UAG 2010 SP1 redirection issue

All replies

  • Hi Ajayt,

    I can confirm this redirect issue. It indeed has good phishing potential when the user gets redirected to a second, external login.asp which presents a login denied message and gives the opportunity to try again. If the external site then redirected to the first URL, the users would most likely not notice the phishing attack, since the user finally gets site access ^^

    My first thought was to write custom postpostvalidate.inc code to check whether the orig_url contains external URLs. But on first look it seems that other sites (e.g. initparms.aspx) can be misused to redirect before the user logs in and would therefore bypass the postpostvalidate.inc code :(

    Thanks for reporting! Hope the devs will address this issue soon.

    -Kai

    Wednesday, September 7, 2011 2:45 AM
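The check Kai sketches above (rejecting an orig_url that points off-site) written out as an added example in Python rather than UAG's own ASP include files; it is not code from this thread, from UAG, or from Microsoft. It assumes a hypothetical allow-list of the portal's own hostnames, and the design point taken from the thread is that the same test has to sit in front of every redirect the portal issues, not only in postpostvalidate.inc, because pages such as initparms.aspx redirect before login and would otherwise bypass it.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the portal's own hostnames (hypothetical; not a UAG setting).
PORTAL_HOSTS = frozenset({"portal.example"})

# Only these schemes may appear in an absolute redirect target.
_ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect_target(target: str, allowed_hosts: frozenset = PORTAL_HOSTS) -> bool:
    """Return True only if `target` keeps the browser on one of `allowed_hosts`.

    Accepted: a site-relative path ("/secure/home.aspx") or an absolute
    http(s) URL whose hostname is in the allow-list. Everything else is
    rejected, including the usual ways of smuggling an external host past a
    naive prefix check (protocol-relative "//host", backslashes, userinfo
    tricks like "allowed@evil", a scheme with a single slash, embedded
    whitespace or control characters).
    """
    if not target:
        return False
    t = target.strip()
    # Whitespace or control characters inside the value are never legitimate
    # in a redirect target and are exactly what URL parsers disagree about.
    if any(c.isspace() or ord(c) < 0x20 for c in t):
        return False
    # Browsers treat a leading backslash like a slash, so "\\host" or "/\host"
    # becomes a protocol-relative URL to an external host.
    if t.startswith(("//", "\\", "/\\")):
        return False
    try:
        parts = urlsplit(t)
    except ValueError:
        # e.g. malformed IPv6 literal in the host part
        return False
    if parts.scheme:
        if parts.scheme.lower() not in _ALLOWED_SCHEMES:
            return False          # javascript:, data:, file:, ...
        if not parts.netloc:
            return False          # "http:/evil.example" is parsed by browsers as http://evil.example
        host = (parts.hostname or "").lower()   # hostname drops userinfo and port
        return host in allowed_hosts
    if parts.netloc:
        return False              # scheme-less but with an authority part
    # Relative target: require an explicit site-relative path.
    return t.startswith("/")


def safe_redirect(target: str, fallback: str = "/", allowed_hosts: frozenset = PORTAL_HOSTS) -> str:
    """Return `target` if it passes the check, otherwise the portal's own fallback page.

    This is the call every redirect sink (login page, pre-login helper pages,
    post-validate hook) should make before writing a Location header.
    """
    return target if is_safe_redirect_target(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample values a portal might receive in orig_url.
    samples = [
        "/secure/home.aspx",
        "https://portal.example/secure/home.aspx",
        "//evil.example/login.asp",
        "https://evil.example/login.asp",
        "https://portal.example@evil.example/",
        "http:/evil.example",
        "\\\\evil.example",
        "javascript:void(0)",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect(s)!r}")
```

The function answers one question only: does this value keep the user on the portal? It deliberately does not try to "clean" an external URL into an internal one; anything that fails the check is replaced by a fixed local page, so a user who followed a tampered link lands on the portal's own start page instead of a look-alike login form.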
  • Thanks, Kai, for confirming that I am not the only one to see this issue. What is surprising is that there was a hotfix released that supposedly fixed this issue (http://technet.microsoft.com/en-us/security/bulletin/MS10-089). This hotfix was also supposedly included in SP1. I have tested three servers, all with this hotfix as well as SP1 installed, and they still have this redirection vulnerability.
    Ajay
    Wednesday, September 7, 2011 1:19 PM
  • Hi Ajay,

    yep, the behavior is pretty much the same as described in "CVE-2010-2732 - Redirection Spoofing Exploit in UAG". Either the original glitch is back, or it's a new - but similar - one?

    Maybe someone at Microsoft could clarify this. But I guess they aren't allowed to talk about it because of their responsible disclosure agreement.

    -Kai

    Wednesday, September 7, 2011 1:29 PM