Bug 777754 (SOA-270)

Summary: JBPM upload servlet allows unauthorized process upload in production setup
Product: [JBoss] JBoss Enterprise SOA Platform 4
Reporter: Marc Schoenefeld <mschoene>
Component: JBPM - within SOA, Security
Assignee: Mike Brock <cbrock>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 4.2 Beta 1
CC: rruss
Target Release: 4.2 CR3
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/SOA-270
Doc Type: Bug Fix
Type: Bug
Last Closed: 2008-02-04 16:31:06 UTC
Bug Blocks: 777801, 777819, 777988, 778027
Environment:
    10:15:48,280 INFO [Server] Starting JBoss (MX MicroKernel)...
    10:15:48,280 INFO [Server] Release ID: JBoss [EAP] 4.3.0.GA (build: SVNTag=JBPAPP_4_3_0_GA date=200712141443)
    10:15:48,282 INFO [Server] Home Dir: /NotBackedUp/software/soabeta1/jboss-soa-p.4.2.0/jboss-as
    10:15:48,282 INFO [Server] Home URL: file:/NotBackedUp/software/soabeta1/jboss-soa-p.4.2.0/jboss-as/
    10:15:48,282 INFO [Server] Patch URL: null
    10:15:48,282 INFO [Server] Server Name: production

Description Marc Schoenefeld 2008-01-04 09:24:11 UTC
Affects: Compatibility/Configuration
Complexity: Low
Date of First Response: 2008-01-08 01:49:25
Workaround: Workaround Exists
Workaround Description: Fix web.xml in production setup
project_key: SOA

http://127.0.0.1:8080/jbpm-console/upload/ is not protected by authentication constraints.

It can be reached without authorization in production setup. This can be misused by
attackers to inject (replace?) process definitions (that may contain code, as in
http://jira.jboss.com/jira/browse/SOA-265 ).

Comment 1 Mark Little 2008-01-07 21:59:23 UTC
Link: Added: This issue is incorporated by SOA-262


Comment 2 Len DiMaggio 2008-01-08 02:36:28 UTC
Link: Added: This issue related SOA-265


Comment 3 Tom Baeyens 2008-01-08 06:49:25 UTC
What am I supposed to do about this?

This is intended behaviour in the jbpm project download.

Comment 4 Tom Baeyens 2008-01-08 13:19:22 UTC
As said before, this should be addressed in the web.xml.

Comment 5 Mike Brock 2008-01-10 03:23:22 UTC
Fixed in trunk.

Comment 6 Len DiMaggio 2008-01-21 17:51:58 UTC
Modified "Fixed In" field to match SOA-262, SOA-265.

Comment 9 Len DiMaggio 2008-01-23 21:37:10 UTC
Link: Added: This issue is a dependency of SOA-345


Comment 10 Len DiMaggio 2008-02-04 16:18:20 UTC
Link: Added: This issue is a dependency of SOA-327


Comment 11 Len DiMaggio 2008-02-04 16:31:06 UTC
Closing this JIRA - resolution is as described in:
    http://jira.jboss.com/jira/browse/SOA-327#action_12397644

Summary:
   For standalone server, default configuration exposes /upload servlet
   For embedded server, all configuration exposes /upload servlet
   For embedded server, production configuration does not expose /upload servlet

jBPM User Guide includes instructions to expose or not expose /upload servlet

Standalone and embedded server .zip files both include /tools/resources dir with these files:

-rw-r--r-- 1 ldimaggi ldimaggi 723723 Feb 3 16:25 jbpm-console-development.war
-rw-r--r-- 1 ldimaggi ldimaggi 723724 Feb 3 16:25 jbpm-console-production.war

This solution closes SOA-262, SOA-265, SOA-270
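
The web.xml change that the workaround field and the resolution above refer to, as an added example that is not part of this bug report or of the jBPM project: a constructed servlet descriptor for the upload servlet with and without a security-constraint on /upload/*, plus a small check that reports whether a given path sits behind an auth-constraint. The servlet name, servlet class, realm and role name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed "production" descriptor as the report describes it: upload servlet mapped, no constraint.
WEB_XML_WEAK = """<web-app>
  <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>org.example.UploadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadServlet</servlet-name>
    <url-pattern>/upload/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Same descriptor with the fix: /upload/* behind an auth-constraint (role assumed) and a login-config.
WEB_XML_FIXED = WEB_XML_WEAK.replace("</web-app>", """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>process upload</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jbpm-console</realm-name>
  </login-config>
</web-app>""")

def _local(tag):
    """Strip a namespace so the check works for servlet 2.3 (DTD) and 2.4+ (xmlns) descriptors."""
    return tag.rsplit("}", 1)[-1]

def _pattern_covers(pattern, path):
    """Servlet-spec matching: exact path, or a '/prefix/*' pattern covering the path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def upload_is_protected(web_xml, path="/upload/"):
    """True if a security-constraint carrying an auth-constraint covers `path` (empty auth-constraint denies all)."""
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        has_auth = any(_local(e.tag) == "auth-constraint" for e in sc.iter())
        if has_auth and any(_pattern_covers(p, path) for p in patterns):
            return True
    return False
```

Running the check against the WEB-INF/web.xml inside jbpm-console-production.war is a quick way to confirm that the shipped production configuration really does not expose the upload path.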


Comment 12 Len DiMaggio 2008-04-15 17:52:48 UTC
Link: Added: This issue is a dependency of SOA-515


Comment 13 Len DiMaggio 2008-06-16 13:42:33 UTC
Link: Added: This issue is a dependency of SOA-550


Comment 14 Len DiMaggio 2009-11-10 17:40:39 UTC
Link: Added: This issue related SOA-1586