Univention Bugzilla – Full Text Bug Listing
| Summary: | X-XSRF-Protection attack falsely detected when URL contains the port | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Florian Best <best> |
| Component: | UMC (Generic) | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Richard Ulmer <ulmer> |
| Severity: | normal | | |
| Priority: | P5 | CC: | birkefeld, thorp-hansen |
| Version: | UCS 4.2 | Flags: | best: Patch_Available+ |
| Target Milestone: | UCS 4.2-0-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
| User Pain: | 0.429 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2017050721000149, 2017052321000511 | Bug group (optional): | External feedback |
| Max CVSS v3 score: | | | |
| Attachments: | Screenshot | | |
Description
Florian Best
2017-05-09 13:04:35 CEST
univention-management-console.yaml: r79237 | YAML Bug #44564
univention-management-console (9.0.80-9): r79236 | Bug #44564: fix wrong detection of XSRF-Protection

I've tested the fix with an SSH tunnel and the UMC got usable again.
-> Verified

FEEDBACK: When accessing UMC through NAT, the following error occurs: "Sie sind nicht authorisiert, diese Aktion durchzuführen. Fehlernachricht des Servers: Cross Site Request Forgery attack detected. Please provide the "UMCSessionId" cookie value as HTTP request header "X-Xsrf-Protection"."
PRODUCT USAGE: as part of an evaluation.
EMAIL:
GET-PARAMETER: array ( 'umc' => 'StartupDialog', )