Logout page vulnerable to CSRF

Bug #1298790 reported by Julian Edwards
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
MAAS | Fix Released | High | Raphaël Badin |
1.2 | Fix Released | High | Raphaël Badin |
1.5 | Fix Released | High | Raphaël Badin |

Bug Description

The logout page can be accessed by browsing to /MAAS/accounts/logout/. This has no protection
against cross-site request forgery attacks, so remote attackers may be able to cause annoyance by
forcing users to log out of the application.

Tags: netcraft
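
The difference between a logout endpoint with no CSRF protection and one that requires a POST carrying a per-session token, as an added example (not MAAS code and not the fix that was committed for this bug). The in-memory session store, the function names and the `csrf_token` form field are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user", "csrf"}.
SESSIONS = {}

def login(user):
    """Create a session with its own random CSRF token; return the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def logout_unprotected(method, sid, form):
    """Behaviour the report describes: any request that carries the session
    cookie ends the session, whatever site caused the browser to send it."""
    SESSIONS.pop(sid, None)
    return 302

def logout_protected(method, sid, form):
    """End the session only for a POST carrying the session's CSRF token."""
    session = SESSIONS.get(sid)
    if session is None:
        return 302          # nothing to log out; redirect to the login page
    if method != "POST":
        return 405          # GET/HEAD must not change state
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes avoids leaking the token via timing.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403          # forged or stale request: session stays alive
    del SESSIONS[sid]
    return 302

if __name__ == "__main__":
    sid = login("alice")
    # A cross-site request has the cookie (sid) but cannot read the token.
    print(logout_protected("GET", sid, {}), sid in SESSIONS)
    print(logout_protected("POST", sid, {}), sid in SESSIONS)
    token = SESSIONS[sid]["csrf"]
    print(logout_protected("POST", sid, {"csrf_token": token}), sid in SESSIONS)
```
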

Raphaël Badin (rvb)
Changed in maas:
assignee: nobody → Raphaël Badin (rvb)
status: Triaged → In Progress
Raphaël Badin (rvb)
Changed in maas:
status: In Progress → Fix Committed
Raphaël Badin (rvb)
Changed in maas:
milestone: none → 14.04
milestone: 14.04 → 14.10
Changed in maas:
status: Fix Committed → Fix Released
milestone: 14.10 → none
information type: Private Security → Public Security
This report contains Public Security information  
Everyone can see this security related information.