CVE-2014-3590 - User logout susceptible to CSRF attack
Assigned To: Daniel Lobato Garcia
Target version: Sprint 29
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/1738
Velocity based estimate: -
I have created a page on a completely different machine with:
- cat /var/www/html/pub/aaa.html
and once I had loaded it, I was logged off from the webUI.
Reported by Jan Hutař of Red Hat.
Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)
To avoid CSRF, logout is changed to be a POST request so
protect_from_forgery checks the CSRF token. However, in Rails 3 the only
strategy available is to nullify the session of the attacker.
We modify this behavior to raise a Foreman Exception.
This issue is probably worth revisiting on the update to Rails 4 as
throwing an exception is a valid strategy again.
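The fix described in the commit message above, as an added example that is not Foreman's or Rails' own code: a plain-Ruby stand-in for the Rails session and protect_from_forgery mechanics, with the pre-fix GET logout beside the POST-plus-token version. The Session, Request, VulnerableApp and HardenedApp names and the :null_session / :exception strategy switch are assumptions made for this example; the reset_session-style behaviour modelled under :null_session stands for the Rails 3 default the commit message refers to, and :exception for the Foreman exception it raises instead.

```ruby
require 'securerandom'

# Stand-in for a server-side Rails session. Constructed for this example.
class Session
  attr_accessor :user, :csrf_token
  def initialize(user)
    @user = user
    @csrf_token = SecureRandom.hex(16) # rendered into the app's own forms
  end
end

class ForemanCsrfError < StandardError; end

# A request as the server sees it. The browser attaches the session cookie
# automatically, which is exactly what makes a cross-site request dangerous.
Request = Struct.new(:verb, :path, :session, :params)

# Before the fix: logout is a GET route and nothing checks a token.
class VulnerableApp
  def dispatch(req)
    return :not_found unless req.path == '/users/logout' && req.verb == :get
    req.session.user = nil
    :logged_out
  end
end

# After the fix: logout is POST only and the token is verified. The strategy
# selects what happens when verification fails:
#   :null_session - Rails 3 default (reset_session): drop the session and go on
#   :exception    - what the Foreman fix does: abort the request
class HardenedApp
  def initialize(strategy)
    @strategy = strategy
  end

  # Constant-time comparison so the check does not leak the token byte by byte.
  def verified?(req)
    token = req.params['authenticity_token']
    expected = req.session.csrf_token
    return false if token.nil? || token.bytesize != expected.bytesize
    token.bytes.zip(expected.bytes).map { |a, b| a ^ b }.reduce(0, :|).zero?
  end

  def handle_unverified_request(req)
    case @strategy
    when :null_session
      req.session.user = nil # the "protection" itself logs the victim out
      :null_session
    when :exception
      raise ForemanCsrfError, 'invalid authenticity token'
    end
  end

  def dispatch(req)
    return :not_found unless req.path == '/users/logout'
    return :method_not_allowed unless req.verb == :post # GET logout is gone
    return handle_unverified_request(req) unless verified?(req)
    req.session.user = nil
    :logged_out
  end
end

# The report's scenario: the victim is logged in, and a page on an unrelated
# host makes the browser hit the logout URL. The forged request carries the
# victim's cookie but cannot carry the victim's CSRF token.
def forged_logout(app, verb)
  session = Session.new('admin')
  req = Request.new(verb, '/users/logout', session, {})
  result = begin
    app.dispatch(req)
  rescue ForemanCsrfError => e
    e.class
  end
  [result, session.user] # [what happened, who is still logged in]
end

# The app's own logout form, which does carry the token.
def legitimate_logout(app)
  session = Session.new('admin')
  req = Request.new(:post, '/users/logout', session,
                    { 'authenticity_token' => session.csrf_token })
  [app.dispatch(req), session.user]
end

if __FILE__ == $0
  p forged_logout(VulnerableApp.new, :get)               # [:logged_out, nil]
  p forged_logout(HardenedApp.new(:exception), :get)     # [:method_not_allowed, "admin"]
  p forged_logout(HardenedApp.new(:null_session), :post) # [:null_session, nil]
  p forged_logout(HardenedApp.new(:exception), :post)    # [ForemanCsrfError, "admin"]
  p legitimate_logout(HardenedApp.new(:exception))       # [:logged_out, nil]
end
```

The third line of output is the point the commit message makes: under the Rails 3 default the forged POST still ends with the victim logged out, so switching the route to POST alone buys nothing for a logout endpoint; only the raising strategy leaves the session intact.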
#5 Updated by Marek Hulán over 2 years ago
+1 for devise, but since we have a lot of custom logic, it may be hard to rewrite it as warden strategies. Also devise does not seem to be packaged; it does not have many dependencies, but still, more RPMs to maintain. IIRC katello used devise before enginification, so maybe there are some older packages somewhere. Anyway, implementing this fix probably shouldn't be a big rewrite.
#7 Updated by Shlomi Zadok over 2 years ago
- Status changed from Assigned to New
I have been looking into this issue.
This happens only in the browser in which you are logged in to your foreman webUI.
(e.g., if you are on Chrome and logged in to a foreman webUI, you will be logged out if you click a logout link in another tab).
The logout link can be on another server (as Dominic described).
This will not happen in another browser (you won't be able to log out of a Chrome foreman webUI from Firefox).
Yet this seems to me to be normal browser behavior: if I am logged out of Facebook in one tab, it will log me out of Facebook in other tabs as well.
As for devise, clearly an issue we should consider in the future.