By: Gulati Singh user 16 Jan 2019 at 12:46 p.m. CST

Description:
Unvalidated redirects help an attacker trick the user into being redirected to a malicious or untrusted site. The main cause of this issue is that the subdomains that belong only to Gluu are not whitelisted. An attacker can simply send the provided link to any Gluu user, which redirects the user to a malicious site that does not belong to Gluu.

Steps to Reproduce:
1. Go to https://accounts.gluu.org/oxauth/authorize?scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fevil.com%2Fcallback&state=ffqe3h84j67c1u261sfb3nkuo4&nonce=fmrbuqo593n27rm8ieiso8moul&client_id=%40%21A578.3242.DCA8.432A%210001%211DF4.0E33%210008%21BAAF.2347.9FC9.E592
2. If the user is already logged in to his/her Gluu account, he/she will be redirected to evil.com.
3. If the user is not logged in, he/she will be redirected to https://accounts.gluu.org/oxauth/login.
4. Enter the username and password in the respective fields and click the "Login" button.
5. It will redirect to evil.com.

Impact:
An attacker can trick the victim and get their Gluu login credentials by redirecting them to an untrusted or malicious site.

Solution:
Either restrict the domain or whitelist the domains that belong to you.

Do let me know if you need more info.

Regards,
Gulati
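The fix the report asks for (restrict redirect_uri to values registered for the client) is shown below as an added example; it is not Gluu's code and not part of the original post. The client id, hostnames, state and nonce are constructed placeholders, and the registry dictionary stands in for whatever store an authorization server keeps client registrations in. The weak suffix check is included only for contrast with the exact-match check that an OAuth 2.0 / OpenID Connect authorize endpoint should perform.

```python
"""Exact-match redirect_uri validation for an OAuth 2.0 / OpenID Connect authorize endpoint."""
from urllib.parse import parse_qs, urlsplit

# Constructed registry: the redirect URIs pre-registered per client. The client id and
# hosts are placeholders for this example, not real Gluu values.
REGISTERED_REDIRECT_URIS = {
    "CLIENT_ID_PLACEHOLDER": {
        "https://accounts.example-gluu.test/oxauth/callback",
        "https://app.example-gluu.test/login/callback",
    },
}

# Constructed authorize request with the same shape as the one in the report, using a
# placeholder client id and an attacker-controlled redirect_uri.
SAMPLE_EVIL_AUTHORIZE = (
    "https://accounts.example-gluu.test/oxauth/authorize"
    "?scope=openid+profile+email&response_type=code"
    "&redirect_uri=https%3A%2F%2Fevil.com%2Fcallback"
    "&state=STATE_PLACEHOLDER&nonce=NONCE_PLACEHOLDER"
    "&client_id=CLIENT_ID_PLACEHOLDER"
)


def host_suffix_only(redirect_uri: str, owned_domain: str = "example-gluu.test") -> bool:
    """Weak check, kept for contrast: accepts any host whose name merely ends with the
    owned domain string, so a host such as evil-example-gluu.test passes. Not a fix."""
    return (urlsplit(redirect_uri).hostname or "").endswith(owned_domain)


def is_allowed_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Strict check: redirect_uri must equal one of the URIs registered for client_id.

    RFC 6749 section 3.1.2 and OpenID Connect require comparison against pre-registered
    values; exact string matching (case-folding only scheme and host) leaves no room for
    an attacker-chosen host, path or query.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered:
        return False  # unknown client: nothing registered, so nothing is allowed
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https" or parts.fragment or not parts.hostname:
        return False  # https only, no fragment (RFC 6749 section 3.1.2), host required
    normalized = parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower()).geturl()
    return normalized in registered


def authorize_request_decision(authorize_url: str) -> str:
    """Extract client_id and redirect_uri from an authorize request URL and decide.

    On "reject" the server must render an error page and must not redirect to the
    supplied redirect_uri at all, because redirecting there is the bug itself.
    """
    query = parse_qs(urlsplit(authorize_url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    return "allow" if is_allowed_redirect_uri(client_id, redirect_uri) else "reject"


if __name__ == "__main__":
    print(authorize_request_decision(SAMPLE_EVIL_AUTHORIZE))  # reject
```

The request from the report, with the attacker's redirect_uri, is rejected before any redirect happens, whether or not the user is already logged in; that is the point where steps 2 and 5 of the report would otherwise land the user on evil.com.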

By Michael Schwartz Account Admin 21 Jan 2019 at 2:46 a.m. CST

This issue was addressed a while ago in Gluu Server 3.1.4 (current version is 3.1.5). We just haven't updated this server yet.