Bug #6999: CVE-2014-3590 - User logout susceptible to CSRF attack - Foreman

Custom queries

3.10.0 release DONE
3.10.0 release TODO
3.11.0 release DONE
3.11.0 release TODO
3.8.1 release DONE
3.8.1 release TODO
3.9.2 release DONE
3.9.2 release TODO
All bugs by votes
All issues closed in the last 3 weeks
Easy and Trivial Issues
Easy Issues (only)
Foreman - new open issues in last 10 days
Good first issues - Foreman core
high prio open bugs
Host registration [open]
Mine
My issues closed in the last 3 weeks
old bugs
Open with target version set (aka blockers)
registration
taken-none
Team Atlas untriaged bugs
templates
Trivial Issues
Untriaged and opened in the past two weeks

Actions

Copy link

Bug #6999

closed

CVE-2014-3590 - User logout susceptible to CSRF attack

Added by Dominic Cleal over 9 years ago. Updated almost 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Daniel Lobato Garcia

Category:

Security

Target version:

1.6.1

Difficulty:

Triaged:

Bugzilla link:

1110359

Pull request:

https://github.com/theforeman/foreman/pull/1738

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

I have created page on completely different machine with:

cat /var/www/html/pub/aaa.html
<html>
<body>
<img src='https://foreman.example.com/users/logout'/>
</body>
</html>

and once I have loaded it, I was logged-off from webUI.

Reported by Jan Hutař of Red Hat.

Related issues 2 (0 open — 2 closed)

	Related to Foreman - Bug #7736: Change to prevent unauthenticated requests for CSRF modified login behaviour as well	Rejected		09/29/2014			Actions
	Related to Foreman - Bug #7737: Change for issue 6999 broke logout for PAM-based (intercept) authentication	Closed		09/29/2014			Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Dominic Cleal over 9 years ago

Subject changed from User logout susceptible to CSRF attack to CVE-2014-3590 - User logout susceptible to CSRF attack

CVE-2014-3590 has been assigned for this issue.

Actions

Copy link

Updated by Anonymous over 9 years ago

Target version changed from 1.7.5 to 1.7.4

Actions

Copy link

Updated by Shlomi Zadok over 9 years ago

Assignee set to Shlomi Zadok

Actions

Copy link

Updated by Shlomi Zadok over 9 years ago

We should consider moving to devise (https://github.com/plataformatec/devise)

Actions

Copy link

Updated by Marek Hulán over 9 years ago

+1 for devise, but since we have a lot of custom logic, it may be hard to rewrite it as warden strategies. Also devise does not seem to be packaged, it does not have many dependencies but still, another RPMs to maintain. IIRC correctly, katello used devise before enginification so maybe there are some older packages somewhere. Anyway implementing this fix probably shouldn't be a big rewrite.

Actions

Copy link

Updated by Dominic Cleal over 9 years ago

Status changed from New to Assigned

Actions

Copy link

Updated by Shlomi Zadok over 9 years ago

Status changed from Assigned to New

I have been looking into this issue.
This happens only on the browser that you are logged in your foreman webUI.
(e.g., if you are on Chrome and logged in a foreman webUI, you will be logged out if you clicked on a logout link on another tab).
The logout link can be on another server (as Dominic described).

This will not happen on another browser (you won't be able to logout a Chrome foreman webUI from FireFox).

Yet, this seems to me as a normal behavior of the browsers, If I am logged out from Facebook on one tab, it will log me out from Facebook on other tabs as well.

As for devise, clearly an issue we should consider in the future.

Actions

Copy link