Re: Security bug in IE11


Cornelius Kölbel

Feb 28, 2015, 6:00:01 PM
to priva...@googlegroups.com
Hi Stefan,

thanks for this information.
I cannot understand and reproduce this.

Each REST call requires an Authorization Token (JWT) to be sent in the header. If this token is not available the API call will refuse the connection, i.e. the authentication is done below the UI level and also tested in some of the unit tests.
Additionally, when you press F5, the single page application is loaded anew and it should forget all data - also the JWT.

You can see the behaviour when you issue a request directly to https://yourserver/audit; you will get:

{
  "id": 1, 
  "jsonrpc": "2.0", 
  "result": {
    "error": {
      "code": -401, 
      "message": "missing Authorization header"
    }, 
    "status": false
  }, 
  "version": "xyz"
}

If you don't get this message, the browser still has the authorization header intact.

I can only assume that the JWT remains in IE's browser cache and gets "activated" and sent during the F5 presses.
Nevertheless I am curious, at which point the IE did not clear it.
So when can you see this behaviour? After having logged out? Can you see it with a newly started IE?

Thanks a lot and kind regards
Cornelius




On 28.02.2015 at 21:12, Stefan Steuer wrote:
and after I click at the resolver name in the audit log I can see the configuration of the whole system - without any login.


On Saturday, February 28, 2015 at 9:10:28 PM UTC+1, Stefan Steuer wrote:
Hi Cornelius,
I found a big bug in privacyidea.
When I open the URL to my privacyidea control panel and try to open the audit log without any login, I'll get the login screen. When I press F5 two times - I'll see the whole audit log.
--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/0d346363-bdc4-49a3-925c-8552eb0468e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Stefan Steuer

Mar 1, 2015, 6:59:15 AM
to priva...@googlegroups.com
Dear Cornelius,
after I logged out, opened the audit file and reloaded the site two times, I'm able to see the log - but only in IE (Chrome, Firefox working fine)


Cornelius Kölbel

Mar 1, 2015, 7:08:20 AM
to priva...@googlegroups.com
Hi Stefan,

but only if you were logged in previously.
So for some reason it seems that in your case IE11 does not clear caches right...

I will just test for IE11 and deny access with IE11 in the first place! ;-)

Thanks
Cornelius



Cornelius Kölbel

Mar 1, 2015, 7:09:36 AM
to priva...@googlegroups.com
Do you log out by hitting logout or are you logged out automatically?

How are you reloading the site? F5 or any other way?




Cornelius Kölbel

Mar 1, 2015, 10:12:53 AM
to priva...@googlegroups.com
Hi Stefan,

I think I found it.
IE is so eager about caching. It even cached displaying the login page.
Adding a no-cache to each response seems to fix the problem.

I will create a version 2.0.1.

Thanks a lot and Kind regards
Cornelius


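
The fix described in the last message (a no-cache header on every response) can be sketched as a WSGI middleware. This is an added example, not part of the thread and not privacyIDEA's own code; `NoCacheMiddleware`, `demo_app`, `call`, the HTTP 401 status and the token value are constructed for illustration.

```python
import json
from wsgiref.util import setup_testing_defaults

NO_CACHE = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),  # honoured by HTTP/1.0 caches
    ("Expires", "0"),
]
_CACHE_NAMES = {name.lower() for name, _ in NO_CACHE}


class NoCacheMiddleware:
    """Wrap a WSGI app so every response, error responses included, forbids caching."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            # Drop caching headers set by the app, then append the strict set.
            kept = [(k, v) for k, v in headers if k.lower() not in _CACHE_NAMES]
            return start_response(status, kept + NO_CACHE, exc_info)
        return self.app(environ, patched)


def demo_app(environ, start_response):
    """Constructed stand-in for a token-protected endpoint such as /audit."""
    if "HTTP_AUTHORIZATION" not in environ:
        status = "401 Unauthorized"  # assumed HTTP status for this sketch
        body = {"result": {"status": False, "error": {
            "code": -401, "message": "missing Authorization header"}}}
    else:
        status, body = "200 OK", {"result": {"status": True, "value": []}}
    # Deliberately cacheable, to show the middleware overriding it.
    start_response(status, [("Content-Type", "application/json"),
                            ("Cache-Control", "max-age=3600")])
    return [json.dumps(body).encode()]


def call(app, path, token=None):
    """Issue one in-process request; return (status, headers dict, parsed body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if token:
        environ["HTTP_AUTHORIZATION"] = token
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], json.loads(body)
```

Calling `call(NoCacheMiddleware(demo_app), "/audit")` returns the 401 body together with the strict caching headers, which is the check to repeat against a real deployment after logout.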