Security bug in IE11

Question
1

Hi Stefan,

thanks for this information.
I can not understand and reproduce this.

Each REST call requires an Authorization Token (JWT) to be sent in the
header. If this token is not available the API call will refuse the
connection, i.e. the authentication is done below the UI level and also
tested in some of the unit tests.
Additionally, when you press F5, the single page application is loaded
anew and it should forget all data - also the JWT.

You can see the behaviour, when you issue a request directly to
https://yourserver/audit, you will get:

{
“id”: 1,
“jsonrpc”: “2.0”,
“result”: {
“error”: {
“code”: -401,
“message”: “missing Authorization header”
},
“status”: false
},
“version”: “xyz”
}

If you don’t get this message, the browser still has the authorization
header intact.

I only can assume that the JWT remains in the IEs browser cache and gets
“activated” and sent during the F5 presses.
Nevertheless I am curious, at which point the IE did not clear it.
So when can you see this behaviour? After having logged out? Can you see
it with a newly started IE?

Thanks a lot and kind regards
CorneliusAm 28.02.2015 um 21:12 schrieb Stefan Steuer:

and after I click at the resolver name in the audit log I can see the
configuration of the whole system - without any login.

On Saturday, February 28, 2015 at 9:10:28 PM UTC+1, Stefan Steuer wrote:

Hi Cornelius,
I found a big bug privacyidea.
When I open the url to my privacyidea control panel and try to
open the audit log without any login I'll get the login screen.
When I press F5 for two times - I'll the the hole audit log.


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com
mailto:privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com
mailto:privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/0d346363-bdc4-49a3-925c-8552eb0468e7%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/0d346363-bdc4-49a3-925c-8552eb0468e7%40googlegroups.com?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.

2

Hi Stefan,

but only if you were logged in previously.
So for some reason it seams that in your case IE11 does not clear caches
right…

I will just test for IE11 and deny access with IE11 in the first place! :wink:

Thanks
CorneliusAm 01.03.2015 um 12:59 schrieb Stefan Steuer:

Dear Cornelius,
after I logged out and open the audit file and reloaded the site for
two times I’m able to see the log - but only in IE (chrome, firefox
working fine)


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com
mailto:privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com
mailto:privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/553be2cc-03bf-4393-9a07-43408958bc04%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/553be2cc-03bf-4393-9a07-43408958bc04%40googlegroups.com?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.

3

Do you log out, by hitting logout or are you logged out autmatically?

How are you reloading the site? F5 or any other way?Am 01.03.2015 um 12:59 schrieb Stefan Steuer:

Dear Cornelius,
after I logged out and open the audit file and reloaded the site for
two times I’m able to see the log - but only in IE (chrome, firefox
working fine)


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com
mailto:privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com
mailto:privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/553be2cc-03bf-4393-9a07-43408958bc04%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/553be2cc-03bf-4393-9a07-43408958bc04%40googlegroups.com?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.

4

Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wZ3Atc2lnbmF0dXJlOyBuYW1lPSJzaWduYXR1cmUu
YXNjIg0KQ29udGVudC1EZXNjcmlwdGlvbjogT3BlblBHUCBkaWdpdGFsIHNpZ25hdHVyZQ0KQ29u
dGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9InNpZ25hdHVyZS5hc2MiDQoN
Ci0tLS0tQkVHSU4gUEdQIFNJR05BVFVSRS0tLS0tDQpWZXJzaW9uOiBHbnVQRyB2MQ0KDQppUUlj
QkFFQkFnQUdCUUpVOHl4ekFBb0pFQkJoWkZVdWpZRkplM2dRQUs5OURVZUhRK2hIeWF1TEU4TTM1
eUZXDQpkS1N2NzluUTlTRGQ5MWhZVWhIbWNjNjRaTDAxcDMwb0NteVNLWTlrM0lDdExma29sN2Y1
OGx4MWtyMVZtSU9yDQprTXN5bEplQllFYTN5aHJwVkhvZ1dSdW5XSDZTRXEvY2hoM2JDRDd2L1Vj
djd0SGtBUGRoVzhEd0FwWTc3NTVMDQprUzdJK2srbWdGU0JzUk1DMjN4d2NIZ0Ywc24yamdlR2Va
bTliYkJLRmoveG8yMkZaWlMvK05FM0QzeWJnR0tyDQovVC9KQ2ZEZkliOFFBdHI5dWpJRnErbVl6
cnNQZndtRzEvMEIxaVhmem9rVGNRbjNjbWVBeVZRMnlrRzcvdUlXDQpXUDQ3TjVCa0VSOXdmUmNm
aXE0QnF5T3ZZMHVnZDBGWkV0enJwUUt6OHJVaTllK2g2UENwbUdqak91TE0rc3BYDQpoUGNwSjZh
UVJmdkFvQ0xLbkpPaVRtWmd0eWd4N0FqcnR3VjhMbUdLYUZMR21SQkdSRVlZSEJML2dadUxKSThj
DQpYRDJxR3hkbkNoK1o5a1lhOC9YZW4zTEFydlY3ZXVORDNlZ0lCbTM4S3RPQlYwWFUwTDNQQ2lO
SU5sc3d4czhKDQo5ckllMExGck1DVmo2b09rK0FxRW9tUmNKNmxuNm9BQ3BlUTdQZnpRTDQ4T2s0
aEUzcmNKVm1LelJvSVdmeDBRDQp6dnpaTk9Nb0RuYTk0STFJME9pV0M2eVAzZit5WVpQc1k5Z2dv
K2FUS1cxSGN0RExGZ0FxUzRWTW12T0luTis1DQpwdi9sdjgvR0JTSHBqOEx2QUQvdmtEUHI4Uis3
a3g2NHB6VXJTQjY1N1B3bU8vQXdEd0ViMkQvKzIwQU5FcXJ3DQpydTA3ZENrZzdrL1ZSYlQ2RElp
Ug0KPVhWdXoNCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQ0K

5

Dear Cornelius,
after I logged out and open the audit file and reloaded the site for two
times I’m able to see the log - but only in IE (chrome, firefox working
fine)>