[
https://issues.apache.org/jira/browse/ACCUMULO-2785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14007924#comment-14007924
]
ASF subversion and git services commented on ACCUMULO-2785:
-----------------------------------------------------------
Commit 5d4cf3b425c291ce1a3133f1637145b51bf276cf in accumulo's branch
refs/heads/1.5.2-SNAPSHOT from [~elserj]
[ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=5d4cf3b ]
ACCUMULO-2785 Create a random string in the session, and provide it in requests
to mitigate CSRF.
> ShellServlet vulnerable to CSRF
> -------------------------------
>
> Key: ACCUMULO-2785
> URL: https://issues.apache.org/jira/browse/ACCUMULO-2785
> Project: Accumulo
> Issue Type: Bug
> Components: monitor
> Affects Versions: 1.5.1, 1.6.0
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 1.5.2, 1.6.1, 1.7.0
>
>
> Noticed that the ShellServlet doesn't include any sort of CSRF token to
> prevent an attack, but just uses the state of the session to determine
> authentication.
> I believe this means that the servlet is potentially vulnerable to a CSRF
> attack. CORS protects against the majority of this; I haven't been able to
> come up with a plausible vector for an actual attack yet, but it would be
> good to clean up.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
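The commit message above describes the synchronizer token pattern: a random value is created once per session, echoed into the page the server itself renders, and required on every state-changing request. The following Python illustration, added here and not taken from Accumulo's ShellServlet or its patch, shows the three pieces a servlet-style handler needs (token generation bound to the session, constant-time verification, and rejection of requests that carry no token or a token from another session). The `Session` class, the `csrf_token` parameter name, the `/shell` action and the `cmd` parameter are assumptions made for the example.

```python
import secrets
import hmac

TOKEN_BYTES = 32  # 256 bits of randomness per session token


class Session:
    """Minimal stand-in for a server-side HTTP session (constructed for this example)."""

    def __init__(self):
        self.attributes = {}


def get_or_create_csrf_token(session):
    """Return the session's CSRF token, generating one on first use.

    The token is random and bound to this session only, so a request forged
    from another origin has no way to learn it (the browser's same-origin
    policy keeps the page content, and therefore the token, from that origin).
    """
    token = session.attributes.get("csrf_token")
    if token is None:
        token = secrets.token_hex(TOKEN_BYTES)
        session.attributes["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """Check the token carried in a request against the one stored in the session.

    Returns True only if the session already holds a token, the request
    supplied one, and they match. Comparison is constant-time so a mismatch
    does not leak how many leading characters were correct.
    """
    expected = session.attributes.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_shell_request(session, params):
    """Gate a state-changing request behind the token check.

    `params` stands for the request parameters; being logged in (having a
    session) is no longer sufficient on its own, which is the point of the fix.
    Returns (status code, message).
    """
    if not verify_csrf_token(session, params.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "command accepted: " + params.get("cmd", "")


def render_form(session):
    """Embed the session token in the form the legitimate page serves."""
    token = get_or_create_csrf_token(session)
    return ('<form method="post" action="/shell">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="cmd"><input type="submit"></form>')


if __name__ == "__main__":
    s = Session()
    print(render_form(s))
    # Request from the server-rendered form: carries the session's token.
    print(handle_shell_request(s, {"cmd": "tables",
                                   "csrf_token": s.attributes["csrf_token"]}))
    # Request that relies on the session alone, as the unpatched servlet allowed.
    print(handle_shell_request(s, {"cmd": "tables"}))
```

Two details matter in practice: the token must be compared with a constant-time function rather than `==`, and a token from one session must never be accepted by another, which the per-session storage guarantees.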