Bug #6999
closed
CVE-2014-3590 - User logout susceptible to CSRF attack
Description
I have created page on completely different machine with:
- cat /var/www/html/pub/aaa.html
<html>
<body>
<img src='https://foreman.example.com/users/logout'/>
</body>
</html>
and once I have loaded it, I was logged-off from webUI.
Reported by Jan Hutař of Red Hat.
Updated by Dominic Cleal over 9 years ago
- Subject changed from User logout susceptible to CSRF attack to CVE-2014-3590 - User logout susceptible to CSRF attack
CVE-2014-3590 has been assigned for this issue.
Updated by Anonymous over 9 years ago
- Target version changed from 1.7.5 to 1.7.4
Updated by Shlomi Zadok over 9 years ago
We should consider moving to devise (https://github.com/plataformatec/devise)
Updated by Marek Hulán over 9 years ago
+1 for devise, but since we have a lot of custom logic, it may be hard to rewrite it as warden strategies. Also devise does not seem to be packaged, it does not have many dependencies but still, another RPMs to maintain. IIRC correctly, katello used devise before enginification so maybe there are some older packages somewhere. Anyway implementing this fix probably shouldn't be a big rewrite.
Updated by Shlomi Zadok over 9 years ago
- Status changed from Assigned to New
I have been looking into this issue.
This happens only on the browser that you are logged in your foreman webUI.
(e.g., if you are on Chrome and logged in a foreman webUI, you will be logged out if you clicked on a logout link on another tab).
The logout link can be on another server (as Dominic described).
This will not happen on another browser (you won't be able to logout a Chrome foreman webUI from FireFox).
Yet, this seems to me as a normal behavior of the browsers, If I am logged out from Facebook on one tab, it will log me out from Facebook on other tabs as well.
As for devise, clearly an issue we should consider in the future.
Updated by Dominic Cleal over 9 years ago
It's a CSRF attack though, that's a preventable behaviour with CSRF tokens etc, in the same way that forms are protected.
Updated by Dominic Cleal over 9 years ago
- translation missing: en.field_release changed from 20 to 22
Updated by Daniel Lobato Garcia over 9 years ago
- Assignee changed from Shlomi Zadok to Daniel Lobato Garcia
Updated by The Foreman Bot over 9 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/1738 added
- Pull request deleted (
)
Updated by Anonymous over 9 years ago
- Target version changed from 1.7.4 to 1.7.3
Updated by Daniel Lobato Garcia over 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 4e3a7e7a2a542435686a667773eafc73c92e557b.
Updated by Dominic Cleal over 9 years ago
- Related to Bug #7736: Change to prevent unauthenticated requests for CSRF modified login behaviour as well added
Updated by Marek Hulán over 9 years ago
- Related to Bug #7737: Change for issue 6999 broke logout for PAM-based (intercept) authentication added