How can that happen?
Normally, only registered service URLs are allowed to use CAS.
CAS logout is initiated from these applications. So how can an attacker inject
a malicious logout redirect URL?

Does the same problem apply for the service parameter on logout?

Sent from my iPhone

On 02.05.2012 at 19:48, "jleleu" <[email protected]> wrote:

> Hi,
> 
> Neither XML escaping nor an "http(s):" check will protect you against malicious
> redirect URLs like the one Marvin wrote:
> https://cas.example.com/cas/logout?url=https://thepiratebay.se.
> 
> We faced the same problem and we had to check the host of the redirect URL to
> avoid a security breach and unwanted redirections. You could do that with
> regexp pattern matching or a simple String.startsWith test (e.g.
> if (url.startsWith("http://www.authorizedurl.com/"))).
> 
> Best regards,
> Jérôme
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user

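As an added illustration of the host check Jérôme describes above (example code written for this thread, not CAS code and not part of the original messages), the following Python puts the String.startsWith prefix test next to a parse-the-URL-and-compare-the-host check against an allowlist. The allowlist hosts, the attacker hosts and the safe_logout_redirect helper are constructed assumptions for the example; a Java deployment would do the same with java.net.URI and getHost().

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts that a logout may redirect to.
# Assumption for this example: the deployer maintains this list.
ALLOWED_REDIRECT_HOSTS = frozenset({"www.authorizedurl.com", "app.example.org"})

# Fallback used when the requested redirect is rejected (assumed value).
FALLBACK_URL = "/cas/logout"


def prefix_check(url: str) -> bool:
    """Jérôme's suggestion: a startsWith test including the trailing slash."""
    return url.startswith("http://www.authorizedurl.com/")


def loose_prefix_check(url: str) -> bool:
    """The same test WITHOUT the trailing slash, to show why it matters."""
    return url.startswith("http://www.authorizedurl.com")


def host_check(url: str) -> bool:
    """Parse the URL and compare only its host against the allowlist.

    Rejects non-http(s) schemes (javascript:, data:, ...), scheme-relative
    URLs (//evil.example/), and userinfo tricks (allowed-host@evil.example),
    because urlsplit().hostname returns the real host, lower-cased, with any
    userinfo and port removed.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None:
        return False
    # Note: the port is deliberately ignored here; restrict it too if the
    # allowed services only run on known ports.
    return host in ALLOWED_REDIRECT_HOSTS


def safe_logout_redirect(url: str) -> str:
    """Return the requested URL only if its host is allowed, else the fallback."""
    return url if host_check(url) else FALLBACK_URL


def compare(urls):
    """Evaluate each constructed URL under the three checks, for the demo."""
    return {
        u: (loose_prefix_check(u), prefix_check(u), host_check(u)) for u in urls
    }


if __name__ == "__main__":
    # Constructed sample inputs: the thread's example plus common bypass shapes.
    samples = [
        "https://thepiratebay.se",
        "http://www.authorizedurl.com/",
        "https://www.authorizedurl.com/",
        "http://WWW.AuthorizedURL.com/done",
        "http://www.authorizedurl.com.evil.example/",
        "http://www.authorizedurl.com@evil.example/",
        "//evil.example/",
        "javascript:alert(1)",
    ]
    print(f"{'url':48} loose  slash  host")
    for u, (loose, slash, host) in compare(samples).items():
        print(f"{u:48} {loose!s:6} {slash!s:6} {host!s}")
```

Two things the table makes visible: the prefix test without the trailing slash accepts "www.authorizedurl.com.evil.example" and "www.authorizedurl.com@evil.example", so the slash Jérôme wrote is load-bearing; and even with the slash, the prefix test rejects the https and mixed-case forms of the legitimate host while the host comparison accepts them and still rejects every attacker-controlled host.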
