ICEfaces / ICE-1366

Security: cross-site request forgery may be possible with XMLHttpRequest interaction

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6DR#4
    • Fix Version/s: 1.6DR#6, 1.6
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      all

      Description

      It may be possible to attack ICEfaces with cross-site request forgery techniques. The possible attack would proceed as follows:

        - user loads ICEfaces page
        - user loads attacking page
        - attacking page guesses viewNumber and submits bogus form to ICEfaces domain via javascript or user interaction
        - attacking page manipulates ICEfaces application because HTTP request automatically takes place within user's session

      The candidate fix is to require that icefacesID be included with every interaction over XMLHttpRequest. ICEfaces will reject any XMLHttpRequest operation that does not carry a valid icefacesID associated with the current session. The icefacesID must not be sent via cookies and it must not be guessable. The browser sandbox (same-origin policy) prevents any frame other than the one loaded from the ICEfaces page from obtaining the icefacesID.
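      The following is an added illustration of the mechanism described above; it is not ICEfaces code. It models the server side of the candidate fix in a framework-neutral way: a per-session, CSPRNG-generated icefacesID that is embedded in the page body (never a cookie) and that a request filter requires on every XMLHttpRequest interaction. The `Session` class, the `render_page` helper and the sample requests are constructed for the example; only the parameter name icefacesID comes from the issue.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_PARAM = "icefacesID"  # parameter name from the issue; the token format below is an assumption


@dataclass
class Session:
    """Minimal stand-in for a server-side HTTP session (constructed for this example)."""
    attributes: dict = field(default_factory=dict)


def issue_token(session: Session) -> str:
    """Create (once per session) the secret the issue calls icefacesID.

    The value comes from a CSPRNG so it cannot be guessed the way a sequential
    viewNumber can, and it lives only in the server-side session plus the page
    body that is served to the browser. It is deliberately never set as a cookie,
    because a cookie would be attached automatically to a forged cross-site request.
    """
    token = session.attributes.get(TOKEN_PARAM)
    if token is None:
        token = secrets.token_urlsafe(32)
        session.attributes[TOKEN_PARAM] = token
    return token


def render_page(session: Session) -> str:
    """Embed the token in the page so the page's own scripts can read it.

    A page on another origin cannot read this document, so it cannot recover
    the token; that is the same-origin guarantee the issue relies on.
    (Hypothetical markup, not the real ICEfaces bridge output.)
    """
    token = issue_token(session)
    return f'<script>window.icefacesID = "{token}";</script>'


def is_valid_xhr_request(session, params: dict) -> bool:
    """Server-side filter check applied to every XMLHttpRequest interaction.

    Rejects when there is no session, the session holds no token, the request
    carries no token, or the submitted value differs from the expected one.
    The comparison is constant-time so the check does not leak the token
    through timing differences.
    """
    if session is None:
        return False
    expected = session.attributes.get(TOKEN_PARAM)
    submitted = params.get(TOKEN_PARAM)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def simulate() -> dict:
    """Run the scenario from the issue against the filter.

    The legitimate page submits its token; the attacking page can guess the
    viewNumber but not the token, so its forged submissions are rejected
    whether it omits the parameter or guesses a value.
    """
    session = Session()
    token = issue_token(session)
    return {
        "legitimate": is_valid_xhr_request(
            session, {"viewNumber": "1", TOKEN_PARAM: token}),
        "forged_no_token": is_valid_xhr_request(
            session, {"viewNumber": "1"}),
        "forged_guessed_token": is_valid_xhr_request(
            session, {"viewNumber": "1", TOKEN_PARAM: "guess"}),
    }


if __name__ == "__main__":
    print(simulate())
```

      In a real deployment the check sits in a filter in front of the application, as the activity below describes, and it must verify the value, not merely the parameter's presence; an empty or wrong icefacesID is as much a forgery as a missing one.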

        Activity

        Mircea Toma added a comment -

        Verify if 'icefacesID' parameter is valid (not just its presence).
        Commit #14011.

        Mircea Toma added a comment -

        Add server filter to verify for 'icefacesID'.


          People

          • Assignee: Unassigned
          • Reporter: Ted Goddard
          • Votes: 0
          • Watchers: 0
