Bug 45461 - UMC should not store persistent personal data
UMC should not store persistent personal data
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3
Assigned To: Florian Best
Johannes Keiser
:
Depends on: 45390
Blocks: 45743
  Show dependency treegraph
 
Reported: 2017-09-27 12:16 CEST by Florian Best
Modified: 2017-11-28 17:26 CET (History)
2 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017091321000684
Bug group (optional): API change, Security, Usability
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-09-27 12:16:50 CEST
The customer wishes that we don't store the username persistent at all on the client side.

"""
die Lösung ist unzureichend. Uns ging es darum, dass personenbezogene Daten nicht im Klartext im Client gespeichert werden und 
dadurch von einem Angreifer im Falle eines Cross-site Scripting (XSS) Angriffsvektors ausgelesen werden können. Es geht also darum, dass man das z.B. stattdessen hashen und server seitig zuteilen könnte ... stattdessen hat Univention nun dieses personenbezogene Datum im Klartext in den LocalStore im Browser statt im Cookie im Browser gespeichert.
Andere Stelle -> gleiches Problem.
"""

As a solution we would remove the value completely from the local storage. This has the effect that the username is not pre filled in the login dialog anymore in the next session.

It does not prevent, that if we would have a XSS vulnerability an attacker can gain the username (or session ID) while the user is logged in. All these data are available in the DOM, javascript memory or can be accessed via specific HTTP requests.

+++ This bug was initially created as a clone of Bug #45390 +++

Es wurde festgestellt, dass die Webapplikation personenbezogene Daten innerhalb eines Cookies im Klartext speichert. Dies kann ein Datenschutz Issue darstellen, wenn diese Cookies beispielsweise in Logdateien protokolliert werden.

Neben der ID wird auch der Name des Benutzers im Klartext gespeichert. Dies stellt uns vor Datenschutz-rechtliche Probleme, welche Zeitnah gelöst werden müssen.
Comment 1 Florian Best univentionstaff 2017-11-24 13:18:32 CET
I removed every use of the local storage/cookie by storing the username inside of the javascript memory.

changelog-4.2-3.xml
b9068bec97b1 | Changelog Bug #45461

univention-management-console (9.0.80-81)
09b6e527ee3f | Bug #45461: don't store username in cookie/localstorage

univention-system-setup (10.0.11-2)
09b6e527ee3f | Bug #45461: don't store username in cookie/localstorage

univention-web (1.0.42-51)
09b6e527ee3f | Bug #45461: don't store username in cookie/localstorage
Comment 2 Florian Best univentionstaff 2017-11-24 15:04:00 CET
It seems to work everything regulary. I tested UMC, UMC via query string with ?username=foobar and Univention System Setup boot.
Comment 3 Johannes Keiser univentionstaff 2017-11-24 16:59:46 CET
OK UMC, UMC with ?username query, system setup
~OK The username is still saved in the localstorage if the system is updated to 4.2-3
~OK A cookie with the username is saved for a (very) short time if a user logs in and is then immediately removed
OK changelog (0c2d683 Bug #45461: QA: 4.2-3 changelog)

As mentioned in the bug description the username field on login is no longer prefilled
-> verified
Comment 4 Erik Damrose univentionstaff 2017-11-28 17:26:38 CET
UCS 4.2-3 has been released.