Return-Path: 
 <notifications-return-21568-apmail-accumulo-notifications-archive=accumulo.apache.org@accumulo.apache.org>
X-Original-To: apmail-accumulo-notifications-archive@minotaur.apache.org
Delivered-To: apmail-accumulo-notifications-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 1AB2811C88
	for <apmail-accumulo-notifications-archive@minotaur.apache.org>;
 Sat, 24 May 2014 00:32:02 +0000 (UTC)
Received: (qmail 46826 invoked by uid 500); 24 May 2014 00:32:02 -0000
Delivered-To: apmail-accumulo-notifications-archive@accumulo.apache.org
Received: (qmail 46788 invoked by uid 500); 24 May 2014 00:32:02 -0000
Mailing-List: contact notifications-help@accumulo.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:notifications-help@accumulo.apache.org>
List-Unsubscribe: <mailto:notifications-unsubscribe@accumulo.apache.org>
List-Post: <mailto:notifications@accumulo.apache.org>
List-Id: <notifications.accumulo.apache.org>
Reply-To: jira@apache.org
Delivered-To: mailing list notifications@accumulo.apache.org
Received: (qmail 46768 invoked by uid 99); 24 May 2014 00:32:02 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 24 May 2014 00:32:02 +0000
Date: Sat, 24 May 2014 00:32:01 +0000 (UTC)
From: "ASF subversion and git services (JIRA)" <jira@apache.org>
To: notifications@accumulo.apache.org
Message-ID: <JIRA.12712923.1399490979717.12842.1400891521965@arcas>
In-Reply-To: <JIRA.12712923.1399490979717@arcas>
References: <JIRA.12712923.1399490979717@arcas>
Subject: [jira] [Commented] (ACCUMULO-2785) ShellServlet vulnerable to CSRF
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/ACCUMULO-2785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14007925#comment-14007925 ] 

ASF subversion and git services commented on ACCUMULO-2785:
-----------------------------------------------------------

Commit 5d4cf3b425c291ce1a3133f1637145b51bf276cf in accumulo's branch refs/heads/1.6.1-SNAPSHOT from [~elserj]
[ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=5d4cf3b ]

ACCUMULO-2785 Create a random string in the session, and provide it in requests to mitigate CSRF.


> ShellServlet vulnerable to CSRF
> -------------------------------
>
>                 Key: ACCUMULO-2785
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-2785
>             Project: Accumulo
>          Issue Type: Bug
>          Components: monitor
>    Affects Versions: 1.5.1, 1.6.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.5.2, 1.6.1, 1.7.0
>
>
> Noticed that the ShellServlet doesn't include any sort of CSRF token to prevent an attack, but just uses the state of the session to determine authentication.
> I believe this means that the servlet is potentially vulnerable to a csrf attack. CORS protects against the majority of this, I haven't been able to come up with a plausible vector for an actual attack yet, but it would be good to clean up.



--
This message was sent by Atlassian JIRA
(v6.2#6252)