accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Updated] (ACCUMULO-3460) Monitor should not allow HTTP TRACE
Date Fri, 22 May 2015 18:33:17 GMT


Christopher Tubbs updated ACCUMULO-3460:
    Affects Version/s:     (was: 1.6.2)
                           (was: 1.6.1)

> Monitor should not allow HTTP TRACE
> -----------------------------------
>                 Key: ACCUMULO-3460
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>          Components: monitor
>    Affects Versions: 1.5.0, 1.5.1, 1.5.2, 1.6.0
>            Reporter: Sean Busbey
>            Priority: Minor
>              Labels: security
>             Fix For: 1.6.3, 1.8.0, 1.7.1
> A Nessus scan pinged my test cluster because the Accumulo monitor allows HTTP TRACE requests.
(ref: [an overview of the general problem class|])
> The issue isn't bad unless
> * there's a same-origin-policy bypass for the user browser
> * there's an auth token we care about
> Exploits the bypass the same-origin-policy happen, so it's best to clean up server side
if possible.
> The only auth tokens present in the Monitor are when we make use of the ShellServlet
from ACCUMULO-196. We rely on the session state for auth, so there isn't a risk of leaking
auth info directly, but we would leak the session id. 
> The CSRF added in ACCUMULO-2785 means just the session id wouldn't be enough for impersonation,
but if an attacker can read one requested page we have to presume they can read another.
> We should clean up our configs to disallow HTTP TRACE as a proactive measure.
> Marking minor since an attack vector would need an enabling vulnerability on the client

This message was sent by Atlassian JIRA

View raw message