Vote #73260
Closed: Image pointing towards /logout signs out user
0%
Description
Creating an image with the source url @/logout@ will automatically sign out any user.
Code
!/logout!
Test case (This will sign you out!)
See issue #13021
This can be annoying and should be prevented by only allowing POST requests with a valid CSRF token in the @AccountController.logout@ method (source:trunk/app/controllers/account_controller.rb).
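The following is an added example, not Redmine's code, that models the problem described above and the fix later reported in the journal (POST required, GET answering with a plain logout form). It is framework-free: the request and session are plain Hashes standing in for a Rails request and session, and all function and parameter names (`logout_get_only`, `logout_post_with_csrf`, `authenticity_token`, `secure_equal?`) are assumptions chosen for the illustration.

```ruby
require 'securerandom'

# Added example (not Redmine's code): a minimal model of the logout endpoint
# before and after the fix. `request` is a Hash standing in for a Rack/Rails
# request (:method, :params); `session` is a Hash. All names are hypothetical.

# Constant-time comparison so token checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable handler: any GET /logout clears the session, so a browser
# fetching <img src="/logout"> signs the viewer out as a side effect.
def logout_get_only(_request, session)
  session.clear
  [302, { 'Location' => '/login' }, []]
end

# Hardened handler: GET only renders a form and changes no state; POST must
# carry the CSRF token bound to this session, otherwise nothing happens.
def logout_post_with_csrf(request, session)
  case request[:method]
  when 'GET'
    token = (session[:csrf_token] ||= SecureRandom.hex(32))
    form = '<form method="post" action="/logout">' \
           "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{token}\">" \
           '<button>Logout</button></form>'
    [200, { 'Content-Type' => 'text/html' }, [form]]
  when 'POST'
    expected = session[:csrf_token]
    supplied = request.fetch(:params, {})['authenticity_token']
    unless expected && secure_equal?(expected, supplied)
      return [422, { 'Content-Type' => 'text/plain' }, ['invalid authenticity token']]
    end
    session.clear
    [302, { 'Location' => '/login' }, []]
  else
    [405, { 'Allow' => 'GET, POST' }, []]
  end
end

# Replays the image-tag fetch from the report (a bare GET with no token)
# against a handler and reports whether the logged-in user was signed out.
def image_triggered_logout?(handler)
  session = { user_id: 42 } # constructed logged-in session
  send(handler, { method: 'GET' }, session)
  !session.key?(:user_id)
end
```

Run as a script, `image_triggered_logout?(:logout_get_only)` is true and `image_triggered_logout?(:logout_post_with_csrf)` is false: the hardened version ignores the image fetch, rejects a POST whose token is missing or wrong, and only clears the session when the token matches. In a Rails application the equivalent is to restrict the route to POST and make sure forgery protection is not skipped for the logout action; restricting the response format alone, as one journal entry notes, does not help because the image request is still a GET that reaches the action.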
journals
Hi Marco,
first of all, thank you for your input and for making us aware of this.
I don't think that using a live system for demonstrating issues is either a good idea or good conduct.
I closed the referenced issue, but I'm not sure if deleting it wouldn't have been better...
--------------------------------------------------------------------------------
Hi Jan,
Sorry about being overly attention demanding. So, yeah sure, it is probably better to just delete the ticket.
I had actually reported this two years ago to security(at)redmine.org, but it probably slipped through at some point. Anyway, it's just a minor annoyance, and not a real security issue.
--------------------------------------------------------------------------------
Maybe only respond to html format in login and logout actions?
--------------------------------------------------------------------------------
There's a security(at)redmine.org email address? Didn't know that...
--------------------------------------------------------------------------------
Etienne Massip wrote:
> Maybe only respond to html format in login and logout actions?
I've just tested this approach but it doesn't work. Using non-GET seems to be the right solution for preventing that.
--------------------------------------------------------------------------------
Fixed in r11289, POST is now required to logout. FTR, @GET /logout@ will still respond with a simple logout form for compatibility and disabled-JavaScript support.
--------------------------------------------------------------------------------
Jan Niggemann wrote:
> There's a security(at)redmine.org email address? Didn't know that...
That's what it says here: [[Submissions#Submitting-a-Security-Vulnerability]]
BTW: That was fixed quickly, Kudos!
--------------------------------------------------------------------------------
Related issues
Duplicates #13069 (Closed): XSS with images