SECURITY ADVISORY WSO2-2023-2972

Published: December 16, 2024

Version: 1.0.0

Severity: Low

CVSS Score: 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0
  • WSO2 Identity Server : 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
  • WSO2 Identity Server as Key Manager : 5.10.0

OVERVIEW

Potential open redirection vulnerability has been identified in the Logout flow.

DESCRIPTION

Due to the lack of validation in the logout url parameter, users could be redirected to the attacker control environment after the logging out.

IMPACT

During the logout flow, users may be redirected to an attacker-controlled page, where a phishing attack could be executed to obtain sensitive information or cause harm. However, this is only possible under specific preconditions.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:

Further, It is required to add the below configuration lines into the deployment.toml file for enabling logout flow redirection URL validation, along with given public PR.

[common_auth_caller_path]
enable_common_auth_caller_path_validation=true
In addition, it is necessary to configure the default redirection URL for redirecting the user in case logout flow redirection URL validation fails during deployment. To do this, please follow the steps below. * To apply logout flow redirection url validation globally in WSO2 Products, add the respective URL to the “default_url” parameter as mentioned below.
[common_auth_caller_path]
enable_common_auth_caller_path_validation=true
default_url=""
Please note that if the “default_url” is not configured, the user will be redirected to the default logout page of the WSO2 Server.

Moreover, to set the logout flow redirection URL validation value, add the respective URL or Regex information to the 'Logout Return URL or regex' parameter on the Management console under the following location: Management Console > Identity > Service Providers > Basic Information > Logout Return URL or regex

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.