Signal K Server OAuth2 Redirect URI Manipulation Vulnerability Allowing Authorization Code Theft
Vulnerability
A vulnerability in Signal K Server's OpenID Connect (OIDC) login and logout handlers allows OAuth2 authorization code theft and session hijacking. The handlers construct the redirect_uri, a critical component of the OIDC flow, from the unvalidated HTTP Host header. The vulnerability affects Signal K Server versions from 2.20.0 up to, but not including, 2.24.0. By default the redirectUri configuration option is unset, so the server falls back to the Host header; an attacker who can spoof that header can cause authorization codes to be sent to a domain they control. The risk is amplified in real-world deployments because the server's official documentation advises forwarding the Host header through Nginx.
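As an added example (not Signal K Server's own code), the pattern the advisory describes beside a hardened form: the unsafe function builds redirect_uri from the Host header, while the safe one uses an explicitly configured redirectUri or an operator-maintained host allowlist and rejects anything else. The callback path, function names and configuration keys are assumptions.

```javascript
// Added example, not code from Signal K Server. Shows how deriving
// redirect_uri from the Host header goes wrong and how to harden it.
// CALLBACK_PATH, the function names and the config keys are hypothetical.

const CALLBACK_PATH = '/auth/oidc/callback';

// Vulnerable pattern: trusts whatever Host the client (or a proxy that
// forwards Host unchanged) supplies, so a spoofed Host ends up in
// redirect_uri and the provider delivers the authorization code there.
function buildRedirectUriUnsafe(req) {
  const proto = req.headers['x-forwarded-proto'] || req.protocol || 'http';
  return `${proto}://${req.headers.host}${CALLBACK_PATH}`;
}

// Hardened pattern: prefer a configured absolute redirectUri. Without one,
// accept the Host header only if it is on the operator's allowlist, and
// never let the request choose the scheme. The same function should be used
// for the post-logout redirect so the logout handler is covered as well.
function buildRedirectUriSafe(req, config) {
  if (config.redirectUri) {
    return config.redirectUri;
  }
  const host = String(req.headers.host || '').toLowerCase();
  const allowed = (config.allowedHosts || []).map((h) => h.toLowerCase());
  if (!allowed.includes(host)) {
    throw new Error(`Host "${host}" is not an allowed redirect host`);
  }
  const proto = config.forceHttps ? 'https' : (req.protocol || 'http');
  return `${proto}://${host}${CALLBACK_PATH}`;
}

// Constructed sample requests (not captured traffic).
const legitReq = { protocol: 'https', headers: { host: 'signalk.example.org' } };
const spoofedReq = { protocol: 'https', headers: { host: 'attacker.invalid' } };

// Constructed configurations: the insecure default (nothing set) and a
// hardened one with an allowlist.
const defaultConfig = {};
const hardenedConfig = { allowedHosts: ['signalk.example.org'], forceHttps: true };
```

With defaultConfig the safe builder refuses every Host rather than silently trusting it, which is the behaviour an operator wants until redirectUri or allowedHosts is set.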
Impact
Exploitation of this vulnerability allows theft of OAuth authorization codes, which can be exchanged for tokens to hijack user sessions. The logout handler can likewise be abused to redirect users to an attacker-controlled domain after they log out, creating a phishing opportunity.
Reproduction
To reproduce this vulnerability, send a login request to the Signal K Server OIDC login endpoint with a spoofed Host header. The server responds with a redirect to the OIDC provider whose redirect_uri points at the domain from the spoofed header, so the authorization code is delivered there instead of to the legitimate host.
Remediation
Users can upgrade to Signal K Server version 2.24.0 or later, where this vulnerability has been patched.