Project

General

Profile

Bug #6999

CVE-2014-3590 - User logout susceptible to CSRF attack

Added by Dominic Cleal over 8 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Daniel Lobato Garcia
Category:
Security
Target version:
1.6.1
Difficulty:
Triaged:
Bugzilla link:
1110359
Pull request:
https://github.com/theforeman/foreman/pull/1738
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

I have created page on completely different machine with:

  1. cat /var/www/html/pub/aaa.html
    <html>
    <body>
    <img src='https://foreman.example.com/users/logout'/>
    </body>
    </html>

and once I have loaded it, I was logged-off from webUI.

Reported by Jan Hutař of Red Hat.

Related issues

Related to Foreman - Bug #7736: Change to prevent unauthenticated requests for CSRF modified login behaviour as wellRejected2014-09-29
Related to Foreman - Bug #7737: Change for issue 6999 broke logout for PAM-based (intercept) authenticationClosed2014-09-29

Associated revisions

Revision 4e3a7e7a (diff)
Added by Daniel Lobato Garcia over 8 years ago

Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)

To avoid CSRF, logout is changed to be a POST request so
protect_from_forgery checks the CSRF token. However, in Rails 3 the only
strategy available is to nullify the session of the attacker.
We modify this behavior to raise a Foreman Exception.
This issue is probably worth revisiting on the update to Rails 4 as
throwing an exception is a valid strategy again.

Revision 4692b6bd (diff)
Added by Daniel Lobato Garcia over 8 years ago

Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)

To avoid CSRF, logout is changed to be a POST request so
protect_from_forgery checks the CSRF token. However, in Rails 3 the only
strategy available is to nullify the session of the attacker.
We modify this behavior to raise a Foreman Exception.
This issue is probably worth revisiting on the update to Rails 4 as
throwing an exception is a valid strategy again.

(cherry picked from commit 4e3a7e7a2a542435686a667773eafc73c92e557b)

History

#1 Updated by Dominic Cleal over 8 years ago

  • Subject changed from User logout susceptible to CSRF attack to CVE-2014-3590 - User logout susceptible to CSRF attack

CVE-2014-3590 has been assigned for this issue.

#2 Updated by Anonymous over 8 years ago

  • Target version changed from 1.7.5 to 1.7.4

#3 Updated by Shlomi Zadok over 8 years ago

  • Assignee set to Shlomi Zadok

#4 Updated by Shlomi Zadok over 8 years ago

We should consider moving to devise (https://github.com/plataformatec/devise)

#5 Updated by Marek Hulán over 8 years ago

+1 for devise, but since we have a lot of custom logic, it may be hard to rewrite it as warden strategies. Also devise does not seem to be packaged, it does not have many dependencies but still, another RPMs to maintain. IIRC correctly, katello used devise before enginification so maybe there are some older packages somewhere. Anyway implementing this fix probably shouldn't be a big rewrite.

#6 Updated by Dominic Cleal over 8 years ago

  • Status changed from New to Assigned

#7 Updated by Shlomi Zadok over 8 years ago

  • Status changed from Assigned to New

I have been looking into this issue.
This happens only on the browser that you are logged in your foreman webUI.
(e.g., if you are on Chrome and logged in a foreman webUI, you will be logged out if you clicked on a logout link on another tab).
The logout link can be on another server (as Dominic described).

This will not happen on another browser (you won't be able to logout a Chrome foreman webUI from FireFox).

Yet, this seems to me as a normal behavior of the browsers, If I am logged out from Facebook on one tab, it will log me out from Facebook on other tabs as well.

As for devise, clearly an issue we should consider in the future.

#8 Updated by Dominic Cleal over 8 years ago

It's a CSRF attack though, that's a preventable behaviour with CSRF tokens etc, in the same way that forms are protected.

#9 Updated by Dominic Cleal over 8 years ago

  • Legacy Backlogs Release (now unused) changed from 20 to 22

#10 Updated by Daniel Lobato Garcia over 8 years ago

  • Assignee changed from Shlomi Zadok to Daniel Lobato Garcia

#11 Updated by The Foreman Bot over 8 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/1738 added
  • Pull request deleted ()

#12 Updated by Anonymous over 8 years ago

  • Target version changed from 1.7.4 to 1.7.3

#13 Updated by Daniel Lobato Garcia over 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#14 Updated by Dominic Cleal over 8 years ago

  • Related to Bug #7736: Change to prevent unauthenticated requests for CSRF modified login behaviour as well added

#15 Updated by Marek Hulán over 8 years ago

  • Related to Bug #7737: Change for issue 6999 broke logout for PAM-based (intercept) authentication added

Also available in: Atom PDF