[jira] [Created] (STORM-460) CSRF vulnerability in storm UI

Parth Brahmbhatt (JIRA) Sun, 17 Aug 2014 14:51:12 -0700

Parth Brahmbhatt created STORM-460:
--------------------------------------

             Summary: CSRF vulnerability in storm UI
                 Key: STORM-460
                 URL: https://issues.apache.org/jira/browse/STORM-460
             Project: Apache Storm (Incubating)
          Issue Type: Bug
    Affects Versions: feature-security
            Reporter: Parth Brahmbhatt



 If you are already kerberized and visit a webpage that malliciosly posts this 
request
http://storm-ui-root/api/v1/topology/storm-6-1406915499/kill/30
it will end up killing a topology with id storm-6-1406915499. 

To reproduce the issue, open storm ui in secure or non secure mode once using 
any browser. You can then close the storm ui tab. Usig chrome 
https://chrome.google.com/webstore/detail/postman-rest-client/fdmmgilgnpjigdojojpjoooidkmcomcm
 or curl post this request 

http://<storm-ui-root>/api/v1/topology/<your topology id>/kill/30

It should end up killing the topology.

See http://en.wikipedia.org/wiki/Cross-site_request_forgery to understand CSRF 
vulenrability.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Created] (STORM-460) CSRF vulnerability in storm UI

Reply via email to