[rules-dev] Guvnor XSRF attack?

Michael Neale michael.neale at gmail.com
Thu Mar 24 16:50:58 EDT 2011


I recall there was some analysis done on general vulnerabilities by the Red
Hat security team - the main concern I remember wasn't XSRF but variants on
XSS. Even then - the real concern was that there was/is dynamic code
executed which comes from the client (could allow for elevated privileges).
I think the general agreement at the time was that usage on more public
networks with less trusted users was not going to be recommended anyway.

But XSRF does seem more serious - if you can eliminate that class of attack
then you are left with users who the system already trusts (has to - they
are writing rules).

On Fri, Mar 25, 2011 at 1:34 AM, Michael Anstis <michael.anstis at gmail.com>wrote:

> So, realistically we can expect our users to notice the hiccup at some
> stage with 5.2.0 (or GWT2.1+ in reality).
>
> Should we consider an emergency game-plan should a fix not be found prior
> to release? e.g. Remove XSRF protection short-term. It doesn't leave Guvnor
> any more exposed than we were pre-GWT2.1). I've posted to GWT's forums but
> had no response as yet.
>
> Views anybody?
>
> Cheers,
>
> Mike
>
> On 24 March 2011 14:26, Tihomir Surdilovic <tsurdilo at redhat.com> wrote:
>
>> On 3/23/11 4:34 PM, Michael Anstis wrote:
>> > Has anybody experienced this in "Web"  mode?
>> Yes. When first reporting this I was running on JBoss AS 4.2.3.
>>
>> Thanks.
>> _______________________________________________
>> rules-dev mailing list
>> rules-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/rules-dev
>>
>


-- 
Michael D Neale
home: www.michaelneale.net
blog: michaelneale.blogspot.com
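As an added illustration of the XSRF class of attack under discussion (this is a model written for this page, not Guvnor or GWT code): GWT 2.1's protection derives a token from the session cookie (XsrfTokenServiceServlet hands out the MD5 of the JSESSIONID value) and XsrfProtectedServiceServlet rejects RPCs whose body does not carry a matching token. The browser attaches the session cookie to a cross-site request automatically, but the attacking page cannot read that cookie, so it cannot compute the token. The session store, cookie value, origins and the `xsrf_protection` switch below are constructed assumptions; the switch models the "remove XSRF protection short-term" option from the thread.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed session store (assumption): session cookie value -> authenticated rule author.
SESSIONS = {"JSESSIONID-a1b2c3": "rule-author"}


def xsrf_token_for(session_cookie: str) -> str:
    """Token tied to the session, in the spirit of GWT's XsrfTokenServiceServlet:
    the MD5 hex digest of the session cookie value (modelled here, not GWT's code)."""
    return hashlib.md5(session_cookie.encode("utf-8")).hexdigest()


def fetch_xsrf_token(cookie: Optional[str]) -> Optional[str]:
    """Models the client calling XsrfTokenService.getNewXsrfToken(): only a request that
    belongs to a valid session gets a token. Script on an attacker's origin cannot read
    the response cross-site, so this endpoint is only useful to the application's own page."""
    if cookie in SESSIONS:
        return xsrf_token_for(cookie)
    return None


@dataclass
class RpcRequest:
    cookie: Optional[str]     # added by the browser to every request, cross-site ones included
    origin: str               # page that caused the request (constructed value for the demo)
    rpc_token: Optional[str]  # must be written into the RPC body by the application's own script
    body: str                 # the rule-saving call an attacker wants to trigger


def handle_rpc(req: RpcRequest, xsrf_protection: bool = True) -> Tuple[int, str]:
    """Server side, modelled on XsrfProtectedServiceServlet.validateXsrfToken():
    a request with a valid session but no matching token is refused."""
    user = SESSIONS.get(req.cookie or "")
    if user is None:
        return 401, "no session"
    if xsrf_protection:
        expected = xsrf_token_for(req.cookie)
        # Constant-time comparison so the check itself does not leak the token.
        if req.rpc_token is None or not hmac.compare_digest(req.rpc_token, expected):
            return 403, "RpcTokenException: invalid XSRF token"
    return 200, "%s saved rule: %s" % (user, req.body)


def legitimate_request(xsrf_protection: bool = True) -> int:
    """Guvnor's own page: holds the cookie, fetches the token, puts it in the RPC body."""
    cookie = "JSESSIONID-a1b2c3"
    token = fetch_xsrf_token(cookie)
    req = RpcRequest(cookie, "https://guvnor.example", token, "rule 'ok' when then end")
    return handle_rpc(req, xsrf_protection)[0]


def forged_request(xsrf_protection: bool = True) -> int:
    """A page on another origin makes the victim's browser send the RPC. The browser adds
    the cookie, but the attacker's script never saw it and cannot derive the token."""
    cookie = "JSESSIONID-a1b2c3"  # attached by the browser, invisible to the attacker's script
    req = RpcRequest(cookie, "https://attacker.example", None, "rule 'evil' when then end")
    return handle_rpc(req, xsrf_protection)[0]


if __name__ == "__main__":
    print("protected:   own page ->", legitimate_request(), " forged ->", forged_request())
    print("unprotected: own page ->", legitimate_request(False),
          " forged ->", forged_request(False))
```

With protection on, the forged request is refused even though the session cookie is present; with the switch off, the same forged request succeeds, which is the exposure the thread's "pre-GWT2.1" comparison refers to. Note that a token derived only from the session cookie is as strong as the cookie stays secret; an XSS in the application (the other concern raised above) lets injected script call the token service from the application's own origin, so XSRF protection does not cover that case.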