Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.1, 1.6.0
    • Fix Version/s: 1.5.2, 1.6.1, 1.7.0
    • Component/s: monitor
    • Labels:
      None

      Description

      Noticed that the ShellServlet doesn't include any sort of CSRF token to prevent an attack, but just uses the state of the session to determine authentication.

      I believe this means that the servlet is potentially vulnerable to a CSRF attack. CORS protects against the majority of this; I haven't been able to come up with a plausible vector for an actual attack yet, but it would be good to clean up.

        Activity

        Josh Elser added a comment -

        Set a random UUID as a CSRF token when we start a session, and then include that token with all future requests.
        ASF subversion and git services added a comment -

        Commit 5d4cf3b425c291ce1a3133f1637145b51bf276cf in accumulo's branch refs/heads/master from Josh Elser
        [ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=5d4cf3b ]

        ACCUMULO-2785 Create a random string in the session, and provide it in requests to mitigate CSRF.
        ASF subversion and git services added a comment -

        Commit 5d4cf3b425c291ce1a3133f1637145b51bf276cf in accumulo's branch refs/heads/1.6.1-SNAPSHOT from Josh Elser
        [ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=5d4cf3b ]

        ACCUMULO-2785 Create a random string in the session, and provide it in requests to mitigate CSRF.
        ASF subversion and git services added a comment -

        Commit 5d4cf3b425c291ce1a3133f1637145b51bf276cf in accumulo's branch refs/heads/1.5.2-SNAPSHOT from Josh Elser
        [ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=5d4cf3b ]

        ACCUMULO-2785 Create a random string in the session, and provide it in requests to mitigate CSRF.
        Josh Elser added a comment -

        Looking at some code that ActiveMQ has (BindingBeanNameUrlHandlerMapping and SessionFilter), we can just set a new random UUID when we create a new session, and then include that token as a parameter for any forms that the "shell" submits.

        Then, we check the session's token against what was in the form and fail when they're not the same. Sounds easy enough.

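        The mechanism described in the comments above (a synchronizer token bound to the session, echoed back as a hidden form parameter, and compared on every submit) as an added, self-contained example. This is not code from Accumulo, ActiveMQ, or Josh Elser's commit; it is a stand-in written here to show the check and the two ways a cross-site request fails it. The in-memory `SESSIONS` store, the attribute name `csrf_token`, the parameter name `csrf`, the `/shell` action and the sample commands are all hypothetical stand-ins for the servlet container's HttpSession and the shell's form. It uses `secrets` for the token (Java's `UUID.randomUUID()` is likewise backed by `SecureRandom`) and `hmac.compare_digest` so the comparison is constant-time.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical in-memory session store standing in for the container's HttpSession.
SESSIONS: Dict[str, Dict[str, str]] = {}

CSRF_ATTR = "csrf_token"   # hypothetical name of the session attribute holding the token
CSRF_PARAM = "csrf"        # hypothetical name of the hidden form parameter


def create_session() -> str:
    """Start a session and bind a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {CSRF_ATTR: secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id: str) -> str:
    """The page the server renders: every form the shell submits carries the session's token."""
    token = SESSIONS[session_id][CSRF_ATTR]
    return (
        '<form method="POST" action="/shell">'
        f'<input type="hidden" name="{CSRF_PARAM}" value="{token}">'
        '<input name="cmd"><input type="submit"></form>'
    )


@dataclass
class Request:
    # session_id models the session cookie, which the browser attaches to any request
    # to the site, including ones triggered by an attacker's page.
    session_id: Optional[str]
    params: Dict[str, str] = field(default_factory=dict)


def handle_shell_post(req: Request) -> Tuple[int, str]:
    """The check: the submitted token must equal the one stored in the session."""
    session = SESSIONS.get(req.session_id) if req.session_id else None
    if session is None:
        return 401, "no session"
    submitted = req.params.get(CSRF_PARAM, "")
    # Constant-time comparison: a plain == would let timing leak the token byte by byte.
    if not hmac.compare_digest(submitted, session[CSRF_ATTR]):
        return 403, "CSRF token mismatch"
    return 200, "ran: " + req.params.get("cmd", "")


def extract_token(html: str) -> str:
    """What the legitimate client does implicitly: read the hidden field from the page it was served."""
    marker = f'name="{CSRF_PARAM}" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def demo() -> Tuple[Tuple[int, str], Tuple[int, str], Tuple[int, str]]:
    """Constructed scenario: one legitimate submit and two cross-site attempts against the same session."""
    sid = create_session()

    # Legitimate flow: the browser posts back the token it was served with the form.
    token = extract_token(render_form(sid))
    legit = handle_shell_post(Request(sid, {CSRF_PARAM: token, "cmd": "tables"}))

    # Cross-site flow 1: an attacker's page auto-submits a form to /shell. The browser sends
    # the victim's session cookie, but the attacker never saw the token, so it is absent.
    forged = handle_shell_post(Request(sid, {"cmd": "deletetable -f victimtable"}))

    # Cross-site flow 2: the attacker guesses a token; a 256-bit random value will not match.
    guessed = handle_shell_post(
        Request(sid, {CSRF_PARAM: secrets.token_urlsafe(32), "cmd": "deletetable -f victimtable"})
    )
    return legit, forged, guessed


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

        The token must be per-session (not global) and must never be readable cross-origin, which is why it is embedded in the page body rather than exposed on an endpoint an attacker's page could fetch; a request with no session at all is rejected before the token is even compared.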
          People

          • Assignee:
            Josh Elser
          • Reporter:
            Josh Elser
          • Votes:
            0
          • Watchers:
            1