[ACCUMULO-2785] ShellServlet vulnerable to CSRF - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.5.1, 1.6.0
Fix Version/s: 1.5.2, 1.6.1, 1.7.0
Component/s: monitor
Labels:
None

Description

Noticed that the ShellServlet doesn't include any sort of CSRF token to prevent an attack, but just uses the state of the session to determine authentication.

I believe this means that the servlet is potentially vulnerable to a csrf attack. CORS protects against the majority of this, I haven't been able to come up with a plausible vector for an actual attack yet, but it would be good to clean up.

Attachments

Activity

People

Assignee:: Josh Elser

Reporter:: Josh Elser

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/May/14 19:29

Updated:: 24/May/14 00:32

Resolved:: 24/May/14 00:32