Details

• Branch Version/s: 6.0.x
• Backported to Branch: Committed

Description

Although the Rest Proxy is available only to logged-in users, it allows attacks on remote sites.

An attacker can use it to hide the origin IP and attack web pages directly. It can also be reused for CSRF POST attacks on remote sites.

I think the Rest Proxy could require some URL digest (accessible to the portal/portlets through the Java API, which should not be accessible directly from the browser) that prevents unauthorized reuse.

See LEP-5353 for the Rest Proxy.

      Thank you.
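One way to implement the URL digest this report proposes, as an added example (written in Python for illustration rather than the portal's Java, and not Liferay's own code): server-side portal code signs the target URL with an HMAC bound to the requesting user and an expiry, and the proxy forwards only requests carrying a digest it issued. The secret value, the `/c/portal/rest-proxy` path and the parameter names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret: never reaches the browser (constructed value for this example).
SERVER_SECRET = b"constructed-example-secret-keep-on-server"


def _message(target_url: str, user_id: str, expires: int) -> bytes:
    # Canonical string the digest covers: target URL, user and expiry time.
    return f"{target_url}\n{user_id}\n{expires}".encode()


def sign_proxy_url(target_url: str, user_id: str, ttl_seconds: int = 300, now=None) -> str:
    """Called only from server-side portal/portlet code: returns a proxy URL whose
    target, user and expiry are authenticated by an HMAC-SHA256 digest."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    digest = hmac.new(SERVER_SECRET, _message(target_url, user_id, expires), hashlib.sha256).hexdigest()
    query = urlencode({"url": target_url, "uid": user_id, "exp": expires, "digest": digest})
    return f"/c/portal/rest-proxy?{query}"  # hypothetical proxy servlet path


def verify_proxy_request(proxy_url: str, session_user_id: str, now=None) -> tuple:
    """Run by the proxy before forwarding anything. Returns (allowed, target_or_reason)."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(proxy_url).query)
    try:
        target, uid, exp, digest = (params[k][0] for k in ("url", "uid", "exp", "digest"))
        expires = int(exp)
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    # A digest issued for one user must not be replayed from another user's session.
    if uid != session_user_id:
        return False, "digest was issued for another user"
    if now > expires:
        return False, "digest expired"
    expected = hmac.new(SERVER_SECRET, _message(target, uid, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison; a browser cannot mint a valid digest without SERVER_SECRET.
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest: URL was not issued by the portal"
    return True, target
```

Because the digest covers the target URL, changing the `url` parameter in the browser (the remote-site attack described in the report) invalidates it, and binding it to the user and an expiry limits replay.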
