Defect #13022
Image pointing towards /logout signs out user
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Security | | |
| Target version: | 2.3.0 | | |
| Resolution: | Fixed | Affected version: | 2.2.2 |
Description
Creating an image whose source URL is /logout will automatically sign out any user who views the page, because the browser fetches the image with a GET request that carries the user's session cookie.
Code (Textile image markup, rendered as an img tag pointing at /logout):
!/logout!
Test case (This will sign you out!)
See issue #13021
This can be annoying and should be prevented by only allowing POST requests with a valid CSRF token in the AccountController.logout method (source:trunk/app/controllers/account_controller.rb).
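Added example, not Redmine's own code: a pure-Ruby stand-in for the logout action that models the pre-fix behaviour next to the post-fix behaviour described above and in comment #6 (GET renders a form, POST with a valid token signs out). The `LogoutHandler` class, the hash-based session and request, and the `authenticity_token` parameter name are assumptions made for illustration; a real Rails app gets this from its routes and protect_from_forgery.

```ruby
require 'securerandom'

# Stand-in for the logout action; session and request are plain hashes
# so the example runs without Rails (assumed names, not Redmine's API).
class LogoutHandler
  LOGOUT_FORM = '<form method="post" action="/logout">' \
                '<input type="hidden" name="authenticity_token" value="TOKEN">' \
                '<input type="submit" value="Logout"></form>'

  def self.new_session(user_id)
    { user_id: user_id, csrf_token: SecureRandom.hex(16) }
  end

  # Before the fix: any request to /logout ends the session, so a
  # browser fetching <img src="/logout"> signs the viewer out.
  def self.vulnerable(session, _request)
    session.clear
    [302, '/login']
  end

  # After the fix: GET only renders a POST form (keeps clients without
  # JavaScript working); only a POST carrying the session's CSRF token
  # actually signs the user out. An <img> fetch is a GET with no token,
  # so it can no longer end the session.
  def self.fixed(session, request)
    case request[:method]
    when 'GET'
      [200, LOGOUT_FORM.sub('TOKEN', session[:csrf_token].to_s)]
    when 'POST'
      token = (request[:params] || {})['authenticity_token']
      return [422, 'invalid authenticity token'] unless valid_token?(session, token)
      session.clear
      [302, '/login']
    else
      [405, 'method not allowed']
    end
  end

  # Constant-time comparison of the submitted token with the session's.
  def self.valid_token?(session, token)
    expected = session[:csrf_token]
    return false if expected.nil? || token.nil? || token.bytesize != expected.bytesize
    token.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```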
Related issues
Associated revisions
Use POST instead of GET for logging out (#13022).
History
#1 Updated by Jan Niggemann (redmine.org team member) almost 8 years ago
Hi Marco,
first of all, thank you for your input and for making us aware of this.
I don't think that using a live system for demonstrating issues is either a good idea or good conduct.
I closed the referenced issue, but I'm not sure if deleting it wouldn't have been better...
#2 Updated by Anonymous almost 8 years ago
Hi Jan,
Sorry about being overly attention-demanding. So, yeah, sure, it is probably better to just delete the ticket.
I had actually reported this two years ago to security(at)redmine.org, but it probably slipped through at some point. Anyway, it's just a minor annoyance, and not a real security issue.
#3 Updated by Etienne Massip almost 8 years ago
Maybe only respond to html format in login and logout actions?
#4 Updated by Jan Niggemann (redmine.org team member) almost 8 years ago
There's a security(at)redmine.org email address? Didn't know that...
#5 Updated by Jean-Philippe Lang almost 8 years ago
- Assignee set to Jean-Philippe Lang
- Target version set to 2.3.0
Etienne Massip wrote:
Maybe only respond to html format in login and logout actions?
I've just tested this approach but it doesn't work. Using non-GET seems to be the right solution for preventing that.
#6 Updated by Jean-Philippe Lang almost 8 years ago
- Status changed from New to Closed
- Resolution set to Fixed
Fixed in r11289, POST is now required to logout. FTR, GET /logout will still respond with a simple logout form for compatibility and disabled-JavaScript support.
#7 Updated by Anonymous almost 8 years ago
Jan Niggemann wrote:
There's a security(at)redmine.org email address? Didn't know that...
That's what it says here: Submissions
BTW: That was fixed quickly, Kudos!