Re: [rules-dev] Guvnor XSRF attack?
I recall there was some analysis done on general vulnerabilities by the Red
Hat security team - the main concern I remember wasn't XSRF but variants on
XSS. Even then - the real concern was that there was/is dynamic code
executed which comes from the client (could allow for elevated priviledges).
I think the general agreement at the time was that usage on more public
networks with less trusted users was not going to be recommended anyway.
But XSRF does seem more serious - if you can eliminate that class of attack
then you are left with users who the system already trusts (has to - they
are writing rules).
On Fri, Mar 25, 2011 at 1:34 AM, Michael Anstis <michael.anstis(a)gmail.com>wrote:
So, realistically we can expect our users to notice the hick-up at
some
stage with 5.2.0 (or GWT2.1+ in reality).
Should we consider an emergency game-plan should a fix not be found prior
to release? e.g. Remove XSRF protection short-term. It doesn't leave Guvnor
any more exposed than we were pre-GWT2.1). I've posted to GWT's forums but
had no response as yet.
Views anybody?
Cheers,
Mike
On 24 March 2011 14:26, Tihomir Surdilovic <tsurdilo(a)redhat.com> wrote:
> On 3/23/11 4:34 PM, Michael Anstis wrote:
> > Has anybody experienced this in "Web" mode?
> Yes. When first reporting this I was running on JBoss AS 4.2.3.
>
> Thanks.
> _______________________________________________
> rules-dev mailing list
> rules-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-dev
>
_______________________________________________
rules-dev mailing list
rules-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-dev
--
Michael D Neale
home: www.michaelneale.net
blog: michaelneale.blogspot.com
Attachments:
- attachment.html (text/html — 2.7 KB)