It has been reported that CSRF tokens are not properly handled in the JBoss BPM Suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in the query string, so they can be exposed through the browser's history, Referer headers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully.
Acknowledgments: Name: Jeremy Choi (Red Hat Product Security Team)
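As an added illustration of the two weaknesses in the report (this is example code, not dashbuilder's own; the store class, session ids and the `csrf_token` field name are assumptions), a token store that keeps one live token per session, retires the previous token whenever a new one is issued, and refuses any token presented in the query string:

```python
"""Session-bound, rotating CSRF tokens (added example; not dashbuilder's code)."""
import hmac
import secrets
import time


class CsrfTokenStore:
    """Keeps exactly one live token per session (assumed design, not the product's).

    Issuing a new token retires the previous one, so a token captured earlier in
    the same session is refused, and a token from another session never matches.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested offline
        self._live = {}             # session_id -> (token, issued_at)

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._live[session_id] = (token, self.clock())
        return token

    def validate(self, session_id, presented):
        """True only for the session's current, unexpired token; it is then retired (single use)."""
        entry = self._live.get(session_id)
        if entry is None or not isinstance(presented, str):
            return False
        token, issued_at = entry
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False
        self._live.pop(session_id)  # retire even if expired, so it can never be replayed
        return self.clock() - issued_at <= self.ttl

    def end_session(self, session_id):
        self._live.pop(session_id, None)


def check_request(store, session_id, method, query_params, form_fields):
    """Accept the token only from the body of a state-changing request.

    A token in the query string is refused outright rather than honoured: URLs
    end up in browser history, Referer headers and web logs, which is the
    exposure the report describes.
    """
    if method != "POST":
        return False
    if "csrf_token" in query_params:
        return False
    return store.validate(session_id, form_fields.get("csrf_token"))
```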
@Jeremy Just to clarify: 1.- Any CSRF attack requires the user to be logged in. Once logged in, the user can only get access to the pages he has been granted (according to the permissions assigned to every page). That means, no matter what CSRF token you use, the system will reject non-granted requests. 2.- The above is not feasible according to #1. Also, the way the CSRF protection is implemented, only the tokens generated throughout an active session can be used within the same session. So that means, if another user logs in and tries to use an old token, an error is displayed. If you still consider this an issue, can you please provide a reproducer? As for the visibility of tokens, hiding them is not an easy task, as we would need to change the way URLs are generated and processed throughout the entire tooling. So, honestly, I'd leave this as that. - David -
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.4.2 Via RHSA-2017:0557 https://rhn.redhat.com/errata/RHSA-2017-0557.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization Via RHSA-2018:0296 https://access.redhat.com/errata/RHSA-2018:0296