Bug 1373347 (CVE-2016-7034) - CVE-2016-7034 Dashbuilder: insecure handling of CSRF token
Summary: CVE-2016-7034 Dashbuilder: insecure handling of CSRF token
Status: CLOSED ERRATA
Alias: CVE-2016-7034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160906,repor...
Keywords: Reopened, Security
Depends On: 1469742 1469743
Blocks: 1386400 1429673 1521173
TreeView+ depends on / blocked
 
Reported: 2016-09-06 05:03 UTC by Jeremy Choi
Modified: 2019-06-08 21:25 UTC (History)
16 users (show)

(edit)
It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, referrers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully.
Clone Of:
(edit)
Last Closed: 2018-08-07 15:14:32 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0557 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security update 2017-03-17 01:09:43 UTC
Red Hat Product Errata RHSA-2018:0296 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization 6.4 security update 2018-02-13 20:48:28 UTC

Description Jeremy Choi 2016-09-06 05:03:41 UTC
It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, Referers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully.

Comment 1 Jeremy Choi 2016-09-06 05:03:54 UTC
Acknowledgments:

Name: Jeremy Choi (Red Hat Product Security Team)

Comment 3 David Gutierrez 2016-12-29 13:13:45 UTC
@Jeremy  Just to clarify,

1.- Any csrf attack, requires the user to be logged. Once logged the user can only get access to the pages he has been granted to (according to the permissions assigned to every page). That means, no matter what csrf token you use, the system will reject non granted requests.

2.- The above is not feasible according to #1. Also, the way the csrf protection is implemented, only the tokens generated throughout an active session can be used within the same session. So that means, if another user logs in and tries to use an old token an error is displayed.

If you still consider this an issue, can you please provide a reproducer? 

As for, the visibility of tokens, hiding them it's not an easy task as we would need to change the way urls are generated and processed throughout the entire tooling. So, honestly, I'd leave this as that.

- David -

Comment 6 errata-xmlrpc 2017-03-16 21:10:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.4.2

Via RHSA-2017:0557 https://rhn.redhat.com/errata/RHSA-2017-0557.html

Comment 9 errata-xmlrpc 2018-02-13 15:48:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization

Via RHSA-2018:0296 https://access.redhat.com/errata/RHSA-2018:0296


Note You need to log in before you can comment on or make changes to this bug.