Univention Bugzilla – Bug 44564
X-Xsrf-Protection attack falsely detected when URL contains the port
Last modified: 2017-06-15 17:58:16 CEST
Created attachment 8827 [details] Screenshot. For newly installed UCS 4.2 systems which access UMC via http://host:8443/univention/management/ the UMC is unusable because it detects an XSRF attack. This is because the UMC webserver uses the cookie UMCSessionId-$port if a port is available, but the UMC server is not aware of any port and always checks for the value of "UMCSessionId" and therefore detects an XSRF attack because "" != "some-session-id". Attached is a screenshot of how it looks. No UMC module can be used due to this.
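To make the mismatch described in the report concrete, here is a small model of the check, written as an added example for this page rather than code taken from UCS or univention-management-console. It assumes the cookie name is derived from the port in the request's Host header (the report only says "UMCSessionId-$port if a port is available"), and the header and cookie names are those quoted in the error message; the request dictionaries are constructed test data. The "buggy" variant always reads the un-suffixed cookie, so a session reached via host:8443 compares "" against the real session id and is rejected; the "fixed" variant derives the cookie name the same way the webserver does and also refuses requests where either value is absent.

```python
import hmac
from typing import Mapping, Optional

COOKIE_BASE = "UMCSessionId"            # cookie name quoted in the error message
XSRF_HEADER = "X-Xsrf-Protection"       # header name quoted in the error message


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def session_cookie_name(host_header: Optional[str]) -> str:
    """Cookie name as the webserver sets it: 'UMCSessionId' when the Host header
    carries no explicit port, 'UMCSessionId-<port>' otherwise.
    Assumption: the port is taken from the Host header (the report does not say
    where the webserver reads it from). Handles 'host:8443', 'host' and '[::1]:8443'."""
    if not host_header:
        return COOKIE_BASE
    host = host_header.strip()
    if host.startswith("["):                       # IPv6 literal, e.g. [::1]:8443
        close = host.find("]")
        rest = host[close + 1:] if close != -1 else ""
    else:
        rest = host[host.find(":"):] if ":" in host else ""
    if rest.startswith(":") and rest[1:].isdigit():
        return f"{COOKIE_BASE}-{rest[1:]}"
    return COOKIE_BASE


def xsrf_check_buggy(headers: Mapping[str, str], cookies: Mapping[str, str]) -> bool:
    """Behaviour described in the report: the server ignores the port and always
    reads the un-suffixed cookie, so a port-suffixed session yields "" here."""
    expected = cookies.get(COOKIE_BASE, "")
    supplied = _get(headers, XSRF_HEADER) or ""
    return hmac.compare_digest(expected, supplied)


def xsrf_check_fixed(headers: Mapping[str, str], cookies: Mapping[str, str]) -> bool:
    """Look up the same cookie name the webserver used for this request, and
    reject outright when either side is missing instead of comparing against ""."""
    expected = cookies.get(session_cookie_name(_get(headers, "Host")), "")
    supplied = _get(headers, XSRF_HEADER) or ""
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


# Constructed sample requests (not captured traffic).
REQ_WITH_PORT = {"Host": "host:8443", XSRF_HEADER: "some-session-id"}
COOKIES_WITH_PORT = {"UMCSessionId-8443": "some-session-id"}

REQ_DEFAULT_PORT = {"Host": "host", XSRF_HEADER: "some-session-id"}
COOKIES_DEFAULT_PORT = {"UMCSessionId": "some-session-id"}

REQ_FORGED = {"Host": "host:8443", XSRF_HEADER: "attacker-guess"}


if __name__ == "__main__":
    print("buggy, port 8443:", xsrf_check_buggy(REQ_WITH_PORT, COOKIES_WITH_PORT))
    print("fixed, port 8443:", xsrf_check_fixed(REQ_WITH_PORT, COOKIES_WITH_PORT))
    print("fixed, forged   :", xsrf_check_fixed(REQ_FORGED, COOKIES_WITH_PORT))
```

The comparison uses hmac.compare_digest so the session id check does not leak timing information; the empty-value guard matters because an unauthenticated request with no cookie and no header would otherwise pass a naive `"" == ""` comparison.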
univention-management-console.yaml: r79237 | YAML Bug #44564
univention-management-console (9.0.80-9): r79236 | Bug #44564: fix wrong detection of XSRF-Protection
I've tested the fix with an SSH tunnel and the UMC got usable again. -> Verified
FEEDBACK: With NATed access to UMC, the following error: You are not authorized to perform this action. Server error message: Cross Site Request Forgery attack detected. Please provide the "UMCSessionId" cookie value as HTTP request header "X-Xsrf-Protection". PRODUCT USAGE: as part of an evaluation. EMAIL: GET-PARAMETER: array ( 'umc' => 'StartupDialog', )
<http://errata.software-univention.de/ucs/4.2/40.html>