RH-SSO does not validate the URL redirection to untrusted site during logout
Issue
- RH-SSO does not appear to validate that the URL supplied for redirection after logout is a valid and safe destination before sending the user there. This is a potential security issue (an open redirect to an untrusted site).
Environment
- Red Hat Single Sign-On (RH-SSO)
- 7
- Logout
- Redirecting the user to a different URL by passing the untrusted destination in the redirect_uri parameter of the logout endpoint. For example:
http://localhost:8080/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://www.unsafewebsite.com
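The following is an added example, not RH-SSO's own code, showing the kind of check a logout endpoint needs before honouring redirect_uri: the requested URI is accepted only if its scheme, host, port and path match a URI registered for the client (RH-SSO exposes such a list as the client's "Valid Redirect URIs"; the entries, the fallback page and the function names below are constructed for illustration). Comparing on the parsed hostname rather than the raw string means userinfo tricks, scheme-relative URLs and non-http schemes are all rejected, and the example logout URL from this article falls back to the server's own page.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example. In RH-SSO the equivalent data is the
# client's registered "Valid Redirect URIs"; these values are hypothetical.
REGISTERED_REDIRECT_URIS = [
    "http://localhost:8080/app/*",            # trailing '*' = prefix match on the path
    "https://portal.example.com/logged-out",  # exact match
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def _components(uri):
    """Split a URI into (scheme, host, port, path), lowercasing scheme and host
    and filling in the default port. Using .hostname ignores any userinfo, so
    'http://localhost:8080@evil.example/' resolves to host 'evil.example'."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def is_safe_redirect(requested, registered=REGISTERED_REDIRECT_URIS):
    """Return True only if 'requested' matches a registered pattern on scheme,
    host, port and path. Other hosts or ports, scheme-relative '//host' forms,
    non-http(s) schemes and malformed URIs are all rejected (fail closed)."""
    if not requested:
        return False
    try:
        r_scheme, r_host, r_port, r_path = _components(requested)
    except ValueError:  # e.g. a non-numeric port in the netloc
        return False
    if r_scheme not in DEFAULT_PORTS or not r_host:
        return False
    for pattern in registered:
        wildcard = pattern.endswith("*")
        p_scheme, p_host, p_port, p_path = _components(pattern[:-1] if wildcard else pattern)
        if (r_scheme, r_host, r_port) != (p_scheme, p_host, p_port):
            continue
        if wildcard and r_path.startswith(p_path):
            return True
        if not wildcard and r_path == p_path:
            return True
    return False


def logout_redirect_target(requested, fallback):
    """Decide where to send the browser after logout: the requested URI if it
    passes validation, otherwise the server's own fallback page."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed fallback page; the second URI is the redirect_uri from the article.
    fallback = "https://sso.example.com/logged-out"
    for uri in ["http://localhost:8080/app/done",
                "http://www.unsafewebsite.com",
                "http://localhost:8080@www.unsafewebsite.com/app/",
                "//www.unsafewebsite.com"]:
        print(uri, "->", logout_redirect_target(uri, fallback))
```

Run the block directly to see each candidate URI and where the user would actually be sent; only the first one is honoured, the rest resolve to the fallback page.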