[jira] [Commented] (STORM-460) CSRF vulnerability in storm UI

ASF GitHub Bot (JIRA) Fri, 05 Sep 2014 08:44:28 -0700

    [ 
https://issues.apache.org/jira/browse/STORM-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14123061#comment-14123061
 ]


ASF GitHub Bot commented on STORM-460:
--------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-storm/pull/230


> CSRF vulnerability in storm UI
> ------------------------------
>
>                 Key: STORM-460
>                 URL: https://issues.apache.org/jira/browse/STORM-460
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>    Affects Versions: feature-security
>            Reporter: Parth Brahmbhatt
>             Fix For: feature-security
>
>
>  If you are already kerberized and visit a webpage that malliciosly posts 
> this request
> http://storm-ui-root/api/v1/topology/storm-6-1406915499/kill/30
> it will end up killing a topology with id storm-6-1406915499. 
> To reproduce the issue, open storm ui in secure or non secure mode once using 
> any browser. You can then close the storm ui tab. Usig chrome 
> https://chrome.google.com/webstore/detail/postman-rest-client/fdmmgilgnpjigdojojpjoooidkmcomcm
>  or curl post this request 
> http://<storm-ui-root>/api/v1/topology/<your topology id>/kill/30
> It should end up killing the topology.
> See http://en.wikipedia.org/wiki/Cross-site_request_forgery to understand 
> CSRF vulenrability.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (STORM-460) CSRF vulnerability in storm UI

Reply via email to