[ http://jira.codehaus.org/browse/CONTINUUM-838?page=all ]

Carlos Sanchez updated CONTINUUM-838:
-------------------------------------

    Fix Version/s: 1.1

> Cross Site Request Forgery protection
> -------------------------------------
>
>                 Key: CONTINUUM-838
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-838
>             Project: Continuum
>          Issue Type: Improvement
>          Components: Web interface
>    Affects Versions: 1.0.1, 1.0, 1.1, 1.0.2, 1.0.3
>            Reporter: Christian Gruber
>            Priority: Critical
>             Fix For: 1.1
>
>
> XSRF vulnerabilities are very hard to fix.  More details on them at 
> http://en.wikipedia.org/wiki/Cross-site_request_forgery with a key document 
> found at http://isecpartners.com/documents/XSRF_Paper.pdf which outlines a 
> solution.
> In short, an XSRFProtectionToken is passed in each form in a hidden variable, 
> with the XSRFProtectionToken consisting of (pseudocode): 
> hash(sessionid + actionName + sitewide_secret);
> The hash can be MD5 or SHA-1 or whatever.  The important thing is that even 
> if a user is logged on with a valid sessionId, the attacker cannot know in 
> advance what the token will be without getting it out of an insecure browser 
> (in which case, you have other problems).   Even if the attacker gets access 
> to a token for one action that's less security-risky (like invoking a build), 
> they cannot then replay that token against something more risky (such as 
> creating a new admin user).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
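The token scheme described in the issue, worked through as an added example. This is not code from the JIRA issue or from Continuum's web interface; the function names (`make_token`, `verify_token`, `handle_request`), the action names `buildProject` and `createAdminUser`, the session identifiers and the site-wide secret are all constructed for illustration. One deliberate change from the pseudocode `hash(sessionid + actionName + sitewide_secret)`: the example uses HMAC-SHA256 keyed with the site-wide secret over length-prefixed fields rather than a plain hash of a concatenated string, so the secret cannot be attacked through length-extension and a session id and action name cannot be shifted into one another to produce a colliding input. The verification step shows the property the reporter emphasises: a token obtained for a low-risk action does not verify for a higher-risk one, nor for a different session.

```python
import hashlib
import hmac

# Constructed site-wide secret. A real deployment would generate this once at
# startup (e.g. with secrets.token_bytes(32)), keep it server-side only, and
# never embed it in a page.
SITEWIDE_SECRET = b"constructed-sitewide-secret-do-not-reuse"


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") differ as bytes."""
    out = b""
    for field in fields:
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def make_token(session_id: str, action_name: str, secret: bytes = SITEWIDE_SECRET) -> str:
    """Derive the per-session, per-action XSRF token that a form will carry
    in a hidden field. HMAC-SHA256 keyed with the site-wide secret stands in
    for the issue's hash(sessionid + actionName + sitewide_secret)."""
    return hmac.new(secret, _encode_fields(session_id, action_name), hashlib.sha256).hexdigest()


def verify_token(session_id: str, action_name: str, presented: str,
                 secret: bytes = SITEWIDE_SECRET) -> bool:
    """Recompute the token for the *current* session and the action actually
    being invoked, and compare in constant time. The token is never stored;
    binding to the session and action is what makes replay across actions fail."""
    if not presented:
        return False
    expected = make_token(session_id, action_name, secret)
    return hmac.compare_digest(expected, presented)


def handle_request(session_id: str, action_name: str, form_fields: dict) -> str:
    """Simulated server-side dispatch for a state-changing action: reject any
    request whose hidden-field token does not bind to this session and action."""
    token = form_fields.get("xsrfToken", "")
    if not verify_token(session_id, action_name, token):
        return "403 rejected"
    return f"200 {action_name} executed"


def demo() -> dict:
    """Exercise the cases the issue describes with constructed inputs."""
    session = "sess-abc123"  # constructed session identifier
    build_token = make_token(session, "buildProject")
    return {
        # Legitimate form submission: token issued for this session and action.
        "legit_build": handle_request(session, "buildProject", {"xsrfToken": build_token}),
        # A token captured for the low-risk build action does not authorise
        # the higher-risk action, because the action name is part of the MAC.
        "replay_other_action": handle_request(session, "createAdminUser", {"xsrfToken": build_token}),
        # A forged cross-site form cannot know the token at all.
        "missing_token": handle_request(session, "buildProject", {}),
        # The same token is worthless under a different session id.
        "other_session": handle_request("sess-xyz789", "buildProject", {"xsrfToken": build_token}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two points a practitioner would want alongside this. The check must run on every state-changing action (including ones reachable by GET, if any exist), since the token is only as good as the set of handlers that demand it; and the scheme inherits the issue's own caveat that a session id exposed by the browser or by a cross-site scripting flaw lets the attacker compute nothing directly (the secret is still server-side) but does let them drive the session through the real forms.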

        
