SimpleSAMLphp-Casserver Open Redirect Vulnerability in Logout Endpoint

Vulnerability

A moderate-severity open redirect vulnerability has been identified in the SimpleSAMLphp-Casserver module, a CAS 1.0 and 2.0 compliant CAS server for SimpleSAMLphp. The issue is present in versions prior to 6.3.1 and 7.0.0-rc3. The logout endpoint accepts a 'url' query parameter and treats its value as trusted. Depending on the configuration, it either redirects the user straight to that URL or displays a logout confirmation page that links to it. The direct redirect occurs when 'enable_logout' is set to true and 'skip_logout_page' is also enabled; with 'skip_logout_page' disabled, the confirmation page still renders a link to the attacker-supplied URL.

Impact

Exploitation of this vulnerability allows open redirection: an attacker can craft a logout link on the legitimate CAS host that sends the user to an external URL of the attacker's choice. Because the link starts at the trusted CAS hostname, it lends credibility to whatever page the user lands on.

Reproduction

To reproduce this vulnerability, configure SimpleSAMLphp-Casserver with 'enable_logout' set to true and 'skip_logout_page' enabled. Then send a POST request to the logout endpoint with a 'url' query parameter pointing to an external site, such as Google. The server responds with an HTTP redirect whose Location header is the supplied URL, demonstrating the open redirect. With 'skip_logout_page' disabled, the same request instead returns the logout confirmation page with a link to that URL.
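The following Python script is an added example, not code from the advisory or from the SimpleSAMLphp-Casserver project. It automates the check above: it sends the POST with a 'url' parameter to a logout endpoint you supply, refuses to follow redirects, and classifies the response as an external redirect, a same-host redirect, or no redirect. It also shows a generic allowlist check for a logout target, which is a common mitigation pattern and an assumption here, not a description of how the project fixed the issue. The hostnames cas.example, app.example and evil.example in the self-test are constructed sample values, and the logout endpoint path is not taken from the page, so pass it in yourself.

```python
"""Probe a CAS logout endpoint for open redirection and show an allowlist check.

Added example, not part of the advisory or of SimpleSAMLphp-Casserver.
Hostnames below are constructed sample values; the logout endpoint path is
an assumption that the caller must supply.
"""
import urllib.error
import urllib.request
from typing import Iterable, Optional
from urllib.parse import urlencode, urljoin, urlsplit

EXTERNAL = "external-redirect"
INTERNAL = "same-host-redirect"
NONE = "no-redirect"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so we can inspect Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_redirect(request_url: str, status: int, location: Optional[str]) -> str:
    """Decide whether an HTTP response redirects off the host we asked.

    Resolving Location against the request URL handles the edge cases an
    open-redirect check must not miss: relative paths stay on the host,
    scheme-relative '//evil.example/' leaves it, and absolute URLs are
    compared by hostname rather than by string prefix.
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return NONE
    target = urlsplit(urljoin(request_url, location))
    origin = urlsplit(request_url)
    return INTERNAL if target.hostname == origin.hostname else EXTERNAL


def probe_logout(logout_url: str, target: str, timeout: float = 10.0) -> str:
    """Send the advisory's reproduction request and classify the answer.

    logout_url is the full URL of the casserver logout endpoint (assumed,
    not given on the page); target is the external URL placed in ?url=.
    This performs a network request and is not exercised by the self-test.
    """
    url = f"{logout_url}?{urlencode({'url': target})}"
    req = urllib.request.Request(url, data=b"", method="POST")
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_redirect(url, resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # With NoRedirect installed, a 3xx surfaces here as an HTTPError.
        return classify_redirect(url, err.code, err.headers.get("Location"))


def safe_logout_target(url_param: Optional[str], cas_base: str,
                       allowed_hosts: Iterable[str], fallback: str = "/") -> str:
    """Allowlist check for a user-supplied logout target (mitigation pattern,
    an assumption and not the project's own fix).

    Only http(s) URLs whose resolved hostname is in allowed_hosts are honoured;
    scheme-relative, foreign-host and javascript: values fall back to a fixed
    page on the CAS server.
    """
    if not url_param:
        return fallback
    resolved = urlsplit(urljoin(cas_base, url_param))
    if resolved.scheme not in ("http", "https"):
        return fallback
    if resolved.hostname not in set(allowed_hosts):
        return fallback
    return resolved.geturl()


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <logout-endpoint-url> <external-target-url>")
    print(probe_logout(sys.argv[1], sys.argv[2]))
```

Run it as `python probe.py https://cas.example/<logout-endpoint> https://www.google.com/`; a result of external-redirect against a server with 'skip_logout_page' enabled confirms the redirect variant. The classifier deliberately resolves Location against the request URL instead of checking whether the header starts with the CAS origin, because a scheme-relative value such as //evil.example/ would pass a naive prefix test.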

Remediation

Users should upgrade to SimpleSAMLphp-Casserver 6.3.1 on the 6.x line, or to 7.0.0 (the fix is included from 7.0.0-rc3), to address this vulnerability. Where an upgrade cannot be applied immediately, setting 'enable_logout' to false removes the affected logout behaviour, at the cost of CAS-initiated logout.

Added: May 18, 2026, 8:26 PM
Updated: May 18, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 7.5
remediation: 0.0
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.