By: Doug Harris named 27 Aug 2020 at 10:22 a.m. CDT

2 Responses
Our testing has identified a somewhat obscure redirect vulnerability in `AuthorizeRestWebServiceImpl.java`. As you know, section [3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) of the spec says: *Unless the Redirection URI is invalid*, the Authorization Server returns the Client to the Redirection URI specified in the Authorization Request with the appropriate error and state parameters.

We have discovered that it is possible to have oxAuth redirect the client to an arbitrary URL as follows:

1. Log in normally using a valid authentication request.
2. Send a second authentication request in which the value of the `acr_values` parameter is something invalid/unsupported and the value of `redirect_uri` is not one registered to the client.

In this case, the unsupported `acr` causes oxAuth to throw an AcrChangedException before the `redirect_uri` has been validated, and the [exception handler](https://github.com/GluuFederation/oxAuth/blob/210c9462b14146a97b34860e600945204098bbc1/Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java#L669-L678) then redirects the browser to the unvalidated URL.

We discovered this in 4.1, but I have also been able to reproduce it in 4.2.
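The ordering problem described in the report, as an added illustration that is not part of the ticket and not oxAuth's code: a hypothetical minimal authorization endpoint that checks `redirect_uri` against the client's registered URIs before any step that can throw, and whose exception handler only ever redirects to a value that already passed that check. The `Outcome` type, the `AcrChangedException` class, the registered URI set, the supported ACR list and the request maps are all constructed for the example.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

// Hypothetical model of an OIDC authorization endpoint; not oxAuth code.
public class RedirectUriOrdering {

    // Result of the endpoint: either a 302 with a Location, or a direct 400 error page.
    static final class Outcome {
        final int status;
        final String location; // set only for a redirect
        final String body;     // set only for a direct error
        private Outcome(int status, String location, String body) {
            this.status = status; this.location = location; this.body = body;
        }
        static Outcome redirect(String location) { return new Outcome(302, location, null); }
        static Outcome directError(String body) { return new Outcome(400, null, body); }
        @Override public String toString() {
            return status == 302 ? "302 Location: " + location : status + " " + body;
        }
    }

    // Stand-in for the exception named in the report: the requested ACR cannot be satisfied.
    static final class AcrChangedException extends RuntimeException {
        AcrChangedException(String msg) { super(msg); }
    }

    // Constructed sample data: the client's registered redirect URIs and the server's ACRs.
    static final Set<String> REGISTERED_REDIRECT_URIS = Set.of("https://client.example/cb");
    static final Set<String> SUPPORTED_ACRS = Set.of("basic", "otp");

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    static String stateParam(String state) {
        return state == null ? "" : "&state=" + enc(state);
    }

    static void checkAcr(String acrValues) {
        if (acrValues != null && !SUPPORTED_ACRS.contains(acrValues)) {
            throw new AcrChangedException("unsupported acr: " + acrValues);
        }
    }

    public static Outcome authorize(Map<String, String> params) {
        String state = params.get("state");
        // Holds redirect_uri only after it passed the allow-list check (exact string match),
        // so the exception handler below can never redirect to an unvalidated value.
        String validatedRedirectUri = null;
        try {
            String requested = params.get("redirect_uri");
            if (requested == null || !REGISTERED_REDIRECT_URIS.contains(requested)) {
                // Spec 3.1.2.6: an invalid redirection URI gets no redirect at all.
                return Outcome.directError("invalid_request: redirect_uri is not registered for this client");
            }
            validatedRedirectUri = requested;

            checkAcr(params.get("acr_values")); // may throw AcrChangedException

            // Remaining processing elided; a constructed code stands in for a real one.
            return Outcome.redirect(validatedRedirectUri + "?code=CONSTRUCTED_CODE" + stateParam(state));
        } catch (AcrChangedException e) {
            if (validatedRedirectUri == null) {
                // Defensive fallback: an exception raised before validation must not become a redirect.
                return Outcome.directError("invalid_request: " + e.getMessage());
            }
            return Outcome.redirect(validatedRedirectUri
                    + "?error=invalid_request&error_description=" + enc(e.getMessage())
                    + stateParam(state));
        }
    }

    public static void main(String[] args) {
        // Unsupported ACR, registered redirect_uri: the error travels back to the client.
        System.out.println(authorize(Map.of("redirect_uri", "https://client.example/cb",
                "acr_values", "nope", "state", "xyz")));
        // Unsupported ACR, unregistered redirect_uri: direct error page, no redirect.
        System.out.println(authorize(Map.of("redirect_uri", "https://unregistered.example/cb",
                "acr_values", "nope", "state", "xyz")));
        // Well-formed request: redirect with the (constructed) code and the caller's state.
        System.out.println(authorize(Map.of("redirect_uri", "https://client.example/cb",
                "acr_values", "basic", "state", "xyz")));
    }
}
```

The design point is that the validated URI lives in a variable the handler reads, rather than the handler re-reading the raw request parameter; any exception raised before the assignment sees `null` and falls back to a direct error, which is the behaviour section 3.1.2.6 requires for an invalid Redirection URI.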

By Yuriy Zabrovarnyy staff 27 Aug 2020 at 10:44 a.m. CDT

Thanks for the report, we will check in detail.

By Yuriy Zabrovarnyy staff 28 Aug 2020 at 2:18 a.m. CDT

It will be fixed in 4.2.1 within https://github.com/GluuFederation/oxAuth/issues/1456