Defect #13022

Image pointing towards /logout signs out user

Added by Anonymous over 7 years ago. Updated over 7 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Security
Target version:2.3.0
Resolution:Fixed Affected version:2.2.2

Description

Creating an image with the source url /logout will automatically sign out any user.

Code

!/logout!

Test case (This will sign you out!)
See issue #13021

This can be annoying and should be prevented by only allowing POST request with a valid CSRF token in the AccountController.logout method (source:trunk/app/controllers/account_controller.rb).

Related issues

Duplicated by Redmine - Defect #13069: XSS with images Closed

Associated revisions

Revision 11289
Added by Jean-Philippe Lang over 7 years ago

Use POST instead of GET for logging out (#13022).

History

#1 Updated by Jan Niggemann (redmine.org team member) over 7 years ago

Hi Marco,
first of all, thank you for your input and for making us aware of this.

I don't think that using a live system for demonstrating issues is neither a good idea nor good conduct.
I closed the referenced issue, but I'm not sure if deleting it wouldn't have been better...

#2 Updated by Anonymous over 7 years ago

Hi Jan,

Sorry about being overly attention demanding. So, yeah sure, it is probably better to just delete the ticket.

I had actually reported this a two years ago to security(at)redmine.org, but it probably slipped through at some point. Anyway, it's just a minor annoyance, and not a real security issue.

#3 Updated by Etienne Massip over 7 years ago

Maybe only respond to html format in login and logout actions?

#4 Updated by Jan Niggemann (redmine.org team member) over 7 years ago

There's a security(at)redmine.org email address? Didn't know that...

#5 Updated by Jean-Philippe Lang over 7 years ago

  • Assignee set to Jean-Philippe Lang
  • Target version set to 2.3.0

Etienne Massip wrote:

Maybe only respond to html format in login and logout actions?

I've just tested this approach but it doesn't work. Using non-GET seems to be the right solution for preventing that.

#6 Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in r11289, POST is now required to logout. FTR, GET /logout will still respond with a simple logout form for compatibility, disabled-javascript support.

#7 Updated by Anonymous over 7 years ago

Jan Niggemann wrote:

There's a security(at)redmine.org email address? Didn't know that...

That's what it says here: Submissions

BTW: That was fixed quickly, Kudos!

Also available in: Atom PDF