Please send me the details about this in a direct mail, but it is protected
against CSRF and unless you are using a really old version of Keycloak I
doubt this is an actual vulnerability
On 23 March 2017 at 13:13, Ushanas Shastri <ushanas(a)gmail.com> wrote:
Hello,
We have a page where the user account details can be seen (the KeyCloak
realm/account page).
On that page, the user can update his email address etc.
As part of security testing, we found that this page is vulnerable to Cross
Site Request Forgery.
Is this a known issue, or should I report in JIRA?
Also, is there a way to configure some security options in KeyCloak to
prevent CSRF?
Regards, Ushanas.
On 23-Mar-2017 10:28 AM, "Ushanas Shastri" <ushanas(a)gmail.com> wrote:
Thank you, this works.
On 22 March 2017 at 21:39, Marko Strukelj <mstrukel(a)redhat.com> wrote:
> You can add a new admin user by using add-user-keycloak script:
>
> https://keycloak.gitbooks.io/documentation/content/server_admin/topics/initialization.html
>
> Then you can log into the Admin Console and set a new password for
> original admin user.
>
> On Wed, Mar 22, 2017 at 12:51 PM, Ushanas Shastri <ushanas(a)gmail.com>
> wrote:
>
>> Hello,
>> How do I reset the admin password? I don't have the admin password, and
>> want to be able to reset it like it was a new install.
>>
>> Regards, Ushanas.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
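The exchange above turns on whether the account page's e-mail update form is protected by a session-bound anti-CSRF token (Keycloak's account forms carry such a hidden field). The following is an added illustration, not Keycloak's code and not anything posted in this thread: a minimal update-e-mail handler written twice, once authenticating by cookie alone and once also requiring a per-session synchronizer token, driven by a forged cross-site POST and a legitimate one. The session store, the field name `stateChecker` and the handler names are assumptions made for the example.

```python
"""Session-bound anti-CSRF (synchronizer token) check for a state-changing
form such as an account page that updates an e-mail address.

Added illustration, not Keycloak code. SESSIONS, login, render_form and the
update_email_* handlers are invented for this example.
"""
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session state.
SESSIONS = {}


def login(user):
    """Create a session and mint the per-session token the real form will carry."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": None,
                     "state_checker": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """What the legitimate (same-origin) page embeds as a hidden field."""
    return {"stateChecker": SESSIONS[sid]["state_checker"]}


def update_email_vulnerable(cookie_sid, form):
    """Authenticates by cookie only. A <form> auto-submitted from an
    attacker's page carries the victim's cookie, so it is accepted."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    sess["email"] = form["email"]
    return 200


def update_email_protected(cookie_sid, form):
    """Same handler with a synchronizer token: the POST must carry the secret
    value that only a page served from the same origin could have read."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    supplied = form.get("stateChecker", "")
    # Constant-time compare so a wrong token is not distinguishable by timing.
    if not hmac.compare_digest(supplied, sess["state_checker"]):
        return 403
    sess["email"] = form["email"]
    return 200


def run_demo():
    """Drive both handlers with forged cross-site POSTs and a legitimate one."""
    sid = login("victim")
    # Attacker's page: the browser attaches the victim's cookie, but the
    # attacker cannot read the token, so at best it is absent or guessed.
    forged_no_token = {"email": "attacker@example.invalid"}
    forged_guess = {"email": "attacker@example.invalid", "stateChecker": "guess"}
    legit = dict(render_form(sid), email="real@example.invalid")

    results = {}
    results["vulnerable_forged"] = update_email_vulnerable(sid, forged_no_token)
    results["vulnerable_email"] = SESSIONS[sid]["email"]

    SESSIONS[sid]["email"] = None  # reset before trying the protected handler
    results["protected_no_token"] = update_email_protected(sid, forged_no_token)
    results["protected_guess"] = update_email_protected(sid, forged_guess)
    results["protected_email_after_forged"] = SESSIONS[sid]["email"]
    results["protected_legit"] = update_email_protected(sid, legit)
    results["protected_email_after_legit"] = SESSIONS[sid]["email"]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point a scanner report often misses is the second handler: the cookie still arrives with the forged request, but the hidden token does not, because the same-origin policy keeps the attacker's page from reading it. When a tool flags a form as CSRF-vulnerable, replay the captured POST from a different origin with the token field removed or altered; if the server still applies the change, the finding is real, and if it answers with an error as above, the form is protected and the report is a false positive.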