Details

    • Branch Version/s:
      6.0.x
    • Backported to Branch:
      Committed

      Description

      Although the Rest Proxy is available only to logged-in users, it allows attacks on remote sites.

      An attacker can use it to hide the origin IP and attack web pages directly. It can also be reused for CSRF POST attacks on remote sites.

      I think the Rest Proxy could require some URL digest (accessible to portal/portlets using the Java API; the API should not be accessible directly from the browser) that prevents unauthorized reuse.

      See LEP-5353 for rest proxy.

      Thank you.


          Activity

          Tomáš Polešovský added a comment -

          I'm sorry, of course it can't be used for CSRF attacks

          But if you know the IP addresses/host names of some DMZ server, then you can access the company's infrastructure (e.g. the company's intranet pages).

          Thanks for fixing!

          Samuel Kong added a comment -

          1. Sign in
          2. http://localhost:8080/c/portal/rest_proxy?url=http://www.example.com

          This should no longer work unless the domain is listed in the property "rest.proxy.allowed.domains".

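The check above (sign in, request /c/portal/rest_proxy?url=..., expect a refusal unless the target's domain is in rest.proxy.allowed.domains) is a host allowlist on a server-side proxy. The block below is an added, stand-alone illustration of what such an allowlist has to get right; it is not Liferay's code, does not reproduce how rest.proxy.allowed.domains is implemented, and makes no claim about what LPS-27403 found insufficient. The property value, the function names and the sample URLs are all constructed for the example. It contrasts a naive substring match on the raw URL with a check on the parsed host, and shows the classes of input (userinfo before an @, look-alike suffix domains, IP literals including loopback) that a proxy guarding a DMZ must reject.

```python
"""Host allowlist check for an authenticated URL proxy (constructed example, not Liferay code)."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical value of a property such as rest.proxy.allowed.domains.
ALLOWED_DOMAINS = ("www.example.com", "api.example.com")
ALLOWED_SCHEMES = ("http", "https")


def naive_is_allowed(url, allowed=ALLOWED_DOMAINS):
    """The tempting but wrong check: does an allowed domain appear anywhere in the URL?"""
    return any(domain in url for domain in allowed)


def proxied_host(url, schemes=ALLOWED_SCHEMES):
    """Return the host the proxy would actually connect to, or None if the URL is unusable.

    urlsplit().hostname is lower-cased and has userinfo ('user:pw@') and the port
    stripped, so 'http://www.example.com@10.0.0.5/' yields '10.0.0.5', not the
    allowlisted name that appears in the string.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme.lower() not in schemes:
        return None
    return parts.hostname


def is_allowed(url, allowed=ALLOWED_DOMAINS):
    """Allow only exact, named hosts from the allowlist over http(s)."""
    host = proxied_host(url)
    if host is None:
        return False
    # Reject IP literals outright: that keeps 127.0.0.1, ::1 and RFC 1918
    # addresses (the DMZ/intranet targets the report is about) out even if
    # someone later adds a sloppy pattern to the allowlist.
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    return host in {domain.lower() for domain in allowed}


if __name__ == "__main__":
    # Constructed sample targets: an allowed site, then typical bypass attempts.
    for candidate in (
        "http://www.example.com",
        "http://www.example.com@10.0.0.5/admin",
        "http://www.example.com.attacker.test/",
        "http://127.0.0.1:8080/",
        "http://intranet.corp.local/",
    ):
        print(f"{candidate:45} naive={naive_is_allowed(candidate)!s:5} strict={is_allowed(candidate)}")
```

Two caveats the example does not cover: the allowlisted host itself can answer with a redirect to an internal address, so the proxy should either not follow redirects or re-run the check on every hop; and the name is checked, not the address it resolves to, so a name under attacker control that resolves to an internal IP still needs a resolution-time check before connecting.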
          Michael Hashimoto added a comment -

          PASSED Manual Testing following the steps in the comment.

          Reproduced on:
          Tomcat 6.0 + MySQL 5. 6.0.x Revision 85693.

          Fixed on:
          Tomcat 6.0 + MySQL 5. 6.1.x Revision 85888.
          Tomcat 6.0 + MySQL 5. 6.0.x Revision 85888.
          Tomcat 6.0 + MySQL 5. 6.0.x Revision 85694.

          Vicki Tsang added a comment -

          This is being bulk closed in preparation for the new workflow.

          Jelmer Kuperus added a comment -

          The fix for this is not sufficient. I created issue LPS-27403 for this.


            People

            • Votes:
              1
            • Watchers:
              2
