I think Andy's right here... when I try this on my CAS server, which does
*not* have the wildcard service registry entry, I get (correctly)
redirected to the "Application not authorized to use SSO" page.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


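An added example (not code from CAS or from anyone in this thread) that mimics how a CAS regex service registry decides whether a TARGET URL is authorized, so you can audit your own registry for catch-all entries. The wildcard pattern is the one I understand HTTPSandIMAPS-10000001.json to ship with (an assumption); the "My App" entry and the probe host are constructed.

```python
"""Audit a CAS-style service registry for catch-all service definitions.

Simplified model of CAS RegexRegisteredService matching: a service URL is
authorized when some registered serviceId regex matches it, lowest
evaluationOrder first. Real CAS applies more rules; this is enough to show
why a wildcard entry turns TARGET into an open redirect.
"""
import re

# Assumed to mirror the default HTTPSandIMAPS-10000001.json shipped with CAS.
WILDCARD_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps)://.*",
    "name": "HTTPS and IMAPS",
    "id": 10000001,
    "evaluationOrder": 10000,
}
# Constructed: a tightly scoped definition for one real application.
MYAPP_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": r"^https://myapp\.mydomain\.com(/.*)?$",
    "name": "My App",
    "id": 1,
    "evaluationOrder": 1,
}


def find_matching_service(registry, service_url):
    """Return the first registered service whose serviceId matches, else None."""
    for svc in sorted(registry, key=lambda s: s["evaluationOrder"]):
        if re.match(svc["serviceId"], service_url):
            return svc
    return None


def is_authorized(registry, service_url):
    return find_matching_service(registry, service_url) is not None


def wildcard_entries(registry):
    """Names of definitions that accept a host nobody registered (audit check)."""
    probe = "https://unregistered.example/"  # constructed, never a real service
    return [s["name"] for s in registry if re.match(s["serviceId"], probe)]


if __name__ == "__main__":
    registry = [WILDCARD_SERVICE, MYAPP_SERVICE]
    for url in ("https://myapp.mydomain.com/login", "https://yahoo.com"):
        print(url, "->", is_authorized(registry, url))
    print("catch-all definitions:", wildcard_entries(registry))
    print("yahoo.com without wildcard ->", is_authorized([MYAPP_SERVICE], "https://yahoo.com"))
```

With the wildcard present, https://yahoo.com is authorized; with only the scoped definition it is not, which is the "Application not authorized" behaviour Dave and Arnold see.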

On Thu, Sep 27, 2018 at 5:15 AM Andy Ng <long...@gmail.com> wrote:

> Hi Ganesh,
>
> There is a default service that will secretly enable all https based
> service called "HTTPSandIMAPS-10000001.json"
>
> https://github.com/apereo/cas/blob/master/webapp/resources/services/HTTPSandIMAPS-10000001.json
>
> Refer to this to how to disable such service:
>
> https://groups.google.com/a/apereo.org/forum/#!msg/cas-user/yD9WXk3n1K8/Hy0ssGBiAAAJ;context-place=forum/cas-user
>
> See if this is your problem?
>
> Cheers!
> - Andy
>
>
> On Thursday, 27 September 2018 15:49:28 UTC+8, Bergner, Arnold wrote:
>>
>> Hi Ganesh,
>>
>> when I submit “/login?TARGET=https://yahoo.com” to our cas v5.2, I get
>> an “application not authorized” error, so no redirection is happening.
>>
>> Maybe it’s a hole resulting from your service definitions?
>>
>> Regards,
>>
>> Arnold
>>
>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On behalf of *Ganesh
>> Prasad
>> *Sent:* Thursday, 27 September 2018 08:31
>> *To:* CAS Community <cas-...@apereo.org>
>> *Subject:* [cas-user] TARGET URL parameter associated with samlValidate
>> can be misused to redirect to malicious sites (?)
>>
>> Hi,
>>
>> We recently commissioned a third-party security audit of our application,
>> and one of the findings was this:
>>
>> Cross-Site Redirection (Medium Impact, Moderate Difficulty in exploiting)
>>
>> If one pastes this string into the browser
>> https://cas.mydomain.com/cas/login?TARGET=https://yahoo.com
>>
>> then, after authentication, the browser is redirected without complaint
>> to yahoo.com.
>>
>> The report said in detail:
>>
>> "The application was found to take a URL as a parameter to determine
>> where to direct the user. <Consultant> found that this URL can be any value
>> allowing an attacker to insert a malicious URL that can be used to redirect
>> to an external site before or after authentication.
>>
>> A link to the login page, containing this URL could therefore be created,
>> which can then be sent to a victim (e.g. as an email phishing attack). When
>> the victim accesses this link, they are initially sent to the valid site.
>> After authentication they can be redirected to a third party site without
>> their knowledge.
>>
>> This second site could be under the control of an attacker, and perform
>> such actions as re-requesting their authentication details and performing a
>> man-in-the-middle attack between the victim and the client's site,
>> ultimately giving the attacker authenticated access to the application."
>>
>> My questions are:
>>
>> 1. Is this a security hole in CAS as suggested by the security auditor?
>>
>> 2. Is there a workaround that we can implement?
>>
>> Regards,
>>
>> Ganesh
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/099ee631-39d7-4d6a-b559-5e11a5f32467%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/099ee631-39d7-4d6a-b559-5e11a5f32467%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
