Bug 43710 - "unsafe" UMCP commands are accessible via "safe" HTTP GET method
"unsafe" UMCP commands are accessible via "safe" HTTP GET method
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
Importance: P5 critical (vote)
Target Milestone: UCS 4.2
Assigned To: Florian Best
Richard Ulmer
: interim-2
Depends on: 39731
Blocks:
Reported: 2017-03-03 10:55 CET by Alexander Kläser
Modified: 2021-06-23 07:29 CEST

What kind of report is it?: Development Internal
Bug group (optional): API change, Security
Description Alexander Kläser univentionstaff 2017-03-03 10:55:16 CET
You introduced an error in the UCR module via commit [r76928]. The command put does not finish the request; the simplecommand decorator is missing.

--------- 8< ----------
var store = require('umc/store');
var ucrStore = store('key', 'ucr');
ucrStore.put({
  key: 'umc/web/startupdialog',
  value: 'false'
});
// → the request times out
--------- 8< ----------


+++ This bug was initially created as a clone of Bug #39731 +++

There are a lot of commands which can be accessed via the HTTP GET method by just opening the URL in the browser. HTTP defines the method GET as "safe", i.e. executing that method does not have effects on the state of the resource.

That can be a problem because if you are authenticated at UMC calling the following links will cause unsafe actions:

Stop the service "ntp":
/univention-management-console/command/services/stop?ntp=1

Kill the process(es) with pid=23238:
/univention-management-console/command/top/kill?signal=SIGKILL&pid=23238&pid=23238

Reboot the system:
/univention-management-console/command/updater/installer/reboot

Shutdown the system:
/univention-management-console/command/lib/server/shutdown

(There are some more like reporting a traceback, uploading a traceback, importing a license, remove user quota, upgrade the system to version x.y-z.)
Using UDM (e.g. to change a password) does not seem possible.

As there are URL shorteners or iframes/HTML framesets, this can also easily be used by an attacker.

This functionality is used in UCS@school e.g. to display screenshots of computers and in adconnector to download certificates (maybe some more).

It's a design problem of UMCP, which drops all important HTTP information (method, headers).
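The following is an added illustration of the design problem described in the report, not code from UMC or from the reporter. It models a command dispatcher that maps the URL path to a handler and throws the HTTP method away (so every command is reachable by a plain GET link that a victim's browser sends with its session cookie), next to a hardened dispatcher that keeps the method and only lets commands explicitly declared read-only answer to GET. The Request class, the command table, the SAFE_COMMANDS set and the simulated state are all assumptions made for the example; the two links replayed by simulate() are the ones quoted above.

```python
"""
Toy model of the UMCP dispatch problem: naive dispatch ignores the HTTP
method, hardened dispatch requires POST for anything that changes state.
All names and the command table here are made up for this example; this
is not UMC's real dispatcher.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str                     # e.g. ".../command/services/stop"
    args: dict = field(default_factory=dict)
    authenticated: bool = True    # the victim already holds a UMC session


PREFIX = "/univention-management-console/command/"

# Simulated system state that the command handlers modify.
state = {"services": {"ntp": "running"}, "rebooted": False}


def cmd_services_stop(args):
    for name in args:
        state["services"][name] = "stopped"
    return {"status": 200}


def cmd_services_list(args):
    return {"status": 200, "result": dict(state["services"])}


def cmd_reboot(args):
    state["rebooted"] = True
    return {"status": 200}


# Naive table: path -> handler. Nothing records which commands change state.
COMMANDS = {
    "services/stop": cmd_services_stop,
    "services/list": cmd_services_list,
    "updater/installer/reboot": cmd_reboot,
}

# Hardened addition: the commands that are genuinely read-only ("safe").
# Everything else must be requested with POST.
SAFE_COMMANDS = {"services/list"}


def _command_name(path):
    if not path.startswith(PREFIX):
        return None
    return path[len(PREFIX):]


def dispatch_naive(req):
    """Looks only at the session and the path; the method is discarded."""
    if not req.authenticated:
        return {"status": 401}
    handler = COMMANDS.get(_command_name(req.path))
    if handler is None:
        return {"status": 404}
    return handler(req.args)


def dispatch_hardened(req):
    """Keeps the method: state-changing commands are refused on GET."""
    if not req.authenticated:
        return {"status": 401}
    name = _command_name(req.path)
    handler = COMMANDS.get(name)
    if handler is None:
        return {"status": 404}
    if req.method not in ("GET", "POST"):
        return {"status": 405}
    if req.method == "GET" and name not in SAFE_COMMANDS:
        # This is exactly what a link, <img src> or iframe on a third-party
        # page produces with the victim's cookie attached: refuse it.
        return {"status": 405, "message": "use POST for this command"}
    return handler(req.args)


def reset_state():
    state["services"] = {"ntp": "running"}
    state["rebooted"] = False


def simulate(dispatcher):
    """Replay the GET links from the report; return statuses and end state."""
    reset_state()
    links = [
        "/univention-management-console/command/services/stop?ntp=1",
        "/univention-management-console/command/updater/installer/reboot",
    ]
    statuses = []
    for link in links:
        path, _, query = link.partition("?")
        args = dict(kv.split("=", 1) for kv in query.split("&")) if query else {}
        statuses.append(dispatcher(Request("GET", path, args))["status"])
    return statuses, dict(state)


if __name__ == "__main__":
    print("naive:   ", simulate(dispatch_naive))
    print("hardened:", simulate(dispatch_hardened))
```

With the naive dispatcher both links succeed and the simulated host ends up with ntp stopped and rebooted; the hardened one answers 405 to both and leaves the state untouched, while a POST to services/stop from the real UMC frontend still works. Refusing GET for unsafe commands removes the "just open a link" vector, but a cross-site POST from an auto-submitting form is still possible, so a token or origin check is needed on top of the method check.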
Comment 1 Florian Best univentionstaff 2017-03-03 12:36:21 CET
univention-management-console-module-ucr (6.0.1-2):
r77317 | Bug #43710: fix response of putting UCR variables
Comment 2 Richard Ulmer univentionstaff 2017-03-17 14:21:31 CET
Put-requests work as expected now. -> Verified.
Comment 3 Stefan Gohmann univentionstaff 2017-04-04 18:29:02 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".