Bug 777747 (SOA-262) - jBPM GPD requires http://127.0.0.1:8080/jbpm-console/upload/ to not require username/password authentication
Keywords:
Status: CLOSED NEXTRELEASE
Alias: SOA-262
Product: JBoss Enterprise SOA Platform 4
Classification: JBoss
Component: Security
Version: 4.2 Beta 1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.2 CR2
Assignee: Mike Brock
QA Contact:
URL: http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On:
Blocks: SOA-327 SOA-515
Reported: 2008-01-02 20:50 UTC by Len DiMaggio
Modified: 2013-06-17 05:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
standalone-soa-4.2.0.beta1.zip soa-4.2.0.beta1.zip
Last Closed: 2008-02-04 16:30:51 UTC
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 777750 0 urgent CLOSED JBPM events can execute arbitrary code 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker SOA-262 0 Major Closed jBPM GPD requires http://127.0.0.1:8080/jbpm-console/upload/ to not require username/password authentication 2012-08-24 10:42:10 UTC

Internal Links: 777750

Description Len DiMaggio 2008-01-02 20:50:32 UTC
Link type: Superset, Source: SOA-262, Destination: SOA-270
Affects: Documentation (Ref Guide, User Guide, etc.)
Date of First Response: 2008-01-14 20:13:54
project_key: SOA

Marc Schoenefeld pointed this out to me today:

Do you know why the GUI access to the JBPM console over http://127.0.0.1:8080/jbpm-console/ is protected with
form-based authentication, whereas the upload via http://127.0.0.1:8080/jbpm-console/upload/ is not?
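
As an added illustration, not code from the jBPM project or from this bug report: a servlet deployment descriptor (WEB-INF/web.xml) with the kind of security-constraint that produces exactly the behaviour described above, and the one line that closes the gap. The url-patterns, servlet class, role name and login pages are assumptions; jBPM's real jbpm-console descriptor is not reproduced here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example, not jBPM's real jbpm-console/WEB-INF/web.xml.
     Paths, servlet class, role name and login pages are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Assumed: the deployment upload handler is a servlet mapped under /upload/*. -->
  <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>org.example.UploadServlet</servlet-class> <!-- hypothetical class -->
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadServlet</servlet-name>
    <url-pattern>/upload/*</url-pattern>
  </servlet-mapping>

  <!-- A security-constraint covers only the url-patterns listed inside it;
       every other path in the context is reachable anonymously.  The shape
       of the bug is a constraint that names the GUI paths but not /upload/*.
       With the /upload/* line removed, the GUI prompts for the form login
       and the upload endpoint does not. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jBPM console</web-resource-name>
      <url-pattern>/app/*</url-pattern>     <!-- assumed GUI path -->
      <url-pattern>/upload/*</url-pattern>  <!-- the missing line; this is the fix -->
      <!-- Deliberately no <http-method> elements: listing methods here would
           leave every method NOT listed (PUT, OPTIONS, ...) unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>           <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <!-- One form-based login for both the GUI and the upload endpoint. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jBPM console</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Two points a reviewer would check on a descriptor like this. First, an allow-list of patterns is fragile: any new servlet mapped outside the listed paths ships unauthenticated, so a deny-by-default constraint on `/*` (the form login and error pages are served by the container's authenticator itself, so they stay reachable) is the safer shape. Second, the constraint is only as strong as the realm it is enforced against; on JBoss AS that is the security domain bound in WEB-INF/jboss-web.xml, which the already-protected GUI shows is in place. To confirm the gap is closed, an unauthenticated `curl -i -X POST http://127.0.0.1:8080/jbpm-console/upload/` should come back with a redirect to the login page (or 401), never a 200.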

Comment 2 Len DiMaggio 2008-01-03 18:29:59 UTC
Link: Added: This issue related SOA-265


Comment 3 Mark Little 2008-01-07 21:59:23 UTC
Link: Added: This issue incorporates SOA-270


Comment 4 Len DiMaggio 2008-01-08 02:35:23 UTC
Link: Added: This issue is related to SOA-265


Comment 5 Len DiMaggio 2008-01-08 02:35:46 UTC
Link: Removed: This issue is related to SOA-265 


Comment 6 Mike Brock 2008-01-15 01:13:54 UTC
I'm not sure.  It would seem pretty bad to me.  One could potentially do some pretty nasty stuff, such as filling up a hard drive with random, frivolous uploads.  Such a hole wouldn't even pass a sniff-test by most companies serious about security, so I think this needs to be escalated into jBPM itself.

This is a pretty serious problem.

Is there a related jBPM JIRA open yet? If there isn't, there should be.

Comment 7 Mark Little 2008-01-15 08:13:11 UTC
Yes, SOA-265.

Comment 8 Mark Little 2008-01-15 14:38:37 UTC
Link: Added: This issue is a dependency of SOA-327


Comment 9 Joshua Wulf 2008-01-15 17:20:14 UTC
Affects: Added: [Documentation (Ref Guide, User Guide, etc.)]


Comment 10 Mike Brock 2008-01-25 19:25:59 UTC
fixed in trunk

Comment 12 Len DiMaggio 2008-04-15 17:52:49 UTC
Link: Added: This issue is a dependency of SOA-515


Comment 13 Thomas Diesler 2009-02-07 10:45:52 UTC
Link: Added: This issue is related to JBPM-1958
