Project

General

Profile

Actions
Copy link

Bug #190

closed

RefreshAddress not checked for same origin

Added by Tobias Wich about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
1.0.2
Start date:
03/21/2013
Due date:
% Done:

0%

Estimated time:
Reviewer:
Tobias Wich
Build Version:

Description

The certificate obtained from the TLS connection used to retrieve the TCToken must be used to validate the RefreshAddress. This is currently not the case.

The relevant section in the eCard API (Part 7) is 3.4.5

Related issues

Related to Bug #209: Final result of eID dialog is not send as HTTP Redirect to eID-Client, but eID-Client redirects/offers Browser that result pageClosedDirk Petrautzki03/27/2013

Actions
Has duplicate Bug #208: It seems that same origin policy is not checked (refer to TR-03112-7 v1.1.2 chapter 3.x)Rejected03/27/2013

Actions
Actions
Copy link
 #1

Updated by Tobias Wich about 10 years ago

  • Target version changed from 1.0.1 to 1.0.2

Issue needs further investigation because the "Same origin" check is dependent on information from EAC, which is only available when the nPA is used.

Actions
Copy link
 #2

Updated by Andreas Kuckartz about 10 years ago

Sounds like a security issue.

Actions
Copy link
 #3

Updated by Tobias Wich about 10 years ago

  • Status changed from New to Review
  • Reviewer set to Tobias Wich
Actions
Copy link
 #4

Updated by Tobias Wich about 10 years ago

  • Status changed from Review to Closed
Actions
Copy link

Also available in: Atom PDF