[ http://jira.codehaus.org/browse/CONTINUUM-838?page=all ]
Carlos Sanchez updated CONTINUUM-838:
-------------------------------------

    Fix Version/s: 1.1

> Cross Site Request Forgery protection
> -------------------------------------
>
>                 Key: CONTINUUM-838
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-838
>             Project: Continuum
>          Issue Type: Improvement
>          Components: Web interface
>    Affects Versions: 1.0.1, 1.0, 1.1, 1.0.2, 1.0.3
>            Reporter: Christian Gruber
>            Priority: Critical
>             Fix For: 1.1
>
>
> XSRF vulnerabilities are very hard to fix. More details on them at
> http://en.wikipedia.org/wiki/Cross-site_request_forgery with a key document
> found at http://isecpartners.com/documents/XSRF_Paper.pdf which outlines a
> solution.
>
> In short, an XSRFProtectionToken is passed in each form in a hidden variable,
> with the XSRFProtectionToken consisting of (pseudocode):
>
>     hash(sessionid + actionName + sitewide_secret);
>
> The hash can be MD5 or SHA-1 or whatever. The important thing is that even
> if a user is logged on with a valid sessionId, the attacker cannot know in
> advance what the token will be without getting it out of an insecure browser
> (in which case, you have other problems). Even if the attacker gets access
> to a token for one action that's less security-risky (like invoking a build),
> they cannot then replay that token against something more risky (such as
> creating a new admin user).

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
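The per-session, per-action token scheme the issue describes, as an added example (not Continuum's code). It follows the pseudocode hash(sessionid + actionName + sitewide_secret), except that the site-wide secret is used as an HMAC key instead of being concatenated into the hash input; the secret value, session id, action names and the field name XSRFProtectionToken are constructed for the example.

```python
import hashlib
import hmac

# Constructed example secret. A real deployment generates this once,
# keeps it out of source control and never sends it to the browser.
SITEWIDE_SECRET = b"constructed-example-secret-not-for-production"


def make_xsrf_token(session_id: str, action_name: str,
                    secret: bytes = SITEWIDE_SECRET) -> str:
    """Derive the token to embed in a form's hidden field.

    Binding the token to both the session id and the action name is what
    stops a token captured for a low-risk action (e.g. "build") from being
    replayed against a high-risk one (e.g. "addUser"). The secret is the
    HMAC key, the keyed construction of hash(data + secret), so an attacker
    who knows session id and action name still cannot compute the token.
    The length prefix keeps ("ab", "c") and ("a", "bc") from colliding.
    """
    msg = f"{len(session_id)}:{session_id}|{action_name}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_xsrf_token(session_id: str, action_name: str, submitted: str,
                     secret: bytes = SITEWIDE_SECRET) -> bool:
    """Recompute the expected token for this session/action and compare
    in constant time, so timing does not leak how many bytes matched."""
    expected = make_xsrf_token(session_id, action_name, secret)
    return hmac.compare_digest(expected, submitted)


def validate_form_submission(session_id: str, action_name: str,
                             form_fields: dict) -> bool:
    """Server-side check for a POSTed form: the hidden field must be
    present and must be the token minted for this session and action."""
    token = form_fields.get("XSRFProtectionToken")
    if not isinstance(token, str):
        return False  # forged cross-site requests cannot supply it
    return check_xsrf_token(session_id, action_name, token)
```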