geode-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jared Stewart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GEODE-1532) Pulse is vulnerable to clickjacking
Date Tue, 27 Sep 2016 18:47:20 GMT

    [ https://issues.apache.org/jira/browse/GEODE-1532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15527070#comment-15527070
] 

Jared Stewart commented on GEODE-1532:
--------------------------------------

I have this fixed on a [branch | https://github.com/jaredjstewart/incubator-geode/tree/GEODE-1532],
but it needs to wait for post 9.0 Beta to be merged in since it required bumping spring-security
versions.

> Pulse is vulnerable to clickjacking
> -----------------------------------
>
>                 Key: GEODE-1532
>                 URL: https://issues.apache.org/jira/browse/GEODE-1532
>             Project: Geode
>          Issue Type: Bug
>          Components: pulse
>            Reporter: Swapnil Bawaskar
>            Assignee: Jared Stewart
>
> The Pulse application is vulnerable to clickjacking. An attacker could frame in the web
application and highjack a click, tricking a client into making an unintentional transaction.
Attackers exploit this vulnerability by loading target pages in IFRAMEs but keeping them hidden,
and then orienting the frame so that a user click on the embedding page is routed to a UI
control on the embedded page. The attack will be hidden from the user and perpetrated without
the user’s knowledge.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message