Web services accessible without authentication

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 6.0.6 GA, 6.0.12 EE, 6.1.0 CE GA1, 6.1.10 EE GA1
Fix Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2, 6.0.X EE, --Sprint 11/12, 6.2.0 CE M2
Component/s: API, API > Portal Service, Security
Labels:
None

Similar Issues:

Show 5 results

Description

By carefully constructing a HTTP POST request, an attacker can execute any of the portal's web services. This vulnerability allows the attacker to circumvent both the permission system and the protection provided by the SecureFilter's portal properties:

xxx.servlet.hosts.allowed
xxx.servlet.https.required

Activity

Hide

Permalink

Samuel Kong added a comment - 04/Jul/12 2:28 AM

The code for this ticket was committed under LPS-27046, LPS-27101, LPS-27102.

Show

Samuel Kong added a comment - 04/Jul/12 2:28 AM The code for this ticket was committed under LPS-27046, LPS-27101, LPS-27102.

People

Assignee:

SE Support

Reporter:

Samuel Kong

Participants of an Issue:

Samuel Kong, SE Support

Vote (0)

Watch (0)

Dates

Created:

04/Jul/12 2:27 AM

Updated:

08/Feb/13 4:34 PM

Resolved:

04/Jul/12 2:30 AM

Days since last comment:

46 weeks ago

Agile

View on Board

~~LPS-26935~~	All JSON web services are accessible without authentication.
~~LPS-29930~~	Create authentication endpoints for web services authentication process
~~LPS-27888~~	Split web service authentication into verification process and authentication process
~~LPS-30202~~	JSON Web Services authentication issues and inconsistency
~~LPS-26803~~	Introduce a layer for web service access security