Bug #6999

CVE-2014-3590 - User logout susceptible to CSRF attack

Added by Dominic Cleal about 3 years ago. Updated almost 3 years ago.

Status:Closed
Priority:Normal
Assigned To:Daniel Lobato Garcia
Category:Security
Target version:Sprint 29
Difficulty: Bugzilla link:1110359
Found in release: Pull request:https://github.com/theforeman/foreman/pull/1738
Story points-
Velocity based estimate-
Release1.6.1Release relationshipAuto

Description

I have created page on completely different machine with:

  1. cat /var/www/html/pub/aaa.html
    <html>
    <body>
    <img src='https://foreman.example.com/users/logout'/>
    </body>
    </html>

and once I have loaded it, I was logged-off from webUI.

Reported by Jan Hutař of Red Hat.


Related issues

Related to Foreman - Bug #7736: Change to prevent unauthenticated requests for CSRF modif... Rejected 09/29/2014
Related to Foreman - Bug #7737: Change for issue 6999 broke logout for PAM-based (interce... Closed 09/29/2014

Associated revisions

Revision 4e3a7e7a
Added by Daniel Lobato Garcia almost 3 years ago

Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)

To avoid CSRF, logout is changed to be a POST request so
protect_from_forgery checks the CSRF token. However, in Rails 3 the only
strategy available is to nullify the session of the attacker.
We modify this behavior to raise a Foreman Exception.
This issue is probably worth revisiting on the update to Rails 4 as
throwing an exception is a valid strategy again.

History

#1 Updated by Dominic Cleal about 3 years ago

  • Subject changed from User logout susceptible to CSRF attack to CVE-2014-3590 - User logout susceptible to CSRF attack

CVE-2014-3590 has been assigned for this issue.

#2 Updated by Dmitri Dolguikh almost 3 years ago

  • Target version changed from Sprint 27 to Sprint 28

#3 Updated by Shlomi Zadok almost 3 years ago

  • Assigned To set to Shlomi Zadok

#4 Updated by Shlomi Zadok almost 3 years ago

We should consider moving to devise (https://github.com/plataformatec/devise)

#5 Updated by Marek Hulán almost 3 years ago

+1 for devise, but since we have a lot of custom logic, it may be hard to rewrite it as warden strategies. Also devise does not seem to be packaged, it does not have many dependencies but still, another RPMs to maintain. IIRC correctly, katello used devise before enginification so maybe there are some older packages somewhere. Anyway implementing this fix probably shouldn't be a big rewrite.

#6 Updated by Dominic Cleal almost 3 years ago

  • Status changed from New to Assigned

#7 Updated by Shlomi Zadok almost 3 years ago

  • Status changed from Assigned to New

I have been looking into this issue.
This happens only on the browser that you are logged in your foreman webUI.
(e.g., if you are on Chrome and logged in a foreman webUI, you will be logged out if you clicked on a logout link on another tab).
The logout link can be on another server (as Dominic described).

This will not happen on another browser (you won't be able to logout a Chrome foreman webUI from FireFox).

Yet, this seems to me as a normal behavior of the browsers, If I am logged out from Facebook on one tab, it will log me out from Facebook on other tabs as well.

As for devise, clearly an issue we should consider in the future.

#8 Updated by Dominic Cleal almost 3 years ago

It's a CSRF attack though, that's a preventable behaviour with CSRF tokens etc, in the same way that forms are protected.

#9 Updated by Dominic Cleal almost 3 years ago

  • Release changed from 1.5.3 to 1.6.1

#10 Updated by Daniel Lobato Garcia almost 3 years ago

  • Assigned To changed from Shlomi Zadok to Daniel Lobato Garcia

#11 Updated by The Foreman Bot almost 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/1738 added

#12 Updated by Dmitri Dolguikh almost 3 years ago

  • Target version changed from Sprint 28 to Sprint 29

#13 Updated by Daniel Lobato Garcia almost 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#14 Updated by Dominic Cleal almost 3 years ago

  • Related to Bug #7736: Change to prevent unauthenticated requests for CSRF modified login behaviour as well added

#15 Updated by Marek Hulán almost 3 years ago

  • Related to Bug #7737: Change for issue 6999 broke logout for PAM-based (intercept) authentication added

Also available in: Atom PDF