Hi Ganesh,

There is a default service that will secretly enable all https-based services, called "HTTPSandIMAPS-10000001.json":
https://github.com/apereo/cas/blob/master/webapp/resources/services/HTTPSandIMAPS-10000001.json

Refer to this for how to disable such a service:
https://groups.google.com/a/apereo.org/forum/#!msg/cas-user/yD9WXk3n1K8/Hy0ssGBiAAAJ;context-place=forum/cas-user

See if this is your problem?

Cheers!
- Andy

On Thursday, 27 September 2018 15:49:28 UTC+8, Bergner, Arnold wrote:
>
> Hi Ganesh,
>
> when I submit "/login?TARGET=https://yahoo.com" to our cas v5.2, I get an
> "application not authorized" error, so no redirection is happening.
>
> Maybe it's a hole resulting from your service definitions?
>
> Regards,
> Arnold
>
> From: [email protected] [mailto:[email protected]] On behalf of Ganesh Prasad
> Sent: Thursday, 27 September 2018 08:31
> To: CAS Community <[email protected]>
> Subject: [cas-user] TARGET URL parameter associated with samlValidate can be misused to redirect to malicious sites (?)
>
> Hi,
>
> We recently commissioned a third-party security audit of our application,
> and one of the findings was this:
>
> Cross-Site Redirection (Medium Impact, Moderate Difficulty in exploiting)
>
> If one pastes this string into the browser
> https://cas.mydomain.com/cas/login?TARGET=https://yahoo.com
>
> then, after authentication, the browser is redirected without complaint to
> yahoo.com.
>
> The report said in detail:
>
> "The application was found to take a URL as a parameter to determine
> where to direct the user. <Consultant> found that this URL can be any value
> allowing an attacker to insert a malicious URL that can be used to redirect
> to an external site before or after authentication.
>
> A link to the login page, containing this URL could therefore be created,
> which can then be sent to a victim (e.g. as an email phishing attack). When
> the victim accesses this link, they are initially sent to the valid site.
> After authentication they can be redirected to a third party site without
> their knowledge.
>
> This second site could be under the control of an attacker, and perform
> such actions as re-requesting their authentication details and performing a
> man-in-the-middle attack between the victim and the client's site,
> ultimately giving the attacker authenticated access to the application."
>
> My questions are:
>
> 1. Is this a security hole in CAS as suggested by the security auditor?
>
> 2. Is there a workaround that we can implement?
>
> Regards,
> Ganesh
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/099ee631-39d7-4d6a-b559-5e11a5f32467%40apereo.org.
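As an added illustration (not code from this thread or from the CAS project): the catch-all default service definition Andy points to, beside a narrowed replacement, with a small Python check of which TARGET URLs each one authorizes. It assumes regex-find semantics for serviceId matching (mimicked here with re.search) and uses a hypothetical application host, app.example.com.

```python
import json
import re

# Constructed service definitions in the shape of CAS JSON service files.
# DEFAULT_CATCH_ALL reproduces the pattern of the stock
# HTTPSandIMAPS-10000001.json mentioned in the thread: it authorizes any
# https:// or imaps:// URL, so any TARGET is an "authorized" service.
DEFAULT_CATCH_ALL = json.loads(r"""{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "evaluationOrder": 10000
}""")

# Hypothetical replacement: one application host, pattern anchored at both
# ends and dots escaped so only that host (and its paths) matches.
NARROWED = json.loads(r"""{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app\\.example\\.com(/.*)?$",
  "name": "Example App",
  "id": 1,
  "evaluationOrder": 1
}""")


def is_authorized(target_url: str, services: list) -> bool:
    """True if any registered service's serviceId regex matches target_url.

    Services are evaluated in evaluationOrder and the first hit wins.
    re.search mimics Java's Matcher.find() (assumed to be the CAS
    semantics), which is why the patterns above are anchored with ^ and $.
    """
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], target_url):
            return True
    return False


if __name__ == "__main__":
    for url in ("https://yahoo.com", "https://app.example.com/login"):
        print(url,
              "catch-all:", is_authorized(url, [DEFAULT_CATCH_ALL]),
              "narrowed:", is_authorized(url, [NARROWED]))
```

With the catch-all definition registered, the audit's TARGET=https://yahoo.com is authorized; with only the narrowed definition, CAS would answer "application not authorized" as Arnold observed.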
