diff --git a/SOURCES/0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch b/SOURCES/0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
new file mode 100644
index 0000000..7f5971a
--- /dev/null
+++ b/SOURCES/0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
@@ -0,0 +1,49 @@
+From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
+From: Olav Morken
+Date: Wed, 25 Jul 2018 12:19:39 +0200
+Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
+
+The code was looking for "X-Request-With", but the header is actually
+"X-Requested-With". As far as I can tell, it has always been the
+latter, at least in the jQuery source code.
+
+Fixes issue #174.
+---
+ README.md | 2 +-
+ auth_mellon_handler.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/README.md b/README.md
+index 0a91dc5..8d85b43 100644
+--- a/README.md
++++ b/README.md
+@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
+ # then we will redirect him to the login page of the IdP.
+ #
+ # There is a special handling of AJAX requests, that are
+- # identified by the "X-Request-With: XMLHttpRequest" HTTP
++ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
+ # header. Since no user interaction can happen there,
+ # we always fail unauthenticated (not logged in) requests
+ # with a 403 Forbidden error without redirecting to the IdP.
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index b16dc45..e33e6e9 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
+ * If this is an AJAX request, we cannot proceed to the IdP,
+ * Just fail early to save our resources
+ */
+- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
++ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
+ if (ajax_header != NULL &&
+ strcmp(ajax_header, "XMLHttpRequest") == 0) {
+ AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
+- "Deny unauthenticated X-Request-With XMLHttpRequest "
++ "Deny unauthenticated X-Requested-With XMLHttpRequest "
+ "(AJAX) request");
+ return HTTP_FORBIDDEN;
+ }
+--
+2.20.1
+
diff --git a/SOURCES/0004-CVE_2019_13038.patch b/SOURCES/0004-CVE_2019_13038.patch
new file mode 100644
index 0000000..f04a4e4
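Review bot: The value check on the corrected `X-Requested-With` lookup is still an exact `strcmp` against "XMLHttpRequest", so a client that sends the header with different casing takes the redirect-to-IdP path instead of the early 403 the comment above promises for AJAX callers. `apr_table_get` matches the header name case-insensitively, but nothing normalises the value; if every XMLHttpRequest client is meant to be caught, the one-line change is `strcasecmp(ajax_header, "XMLHttpRequest") == 0` in place of the `strcmp`. Because the header is entirely client-supplied, this branch only chooses 403-versus-redirect for requests that are already unauthenticated and must not be read as an access check, which the comment above the lookup should say, e.g. `/* Client-supplied hint: only selects 403 vs. IdP redirect for unauthenticated requests. */`. `am_auth_mellon_user` starts and ends outside the quoted hunk.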
--- /dev/null
+++ b/SOURCES/0004-CVE_2019_13038.patch
@@ -0,0 +1,28 @@
+From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
+From: Valentin
+Date: Fri, 6 Sep 2019 13:30:36 +0300
+Subject: [PATCH] Update auth_mellon_mode.c
+
+Fix open redirect CVE-2019-13038
+---
+ auth_mellon_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index fd442f9..7dff61e 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
+
+ /* Sanity check of the scheme of the domain. We only allow http and https. */
+ if (uri.scheme) {
++ /* http and https schemes without hostname are invalid. */
++ if (!uri.hostname) {
++ return HTTP_BAD_REQUEST;
++ }
+ if (strcasecmp(uri.scheme, "http")
+ && strcasecmp(uri.scheme, "https")) {
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
+--
+2.21.0
+
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index 61ae66c..d368414 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
Version: 0.14.0
-Release: 2%{?dist}.4
+Release: 8%{?dist}
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
@@ -23,6 +23,8 @@ Url: https://github.com/UNINETT/mod_auth_mellon
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
+Patch0003: 0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
+Patch0004: 0004-CVE_2019_13038.patch
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated
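Review bot: The new `if (!uri.hostname)` rejection in `am_validate_redirect_url` returns `HTTP_BAD_REQUEST` silently, while the scheme check immediately below it logs through `AM_LOG_RERROR` before rejecting, so a redirect URL that carries a scheme but no host (the case this backport closes) leaves no trace in the error log for operators watching for probing. Adding the same log call keeps the two rejections consistent, e.g. `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, "Invalid redirect URL: scheme without hostname");` before the `return`. The embedded patch's own Subject line reads `Update auth_mellon_mode.c` although the only file it touches is `auth_mellon_util.c`; correcting that in the SOURCES file keeps the backport traceable. The rest of `am_validate_redirect_url`, including the path taken when `uri.scheme` is absent, is outside the hunk.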
@@ -39,6 +41,8 @@ received in assertions generated by a IdP server.
%setup -q -n %{name}-%{version}
%patch1 -p1
%patch2 -p1
+%patch3 -p1
+%patch4 -p1

%build
export APXS=%{_httpd_apxs}
@@ -110,23 +114,33 @@ in the doc directory for instructions on using the diagnostics build.
%dir /run/%{name}/
%changelog
-* Mon Apr 8 2019 Jakub Hrozek - 0.14.0-2.4
-- Actually apply the patch in the previous build
-- Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect
+* Wed Oct 9 2019 Jakub Hrozek - 0.14.0-8
+- Resolves: rhbz#1731052 - CVE-2019-13038 mod_auth_mellon: an Open Redirect via
+ the login?ReturnTo= substring which could facilitate
+ information theft [rhel-7]
+
+* Tue Aug 6 2019 Jakub Hrozek - 0.14.0-7
+- Resolves: rhbz#1727789 - mod_auth_mellon fix for AJAX header name
+ X-Requested-With
+
+* Tue Apr 2 2019 Jakub Hrozek - 0.14.0-6
+- Apply the patch from the previous commit
+- Resolves: rhbz#1692470 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
[rhel-7]
-* Mon Apr 8 2019 Jakub Hrozek - 0.14.0-2.3
-- Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect
+* Tue Apr 2 2019 Jakub Hrozek - 0.14.0-5
+- Resolves: rhbz#1692470 - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
- [rhel-7] [rhel-7.6.z]
+ [rhel-7]
-* Mon Apr 8 2019 Jakub Hrozek - 0.14.0-2.2
-- Resolves: rhbz#1697487 - mod_auth_mellon Cert files name wrong when
- hostname contains a number
+* Fri Mar 22 2019 Jakub Hrozek - 0.14.0-4
+- Resolves: rhbz#1576719 - ECP flow not triggering, instead client access
+ secured resources without ECP authentication
-* Fri Mar 22 2019 Jakub Hrozek - 0.14.0-2.1
-- Resolves: rhbz#1692455 - CVE-2019-3878 mod_auth_mellon: authentication
- bypass in ECP flow [rhel-7.6.z]
+* Tue Mar 5 2019 Jakub Hrozek - 0.14.0-3
+- Resolves: rhbz#1652980 - mod_auth_mellon Cert files name wrong when
+ hostname contains a number
* Fri Jun 1 2018 - 0.14.0-2
- Resolves: rhbz#1553885