I recall there was some analysis done on general vulnerabilities by the Red Hat security team - the main concern I remember wasn't XSRF but variants on XSS. Even then - the real concern was that there was/is dynamic code executed which comes from the client (could allow for elevated priviledges). I think the general agreement at the time was that usage on more public networks with less trusted users was not going to be recommended anyway. <div>
<br></div><div>But XSRF does seem more serious - if you can eliminate that class of attack then you are left with users who the system already trusts (has to - they are writing rules). <br><br><div class="gmail_quote">On Fri, Mar 25, 2011 at 1:34 AM, Michael Anstis <span dir="ltr"><<a href="mailto:michael.anstis@gmail.com">michael.anstis@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">So, realistically we can expect our users to notice the hick-up at some stage with 5.2.0 (or GWT2.1+ in reality).<br><br>
Should we consider an emergency game-plan should a fix not be found prior to release? e.g. Remove XSRF protection short-term. It doesn't leave Guvnor any more exposed than we were pre-GWT2.1). I've posted to GWT's forums but had no response as yet.<br>
<br>Views anybody?<br><br>Cheers,<br><br>Mike<br><br><div class="gmail_quote">On 24 March 2011 14:26, Tihomir Surdilovic <span dir="ltr"><<a href="mailto:tsurdilo@redhat.com" target="_blank">tsurdilo@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"><div class="im"><div>On 3/23/11 4:34 PM, Michael Anstis wrote:<br>
> Has anybody experienced this in "Web" mode?<br>
</div></div>Yes. When first reporting this I was running on JBoss AS 4.2.3.<br>
<br>
Thanks.<br>
_______________________________________________<br>
rules-dev mailing list<br>
<a href="mailto:rules-dev@lists.jboss.org" target="_blank">rules-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/rules-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-dev</a><br>
</blockquote></div><br>
<br>_______________________________________________<br>
rules-dev mailing list<br>
<a href="mailto:rules-dev@lists.jboss.org">rules-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/rules-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-dev</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Michael D Neale<br>home: <a href="http://www.michaelneale.net">www.michaelneale.net</a><br>blog: <a href="http://michaelneale.blogspot.com">michaelneale.blogspot.com</a><br>
</div>