[ https://issues.apache.org/jira/browse/ACCUMULO-2785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14007926#comment-14007926 ]
ASF subversion and git services commented on ACCUMULO-2785: ----------------------------------------------------------- Commit 5d4cf3b425c291ce1a3133f1637145b51bf276cf in accumulo's branch refs/heads/master from [~elserj] [ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=5d4cf3b ] ACCUMULO-2785 Create a random string in the session, and provide it in requests to mitigate CSRF. > ShellServlet vulnerable to CSRF > ------------------------------- > > Key: ACCUMULO-2785 > URL: https://issues.apache.org/jira/browse/ACCUMULO-2785 > Project: Accumulo > Issue Type: Bug > Components: monitor > Affects Versions: 1.5.1, 1.6.0 > Reporter: Josh Elser > Assignee: Josh Elser > Fix For: 1.5.2, 1.6.1, 1.7.0 > > > Noticed that the ShellServlet doesn't include any sort of CSRF token to > prevent an attack, but just uses the state of the session to determine > authentication. > I believe this means that the servlet is potentially vulnerable to a csrf > attack. CORS protects against the majority of this, I haven't been able to > come up with a plausible vector for an actual attack yet, but it would be > good to clean up. -- This message was sent by Atlassian JIRA (v6.2#6252)