Univention Bugzilla – Bug 38820
UMC-Webserver: Cross-Site-Cooking
Last modified: 2021-06-23 07:29:07 CEST
The UMCSessionId Cookie is not restricted to /umcp/ and /univention-management-console/ which leads to the possibility of Cross-Site-Cooking attacks. Of course also /owncloud/ or /~user/ will receive that cookie. E.g. https://billy/~fbest/xss2.html will give me the session if you were logged in recently.
(In reply to Florian Best from comment #0)
> The UMCSessionId Cookie is not restricted to /umcp/ and
> /univention-management-console/ which leads to the possibility of
> Cross-Site-Cooking attacks.
>
> Of course also /owncloud/ or /~user/ will receive that cookie.
>
> E.g. https://billy/~fbest/xss2.html will give me the session if you were
> logged in recently.

True! However, you still need the same IP address in order to access UMC.
If we set the cookie path to /umcp/, we could not access it anymore via JavaScript, as the JavaScript runs underneath /univention-management-console/. To fix this we must have access to all cookies via one (!) common subpath. Therefore we will change /umcp/.* to /univention-management-console/$1. The cookie path will be set to "/univention-management-console/", which then includes all UMCP paths, so that we can use it via JavaScript. The fallback /umcp/ will still be available for cross-host requests.

We need to redirect /umcp/ requests internally and can't change it to a 401 HTTP permanent redirect, as various libs (e.g. univention.lib.umc_connection) which don't follow redirects would break. → (global appcenter, ucs-test)

Moving this bug to UCS 4.1 as the change is too big for an erratum.
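The two comments above (the report in comment #0 and the fix in comment #2) come down to one browser rule: a cookie is only attached to requests whose URL path is prefixed by the cookie's Path attribute, and document.cookie in JavaScript is filtered by the same rule. The following is an added example, not code from this bug or from Univention. It uses Python's http.cookiejar, which implements the same path-match algorithm as browsers (RFC 6265), to show which URLs receive an UMCSessionId cookie under the original Path=/, the rejected Path=/umcp/, and the chosen Path=/univention-management-console/. The host name ucs.example.com, the cookie value, and the helpers session_cookie, cookie_reaches and rewrite_umcp_path are all constructed for the demo; rewrite_umcp_path only mirrors the /umcp/.* → /univention-management-console/$1 mapping described in comment #2 and is not the project's Apache configuration.

```python
"""Added example (not Univention code): how a cookie's Path attribute
decides which URLs receive the UMCSessionId cookie.

http.cookiejar applies the RFC 6265 path-match rule that browsers use,
so it can stand in for a browser here. Host, value and URLs are constructed.
"""
import re
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed FQDN: the "billy" host from the report has no dot, which
# http.cookiejar treats as a ".local" host, so a dotted name is used instead.
HOST = "ucs.example.com"
COOKIE_NAME = "UMCSessionId"   # the cookie named in the bug report


def session_cookie(path):
    """Build a host-only, Secure UMCSessionId cookie scoped to `path`."""
    return Cookie(
        version=0, name=COOKIE_NAME, value="deadbeef",   # constructed value
        port=None, port_specified=False,
        domain=HOST, domain_specified=True, domain_initial_dot=False,
        path=path, path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookies_sent_to(jar, url):
    """Return the sorted cookie names the jar would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)          # applies domain, secure and path matching
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def cookie_reaches(path, url):
    """Would an UMCSessionId cookie with Path=`path` be sent to `url`?"""
    jar = CookieJar()
    jar.set_cookie(session_cookie(path))
    return COOKIE_NAME in cookies_sent_to(jar, url)


# Server-side half of the fix from comment #2 (illustrative, not the real config):
# /umcp/<x> is mapped internally to /univention-management-console/<x>.  Rewriting
# internally keeps the client's URL unchanged, so clients that ignore 3xx redirects
# keep working.
UMCP_FALLBACK = re.compile(r"^/umcp/(.*)$")


def rewrite_umcp_path(request_path):
    """Map a legacy /umcp/ request path onto the new common subpath."""
    return UMCP_FALLBACK.sub(r"/univention-management-console/\1", request_path)


if __name__ == "__main__":
    base = "https://" + HOST
    targets = [
        "/~fbest/xss2.html",                     # user page from the report
        "/owncloud/",
        "/umcp/auth",                            # legacy UMCP endpoint
        "/univention-management-console/auth",   # endpoint used by the new frontend
    ]
    for cookie_path in ["/", "/umcp/", "/univention-management-console/"]:
        print("Path=%s" % cookie_path)
        for t in targets:
            sent = cookie_reaches(cookie_path, base + t)
            print("  %-40s %s" % (t, "sent" if sent else "not sent"))
    print(rewrite_umcp_path("/umcp/auth"))
```

Running the script shows the trade-off discussed in comment #2: with Path=/ the session cookie is leaked to /~fbest/xss2.html and /owncloud/; with Path=/umcp/ it is withheld from those pages but also from /univention-management-console/auth, which is the same restriction that keeps the frontend's JavaScript (served under /univention-management-console/) from reading it through document.cookie; with Path=/univention-management-console/ only the UMC subtree receives it. Because a request to /umcp/auth then carries no cookie, the legacy path is kept only as an internally rewritten fallback, not as the path clients should use.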
All cookie paths have been adjusted to use /univention-management-console/. /umcp/ is still reachable (only for compatibility reasons with the global appcenter in mixed UCS domains) but should not be used anymore.

We observed a problem during the update if one does a page reload without the apache configuration being reloaded (as asked for by the ask-restart dialog), because the new JS frontend requests /univention-management-console/auth instead of /umcp/auth while this is not yet available. This problem doesn't occur anymore when Bug #39476 is fixed.
Works.

/umcp/ still found in:
management/univention-management-console/doc/http.rst

lib/umc_connection.py may be updated when 3.x is out of maintenance...

Please change the rst file. Otherwise VERIFIED
(In reply to Dirk Wiesenthal from comment #4)
> Works.
>
> /umcp/ still found in:
> management/univention-management-console/doc/http.rst
>
> lib/umc_connection.py may be updated when 3.x is out of maintenance...

:( (or we backport the necessary apache config in a 3.x and 4.0-x erratum ^^)

> Please change the rst file. Otherwise VERIFIED

:D well, you shouldn't really use that old documentation, but yes, I changed the string.
OK
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".