| Field | Value |
|---|---|
| Title | lemonldap lemonldap-ng ca7af863ac5f60d127ba01e8661c0365be374d4b Open Redirect |

## Description

- Title: Unauthenticated Open Redirect in SAML Common Domain Cookie (CDC) Endpoint
- Package: lemonldap-ng
- Affected Versions: all versions (confirmed on commit ca7af86, version 2.23.0)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE: CWE-601 -- URL Redirection to Untrusted Site (Open Redirect)
## GitHub Advisory
### Summary
The SAML Common Domain Cookie (CDC) endpoint accepts a base64-encoded URL parameter and issues an unauthenticated HTTP 302 redirect to the decoded URL with no scheme, host, or path validation. Any unauthenticated attacker can use this endpoint to redirect victims to arbitrary external URLs, enabling phishing campaigns that appear to originate from a trusted identity provider domain.
### Details
The vulnerable code is in `lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm:144-167`:
```perl
# Redirect if needed
if ( my $url = $req->param('url') ) {
    # Decode URL
    if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
        return $self->sendError( $req, "Bad URL", 400 );
    }
    my $urldc = decode_base64($url);
    # Add CDC IDP in return URL if needed
    $urldc .= ( $cdc_idp ? ... : '' );
    # Redirect
    return $self->sendRedirection( $req, URI->new($urldc)->as_string, );
}
```
The validation at line 147 only checks that the raw `url` parameter contains valid base64 characters (`[A-Za-z0-9+/=]`). This does not validate the decoded URL in any way. After decoding, any URL can be embedded in the Location header, including `https://attacker.example.com` and protocol-relative URLs.
A code comment in the same function at lines 75-80 explicitly acknowledges that URL origin validation was intentionally deferred and never implemented:
```perl
# TODO: Control URL
#my $control_url = $self->_sub('controlUrlOrigin');
#unless ( $control_url == PE_OK ) {
#    $self->logger->error( "[CDC] Bad URL");
#    return $control_url;
#}
```
By contrast, the main portal's `controlUrl()` method in `lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm:193-208` performs multiple URL safety checks: an XSS attack check (`checkXSSAttack`), a structural URL format check (`URIRE`), and a vhost allowlist check to ensure the redirect target is a protected resource registered in the portal configuration. The CDC module extends `Lemonldap::NG::Common::PSGI`, not the full portal, and has no access to these methods.
The CDC endpoint is a standalone PSGI application designed to be publicly accessible without authentication as part of the SAML federation flow. No session or authentication cookie is required to trigger the redirect.
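As an added defender-side example (not LemonLDAP::NG code), the origin check the commented-out TODO stands in for, written in Python against an assumed vhost allowlist, plus a scan of constructed access-log lines for CDC requests whose decoded `url` lands outside that allowlist:

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the vhosts this portal protects (assumed names).
ALLOWED_HOSTS = {"sso.corp.example.com", "app.corp.example.com"}
# Same character-class check CDC.pm applies to the raw 'url' parameter.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

def decode_cdc_url(param):
    """Decode the CDC 'url' parameter as CDC.pm does; None if not base64."""
    if not param or not B64_RE.match(param):
        return None
    try:
        return base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def is_allowed_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """The check CDC.pm left as a TODO: http(s) scheme and host on the vhost
    allowlist; protocol-relative targets ('//host') have no scheme and fail."""
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return (parts.hostname or "") in {h.lower() for h in allowed_hosts}

def flag_cdc_redirects(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (request_target, decoded_url) for /cdc requests whose base64
    'url' decodes to a redirect outside the allowlist."""
    findings = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (/\S*cdc\S*) ', line)
        if not m:
            continue
        _, _, query = m.group(1).partition("?")
        # Split by hand: parse_qs would turn '+', a base64 character, into a space.
        params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
        target = decode_cdc_url(params.get("url"))
        if target is not None and not is_allowed_redirect(target, allowed_hosts):
            findings.append((m.group(1), target))
    return findings

# Constructed access-log lines (not real traffic); the first is the PoC request.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/May/2026:10:24:01 +0000] "GET /cdc?action=read&url=aHR0cHM6Ly9hdHRhY2tlci5leGFtcGxlLmNvbQ== HTTP/1.1" 302 0',
    '198.51.100.7 - - [23/May/2026:10:25:13 +0000] "GET /cdc?url=aHR0cHM6Ly9hcHAuY29ycC5leGFtcGxlLmNvbS8= HTTP/1.1" 302 0',
    '198.51.100.9 - - [23/May/2026:10:26:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

Running `flag_cdc_redirects(SAMPLE_LOG)` reports only the first line; the second decodes to an allowlisted vhost and passes the check.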
### PoC
1. Encode any external URL in base64. For example, `https://attacker.example.com` encodes to `aHR0cHM6Ly9hdHRhY2tlci5leGFtcGxlLmNvbQ==`.
2. Send a request to the CDC endpoint (typically deployed at `/cdc` or `/lemonldap-ng/cdc`):
```
GET /cdc?action=read&url=aHR0cHM6Ly9hdHRhY2tlci5leGFtcGxlLmNvbQ== HTTP/1.1
Host: sso.your-org.example.com
```
3. The server responds with:
```
HTTP/1.1 302 Found
Location: https://attacker.example.com
```
The `action` parameter is not required to trigger the redirect; only `url` is needed. The redirect fires whenever `url` is present, regardless of whether `action=read` is also set.
### Impact
When the SAML Common Domain Cookie feature is enabled, any unauthenticated attacker can use the organization's SSO server hostname to redirect users to attacker-controlled websites. Because the initial request is made to the trusted identity provider domain (e.g., `sso.corp.example.com`), victims and security tools may not detect the redirect as malicious. This technique is commonly used for:
- Credential phishing pages that follow SSO brand conventions
- OAuth or SAML token theft by staging fake service provider pages
- Bypassing browser-based URL filters that allowlist the SSO domain

| Field | Value |
|---|---|
| Source | ⚠️ https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng |
| User | geochen (UID 78995) |
| Submission | 23/05/2026 10:24 (1 month ago) |
| Moderation | 21/06/2026 06:09 (29 days later) |
| Status | Accepted |
| VulDB Entry | 372598 [lemonldap-ng up to 2.23.0 SAML Common Domain Cookie Endpoint CDC.pm url Redirect] |
| Points | 20 |