ICEfaces
  1. ICEfaces
  2. ICE-1366

Security: cross-site request forgery may be possible with XMLHttpRequest interaction

          Details

          • Type: Improvement Improvement
          • Status: Closed
          • Priority: Major Major
          • Resolution: Fixed
          • Affects Version/s: 1.6DR#4
          • Fix Version/s: 1.6DR#6, 1.6
          • Component/s: Framework
          • Labels:
            None
          • Environment:
            all

            Description

            It may be possible to attack ICEfaces with cross-site request forgery techniques. The possible attack would proceed as follows:

              - user loads ICEfaces page
              - user loads attacking page
              - attacking page guesses viewNumber and submits bogus form to ICEfaces domain via javascript or user interaction
              - attacking page manipulates ICEfaces application because HTTP request automatically takes place within user's session

            The candidate fix is to require that icefacesID be included with every interaction over XMLHttpRequest. ICEfaces will reject any XMLHttpRequest operations that do not contain a valid icefacesID associated with the current session. The icefacesID must not be sent via cookies and it must not be guessable. The browser sandbox prevents frames other than the frame loaded from the ICEfaces page obtaining the icefacesID.

              Activity

              Ascending order - Click to sort in descending order
              Ted Goddard created issue -
              Ken Fyten made changes -
              Field Original Value New Value
              Estimated Complexity Low
              Fix Version/s 1.6DR#3 [ 10050 ]
              Assignee Mircea Toma [ mircea.toma ]
              Ken Fyten made changes -
              Assignee Priority P3
              Ken Fyten made changes -
              Fix Version/s 1.6 [ 10031 ]
              Fix Version/s 1.6DR#3 [ 10050 ]
              Affects Version/s 1.5.3 [ 10030 ]
              Affects Version/s 1.6DR#2 [ 10040 ]
              Ken Fyten made changes -
              Fix Version/s 1.6DR#4 [ 10060 ]
              Fix Version/s 1.6 [ 10031 ]
              Assignee Priority P3 P2
              Repository Revision Date User Message
              ICEsoft Public SVN Repository #13649 Thu Apr 26 11:27:15 MDT 2007 mircea.toma Verify if 'icefaceID' is present ICE-1366.
              Files Changed
              Commit graph MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/servlet/MainSessionBoundServlet.java
              Commit graph MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/servlet/ServletRequestResponse.java
              Commit graph MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/common/RequestProxy.java
              Commit graph ADD /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/core/IDVerifier.java
              Commit graph MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/common/Request.java
              Hide
              Permalink
              Mircea Toma added a comment -

              Add server filter to verify for 'icefacesID'.

              Show
              Mircea Toma added a comment - Add server filter to verify for 'icefacesID'.
              Mircea Toma made changes -
              Status Open [ 1 ] Resolved [ 5 ]
              Resolution Fixed [ 1 ]
              Ted Goddard made changes -
              Resolution Fixed [ 1 ]
              Status Resolved [ 5 ] Reopened [ 4 ]
              Ted Goddard made changes -
              Fix Version/s 1.6 [ 10031 ]
              Fix Version/s 1.6DR#4 [ 10060 ]
              Affects Version/s 1.6DR#4 [ 10060 ]
              Affects Version/s 1.5.3 [ 10030 ]
              Ken Fyten made changes -
              Assignee Priority P2 P1
              Hide
              Permalink
              Mircea Toma added a comment -

              Verify if 'icefacesID' parameter is valid (not just its presence).
              Commit #14011.

              Show
              Mircea Toma added a comment - Verify if 'icefacesID' parameter is valid (not just its presence). Commit #14011.
              Mircea Toma made changes -
              Status Reopened [ 4 ] Resolved [ 5 ]
              Resolution Fixed [ 1 ]
              Ken Fyten made changes -
              Issue Type Bug [ 1 ] Improvement [ 4 ]
              Ken Fyten made changes -
              Fix Version/s 1.6DR#6 [ 10090 ]
              Fix Version/s 1.6 [ 10031 ]
              Ken Fyten made changes -
              Fix Version/s 1.6 [ 10031 ]
              Ken Fyten made changes -
              Security Private [ 10001 ]
              Ken Fyten made changes -
              Status Resolved [ 5 ] Closed [ 6 ]
              Assignee Priority P1
              Assignee Mircea Toma [ mircea.toma ]

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  Ted Goddard
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: