Univention Bugzilla – Bug 43845
Disable UMC security mechanism when upgrading from UCS 4.1
Last modified: 2021-06-23 07:29:10 CEST
In UCS 4.2 several new security enforcements are done in UMC which are backwards incompatible due to adding proprietary XSRF-Protection HTTP mechanisms (Bug #39731). This is incompatible with mixed environments of UCS 4.1, e.g. for the following cases:
* Installing UCS@school
* Joining a Windows computer in a UCS@school multiserver environment
* using the global App-Center
* writing an exam in UCS@school
* (changing the IP address of a DC Slave/Memberserver)
* using the Self-Service
Therefore we should disable these security checks for systems which are upgrading from UCS 4.1.
univention-management-console (9.0.61-1): r77689 | Bug #43845: disable security restrictions when upgrading from UCS 4.1
univention-management-console (9.0.75-1): r78314 | Bug #43845: fix inverted boolean logic
What I tested:
ucr key:
  on updated system: umc/server/disable-security-restrictions -> true -> OK
  on fresh install: umc/server/disable-security-restrictions -> not set -> OK
curl:
  against fresh installed system (umc/server/disable-security-restrictions unset):
    curl without X-XSRF-Protection -> failed -> OK
    curl with X-XSRF-Protection -> ok -> OK
  against updated system (umc/server/disable-security-restrictions=true):
    curl without X-XSRF-Protection -> ok -> OK
    curl with X-XSRF-Protection -> ok -> OK
Changelog -> not required -> OK
All OK -> Verified
UCS 4.2 has been released: https://docs.software-univention.de/release-notes-4.2-0-en.html https://docs.software-univention.de/release-notes-4.2-0-de.html If this error occurs again, please use "Clone This Bug".
for findability: Cross Site Request Forgery attack detected. Please provide the "UMCSessionId" cookie value as HTTP request header "X-Xsrf-Protection".
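The check that the curl test matrix above exercises and that the error message above comes from, modelled as an added example (this is not univention-management-console's own code; the Request type, function names and UCR boolean parsing are assumptions). The double-submit pattern works because a cross-site page can make the browser attach the UMCSessionId cookie but cannot read it to copy it into a custom header; the UCR switch from this bug skips the check on systems upgraded from UCS 4.1.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Names taken from the error message on this page.
XSRF_HEADER = "X-Xsrf-Protection"
SESSION_COOKIE = "UMCSessionId"
DISABLE_KEY = "umc/server/disable-security-restrictions"
XSRF_ERROR = ('Cross Site Request Forgery attack detected. Please provide the '
              '"UMCSessionId" cookie value as HTTP request header "X-Xsrf-Protection".')


@dataclass
class Request:
    """Assumed minimal request shape: cookie jar and header map."""
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def ucr_is_true(value: Optional[str]) -> bool:
    """Assumed UCR-style boolean parsing: true/yes/on/1 enable the switch."""
    return (value or "").strip().lower() in ("true", "yes", "on", "1")


def get_header(request: Request, name: str) -> Optional[str]:
    """HTTP header names are case-insensitive (X-XSRF-Protection == X-Xsrf-Protection)."""
    for key, value in request.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_xsrf(request: Request, ucr: Dict[str, str]) -> Optional[str]:
    """Return None when the request may proceed, else the UMC error message.

    The switch must only ever *disable* the check; the r78314 fix on this page
    corrected an inverted test of exactly this flag, which the four-case matrix
    in the verification comment catches.
    """
    if ucr_is_true(ucr.get(DISABLE_KEY)):
        return None  # upgraded-from-4.1 system: restriction disabled
    cookie = request.cookies.get(SESSION_COOKIE)
    header = get_header(request, XSRF_HEADER)
    if cookie is None or header is None:
        return XSRF_ERROR
    # Constant-time comparison; header must echo the cookie exactly.
    if not hmac.compare_digest(header.encode(), cookie.encode()):
        return XSRF_ERROR
    return None
```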