Bug 44564 – X-XRSF-Protection attack false detected when URL contains the port

Bug 44564 - X-XRSF-Protection attack false detected when URL contains the port


Summary:	X-XRSF-Protection attack false detected when URL contains the port

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC (Generic)
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-0-errata
Assigned To:	Florian Best
QA Contact:	Richard Ulmer

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-05-09 13:04 CEST by Florian Best
Modified:	2017-06-15 17:58 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.429
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2017050721000149, 2017052321000511
Bug group (optional):	External feedback
Max CVSS v3 score:

Flags:	best: Patch_Available+

Attachments
Screenshot (76.37 KB, image/png) 2017-05-09 13:04 CEST, Florian Best	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2017-05-09 13:04:35 CEST

Created attachment 8827 [details]
Screenshot

For newly installed UCS 4.2 systems which access UMC via http://host:8443/univention/management/ the UMC is unusable because it detects a XSRF-Attack.

This is because the UMC-Webserver uses the Cookie UMCSessionId-$port if a port is available but the UMC-Server is not aware of any port and always checks for the value of "UMCSessionId" and therefore detects a XSRF-Attack because "" != "some-session-id".

Attached is a Screenshot how it looks. No UMC module can be used for due to this.

Comment 1 Florian Best

2017-05-09 13:08:51 CEST

univention-management-console.yaml:
r79237 | YAML Bug #44564

univention-management-console (9.0.80-9):
r79236 | Bug #44564: fix wrong detection of XSRF-Protection

Comment 2 Richard Ulmer

2017-05-15 14:09:28 CEST

I've tested the fix with an SSH tunnel and the UMC got usable again. -> Verified

Comment 3 Florian Best

2017-05-23 15:38:36 CEST

FEEDBACK: Bei genattetem Zugriff auf UMC folgender Fehler:

Sie sind nicht authorisiert, diese Aktion durchzuführen.

Fehlernachricht des Servers:

Cross Site Request Forgery attack detected. Please provide the "UMCSessionId" cookie value as HTTP request header "X-Xsrf-Protection".
PRODUKTNUTZUNG: im Rahmen einer Evaluation.
EMAIL: 
GET-PARAMTER:array (
'umc' => 'StartupDialog',
)

Comment 4 Janek Walkenhorst

2017-06-15 17:58:16 CEST

<http://errata.software-univention.de/ucs/4.2/40.html>