Bug 44564 - X-XRSF-Protection attack false detected when URL contains the port
X-XRSF-Protection attack false detected when URL contains the port
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-0-errata
Assigned To: Florian Best
Richard Ulmer
Depends on:
  Show dependency treegraph
Reported: 2017-05-09 13:04 CEST by Florian Best
Modified: 2017-06-15 17:58 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017050721000149, 2017052321000511
Bug group (optional): External feedback
Max CVSS v3 score:
best: Patch_Available+

Screenshot (76.37 KB, image/png)
2017-05-09 13:04 CEST, Florian Best

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-05-09 13:04:35 CEST
Created attachment 8827 [details]

For newly installed UCS 4.2 systems which access UMC via http://host:8443/univention/management/ the UMC is unusable because it detects a XSRF-Attack.

This is because the UMC-Webserver uses the Cookie UMCSessionId-$port if a port is available but the UMC-Server is not aware of any port and always checks for the value of "UMCSessionId" and therefore detects a XSRF-Attack because "" != "some-session-id".

Attached is a Screenshot how it looks. No UMC module can be used for due to this.
Comment 1 Florian Best univentionstaff 2017-05-09 13:08:51 CEST
r79237 | YAML Bug #44564

univention-management-console (9.0.80-9):
r79236 | Bug #44564: fix wrong detection of XSRF-Protection
Comment 2 Richard Ulmer univentionstaff 2017-05-15 14:09:28 CEST
I've tested the fix with an SSH tunnel and the UMC got usable again. -> Verified
Comment 3 Florian Best univentionstaff 2017-05-23 15:38:36 CEST
FEEDBACK: Bei genattetem Zugriff auf UMC folgender Fehler:

Sie sind nicht authorisiert, diese Aktion durchzuführen.

Fehlernachricht des Servers:

Cross Site Request Forgery attack detected. Please provide the "UMCSessionId" cookie value as HTTP request header "X-Xsrf-Protection".
PRODUKTNUTZUNG: im Rahmen einer Evaluation.
'umc' => 'StartupDialog',
Comment 4 Janek Walkenhorst univentionstaff 2017-06-15 17:58:16 CEST