Univention Bugzilla – Bug 43710
"unsafe" UMCP commands are accessible via "safe" HTTP GET method
Last modified: 2021-06-23 07:29:06 CEST
You introduced an error in the UCR module via commit [r76928]. The command put does not finish the request; the simplecommand decorator is missing.

--------- 8< ----------
var store = require('umc/store');
var ucrStore = store('key', 'ucr');
ucrStore.put({ key: 'umc/web/startupdialog', value: 'false' }); // → the request times out
--------- 8< ----------

+++ This bug was initially created as a clone of Bug #39731 +++

There are a lot of commands which can be accessed via the HTTP GET method by just opening the URL in the browser. HTTP defines the method GET as "safe", i.e. executing that method doesn't have effects on the state of the resource. That can be a problem because if you are authenticated at UMC, calling the following links will cause unsafe actions:

Stop the service "ntp":
/univention-management-console/command/services/stop?ntp=1

Kill the process(es) with pid=23238:
/univention-management-console/command/top/kill?signal=SIGKILL&pid=23238&pid=23238

Reboot the system:
/univention-management-console/command/updater/installer/reboot

Shutdown the system:
/univention-management-console/command/lib/server/shutdown

(There are some more like reporting a traceback, uploading a traceback, importing a license, removing user quota, upgrading the system to version x.y-z.)

Using UDM (e.g. to change a password) seems not to be possible.

As there are URL shorteners or iframes/HTML framesets, this can also be easily used by an attacker.

This functionality is used in UCS@school e.g. to display screenshots of computers and in adconnector to download certificates (maybe some more).

It's a design problem of UMCP - which drops all important HTTP information (method, headers).
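The design problem named in the report is that the command layer never sees the HTTP method, so a state-changing command is reachable through a GET that a link or iframe can trigger in an authenticated browser. The following is an added, hypothetical example (not Univention's code) of the corresponding mitigation: a small UMCP-style dispatcher that keeps the method from the request line and refuses to run commands flagged as state-changing when they arrive via a safe method. The `services/stop` command and its URL prefix are quoted from the report; the `ucr/get` command, the handler functions and the `Dispatcher` class are assumptions for illustration.

```python
"""Added, hypothetical example: enforce HTTP method semantics per command.

Not Univention code. Models the mitigation the report implies: a command that
changes server state must not be executable via a "safe" method such as GET.
"""
from urllib.parse import parse_qs, urlsplit

# Safe methods per RFC 7231: a request using one must not change state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Prefix of the command URLs quoted in the report.
COMMAND_PREFIX = "/univention-management-console/command/"


class MethodNotAllowed(Exception):
    """Raised when a state-changing command arrives via a safe method."""


def parse_request_line(line):
    """Split 'METHOD /path?query HTTP/1.x' into (method, command, options).

    Repeated query keys (pid=...&pid=...) are kept as a list.
    """
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    if not parts.path.startswith(COMMAND_PREFIX):
        raise ValueError("not a UMC command URL: %s" % parts.path)
    command = parts.path[len(COMMAND_PREFIX):]
    options = {k: v[0] if len(v) == 1 else v
               for k, v in parse_qs(parts.query).items()}
    return method, command, options


class Dispatcher:
    """Registry of commands, each flagged as read-only or state-changing."""

    def __init__(self, enforce_methods=True):
        # enforce_methods=False reproduces the behaviour described in the
        # report: the method is dropped and every command is reachable via GET.
        self.enforce_methods = enforce_methods
        self._commands = {}
        self.audit = []  # (method, command) pairs that were actually executed

    def register(self, name, handler, changes_state):
        self._commands[name] = (handler, changes_state)

    def dispatch(self, request_line):
        method, command, options = parse_request_line(request_line)
        handler, changes_state = self._commands[command]
        if self.enforce_methods and changes_state and method in SAFE_METHODS:
            raise MethodNotAllowed("%s %s" % (method, command))
        self.audit.append((method, command))
        return handler(options)


# Hypothetical handlers standing in for the real modules; they only report
# what they would have done, so the example stays free of side effects.
def services_stop(options):
    return {"stopped": sorted(options)}


def ucr_get(options):
    return {"ucr": {key: "<value>" for key in options}}


def build_dispatcher(enforce_methods=True):
    d = Dispatcher(enforce_methods)
    d.register("services/stop", services_stop, changes_state=True)  # from report
    d.register("ucr/get", ucr_get, changes_state=False)             # assumed name
    return d


def demo():
    """Run the same GET against the legacy and the hardened dispatcher."""
    stop_via_get = "GET %sservices/stop?ntp=1 HTTP/1.1" % COMMAND_PREFIX
    legacy = build_dispatcher(enforce_methods=False)
    legacy.dispatch(stop_via_get)  # executes: the behaviour the report describes
    hardened = build_dispatcher()
    try:
        hardened.dispatch(stop_via_get)
        rejected = False
    except MethodNotAllowed:
        rejected = True
    # A read-only lookup via GET and the same stop via POST are still allowed.
    hardened.dispatch("GET %sucr/get?umc/web/startupdialog=1 HTTP/1.1" % COMMAND_PREFIX)
    hardened.dispatch("POST %sservices/stop?ntp=1 HTTP/1.1" % COMMAND_PREFIX)
    return {"legacy_audit": legacy.audit,
            "hardened_rejected_get": rejected,
            "hardened_audit": hardened.audit}


if __name__ == "__main__":
    print(demo())
```

The `changes_state` flag is the piece of information the report says UMCP currently throws away; once it is recorded per command, the check in `dispatch` is a one-line rule, and the audit list shows which requests actually reached a handler.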
univention-management-console-module-ucr (6.0.1-2): r77317 | Bug #43710: fix response of putting UCR variables
Put-requests work as expected now. -> Verified.
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".