> their knowledge.
>>
>> This second site could be under the control of an attacker, and perform
>> such actions as re-requesting their authentication details and performing a
>> man-in-the-middle attack between the victim and the client's site,
>> ultimately giving the attacker authenticated access to the application."
>>
>> My questions are:
>>
>> 1. Is this a security hole in CAS as suggested by the security auditor?
>>
>> 2. Is there a workaround that we can implement?
>>
>> Regards,
>>
>> Ganesh
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/099ee631-39d7-4d6a-b559-5e11a5f32467%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/099ee631-39d7-4d6a-b559-5e11a5f32467%40apereo.org?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6be7f13b-7aca-44c3-adb8-71229a694a06%40apereo.org.
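As an added example (not code from the CAS project or from anyone in this thread), the following Python models how a service registry like the one Andy points at decides whether a TARGET/service URL is authorized, and why a catch-all definition turns the login endpoint into the open redirect the auditor reported. The JSON bodies are constructed: the first approximates the default HTTPSandIMAPS-10000001.json as I recall it (an assumption; compare it against the linked file), the second is a hypothetical definition for a fictitious app.mydomain.com application. Matching is simplified to a whole-URL regex match and does not claim to reproduce the exact semantics of CAS's RegexRegisteredService.

```python
"""Toy model of CAS-style service-registry matching for a TARGET URL.

Added example, not Apereo CAS code. Service definitions are constructed
inline; see the comments on each one for what is assumed.
"""
import json
import re
from typing import List, Optional

# Constructed: approximation of the default catch-all definition that ships
# as HTTPSandIMAPS-10000001.json (assumption: field values as recalled).
DEFAULT_HTTPS_AND_IMAPS = json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps)://.*",
    "name": "HTTPS and IMAPS",
    "id": 10000001,
    "evaluationOrder": 10000,
})

# Constructed, hypothetical: a definition that pins one application.
# The dots are escaped so "." means a literal dot, not "any character",
# and the anchored path group keeps "app.mydomain.com.evil.example" out.
MY_APP_ONLY = json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": r"^https://app\.mydomain\.com(/.*)?$",
    "name": "My application",
    "id": 1,
    "evaluationOrder": 1,
})


class ServiceRegistry:
    """In-memory stand-in for a directory of CAS JSON service files."""

    def __init__(self, *definitions: str):
        # Lower evaluationOrder is consulted first, as in CAS.
        self.services = sorted(
            (json.loads(d) for d in definitions),
            key=lambda s: s.get("evaluationOrder", 0),
        )
        for s in self.services:
            s["_pattern"] = re.compile(s["serviceId"])

    def find_service(self, url: str) -> Optional[dict]:
        """Return the first definition whose serviceId matches the whole URL."""
        for s in self.services:
            if s["_pattern"].fullmatch(url):
                return s
        return None

    def is_authorized(self, url: str) -> bool:
        """A URL with no matching definition gets 'application not authorized'."""
        return self.find_service(url) is not None

    def catch_all_definitions(self, probe: str = "https://attacker.example/") -> List[str]:
        """Audit check: names of definitions that accept a clearly foreign URL.

        Run this over every JSON file in the services directory; any hit is a
        definition that makes /login?TARGET=<anything https> redirect freely.
        """
        return [s["name"] for s in self.services if s["_pattern"].fullmatch(probe)]


def main() -> None:
    target = "https://yahoo.com"
    with_default = ServiceRegistry(DEFAULT_HTTPS_AND_IMAPS, MY_APP_ONLY)
    hardened = ServiceRegistry(MY_APP_ONLY)
    print("default present :", target, "->", with_default.find_service(target)["name"])
    print("default removed :", target, "->", hardened.is_authorized(target))
    print("catch-all audit :", with_default.catch_all_definitions())


if __name__ == "__main__":
    main()
```

The two registries differ only in whether the catch-all file is present: with it, yahoo.com is matched by "HTTPS and IMAPS" and the redirect goes through; without it, the same URL is rejected, which is the behaviour Arnold sees on his v5.2 instance. The `catch_all_definitions` probe is the check worth running against a real services directory after the fix, since a hand-written pattern with unescaped dots or a missing anchor can reintroduce the same hole.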
