Defect #13022

closed

Image pointing towards /logout signs out user

Added by Anonymous about 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: Normal
Category: Security
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Creating an image with the source url /logout will automatically sign out any user.

Code

!/logout!

Test case (This will sign you out!)
See issue #13021

This can be annoying and should be prevented by only allowing POST requests with a valid CSRF token in the AccountController.logout method (source:trunk/app/controllers/account_controller.rb).


Related issues

Has duplicate: Redmine - Defect #13069: XSS with images (Closed)

#1

Updated by Jan Niggemann (redmine.org team member) about 11 years ago

Hi Marco,
first of all, thank you for your input and for making us aware of this.

I don't think that using a live system for demonstrating issues is either a good idea or good conduct.
I closed the referenced issue, but I'm not sure if deleting it wouldn't have been better...

#2

Updated by Anonymous about 11 years ago

Hi Jan,

Sorry about being overly attention demanding. So, yeah sure, it is probably better to just delete the ticket.

I had actually reported this two years ago to security(at)redmine.org, but it probably slipped through at some point. Anyway, it's just a minor annoyance, and not a real security issue.

#3

Updated by Etienne Massip about 11 years ago

Maybe only respond to html format in login and logout actions?

#4

Updated by Jan Niggemann (redmine.org team member) about 11 years ago

There's a security(at)redmine.org email address? Didn't know that...

#5

Updated by Jean-Philippe Lang about 11 years ago

  • Assignee set to Jean-Philippe Lang
  • Target version set to 2.3.0

Etienne Massip wrote:

Maybe only respond to html format in login and logout actions?

I've just tested this approach but it doesn't work. Using non-GET seems to be the right solution for preventing that.

#6

Updated by Jean-Philippe Lang about 11 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in r11289, POST is now required to logout. FTR, GET /logout will still respond with a simple logout form for compatibility and disabled-javascript support.

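As an added illustration (not Redmine's AccountController and not the code of r11289, but a dependency-free Ruby sketch of the behaviour described in the report and in note #6): the first controller ends the session on any GET, so an image whose src points at /logout signs the viewer out; the second answers GET with a logout form carrying the session's CSRF token and only clears the session on a POST whose token matches. The session hash, Request struct and token field name are assumptions for the sketch; the point is that Rails' forgery check never applies to GET, so the only fix is to make the action non-GET.

```ruby
require "securerandom"

# Constructed stand-ins for a Rack request and a Rails session (hypothetical).
Request = Struct.new(:http_method, :params)

# Constructed session for a logged-in user with a fresh CSRF token.
def fresh_session
  { user_id: 42, csrf_token: SecureRandom.hex(16) }
end

# Before the fix: logout reacts to any verb, and Rails' verify_authenticity_token
# skips GET requests, so a cross-site <img src="/logout"> clears the session.
class VulnerableAccountController
  def initialize(session)
    @session = session
  end

  def logout(_request)
    @session.clear
    [302, "redirect to /login"]
  end
end

# After the fix (as in note #6): GET only renders a form with the session's token,
# so an image or link cannot sign anyone out; only a POST with the matching
# authenticity_token clears the session.
class HardenedAccountController
  def initialize(session)
    @session = session
  end

  def logout(request)
    if request.http_method == "GET"
      token = @session[:csrf_token]
      form = "<form method=\"post\" action=\"/logout\">" \
             "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{token}\">" \
             "<input type=\"submit\" value=\"Logout\"></form>"
      return [200, form]
    end
    valid = request.http_method == "POST" &&
            request.params["authenticity_token"] == @session[:csrf_token]
    return [422, "invalid authenticity token"] unless valid

    @session.clear
    [302, "redirect to /login"]
  end
end
```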
#7

Updated by Anonymous about 11 years ago

Jan Niggemann wrote:

There's a security(at)redmine.org email address? Didn't know that...

That's what it says here: Submissions

BTW: That was fixed quickly, Kudos!
