Defect #13022
closed
Image pointing towards /logout signs out user
Added by Anonymous almost 12 years ago.
Updated almost 12 years ago.
Description
Creating an image with the source URL /logout
will automatically sign out any user.
Code
!/logout!
Test case (This will sign you out!)
See issue #13021
This can be annoying and should be prevented by only allowing POST requests with a valid CSRF token in the AccountController.logout
method (source:trunk/app/controllers/account_controller.rb).
Hi Marco,
first of all, thank you for your input and for making us aware of this.
I don't think that using a live system for demonstrating issues is either a good idea or good conduct.
I closed the referenced issue, but I'm not sure if deleting it wouldn't have been better...
Hi Jan,
Sorry about being overly attention-demanding. So, yeah sure, it is probably better to just delete the ticket.
I had actually reported this two years ago to security(at)redmine.org, but it probably slipped through at some point. Anyway, it's just a minor annoyance, and not a real security issue.
Maybe only respond to html format in login and logout actions?
There's a security(at)redmine.org email address? Didn't know that...
- Assignee set to Jean-Philippe Lang
- Target version set to 2.3.0
Etienne Massip wrote:
Maybe only respond to html format in login and logout actions?
I've just tested this approach but it doesn't work. Using non-GET seems to be the right solution for preventing that.
- Status changed from New to Closed
- Resolution set to Fixed
Fixed in r11289, POST is now required to logout. FTR, GET /logout
will still respond with a simple logout form for compatibility and disabled-JavaScript support.
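Added example (not Redmine's code, and not the r11289 change itself): a framework-free Ruby stand-in for the logout action that shows both the behaviour reported in the description (any request, including an `<img src="/logout">` fetch, signs the user out) and the shape of the fix described above (GET only renders a logout form, POST is honoured only with the session's CSRF token). The session is a plain Hash and the names `new_session`, `vulnerable_logout`, `hardened_logout`, `secure_compare` and the `authenticity_token` parameter are assumptions for illustration, not Redmine identifiers.

```ruby
# Added illustration, not Redmine code. Plain Ruby, no Rails, so it runs offline.
require "securerandom"

# Constant-time comparison so a token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical session: a Hash holding the logged-in user and a per-session CSRF token.
def new_session(user_id)
  { user_id: user_id, csrf_token: SecureRandom.hex(32) }
end

# "Before" behaviour from the report: the request method is ignored, so a GET
# issued by the browser for an embedded image (Textile !/logout!) logs the user out.
def vulnerable_logout(session, _method, _params = {})
  session.delete(:user_id)
  [302, { "Location" => "/login" }, ""]
end

# "After" behaviour in the spirit of the fix: GET changes no state and only
# returns a form (works without JavaScript); POST must carry the session's token.
def hardened_logout(session, method, params = {})
  case method
  when "GET"
    form = <<~HTML
      <form action="/logout" method="post">
        <input type="hidden" name="authenticity_token" value="#{session[:csrf_token]}">
        <input type="submit" value="Logout">
      </form>
    HTML
    [200, { "Content-Type" => "text/html" }, form]
  when "POST"
    expected = session[:csrf_token]
    supplied = params["authenticity_token"].to_s
    # A session with no token (e.g. nobody logged in) must not be treated as a match.
    unless expected.is_a?(String) && !expected.empty? && secure_compare(supplied, expected)
      return [422, { "Content-Type" => "text/plain" }, "Invalid authenticity token"]
    end
    session.delete(:user_id)
    [302, { "Location" => "/login" }, ""]
  else
    [405, { "Allow" => "GET, POST" }, ""]
  end
end

if __FILE__ == $PROGRAM_NAME
  s = new_session(7)
  puts "GET -> #{hardened_logout(s, 'GET').first}, still logged in: #{!s[:user_id].nil?}"
  puts "POST bad token -> #{hardened_logout(s, 'POST', 'authenticity_token' => 'x').first}"
  puts "POST good token -> #{hardened_logout(s, 'POST', 'authenticity_token' => s[:csrf_token]).first}, logged in: #{!s[:user_id].nil?}"
end
```

An image tag on another site can trigger the GET but cannot read the token out of the returned form (same-origin policy) and cannot issue the POST with it, which is why the method restriction works where Etienne's format-only idea could not: an `<img>` fetch is still a plain GET with an HTML-accepting browser behind it.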
Jan Niggemann wrote:
There's a security(at)redmine.org email address? Didn't know that...
That's what it says here: Submissions
BTW: That was fixed quickly, Kudos!