Affects: Compatibility/Configuration
Complexity: Low
Date of First Response: 2008-01-08 01:49:25
Workaround: Workaround Exists
Workaround Description: Fix web.xml in production setup
project_key: SOA

http://127.0.0.1:8080/jbpm-console/upload/ is not protected by authentication constraints. It can be reached without authorization in production setup. This can be misused by attackers to inject (replace?) process definitions (that may contain code, as in http://jira.jboss.com/jira/browse/SOA-265 ).
Link: Added: This issue is incorporated by SOA-262
Link: Added: This issue related SOA-265
What am I supposed to do about this? This is intended behaviour in the jbpm project download.
As said before, this should be addressed in the web.xml.
Fixed in trunk.
Modified "fixed in" field to match SOA-262, SOA-265.
Link: Added: This issue is a dependency of SOA-345
Link: Added: This issue is a dependency of SOA-327
Closing this JIRA - resolution is as described in: http://jira.jboss.com/jira/browse/SOA-327#action_12397644

Summary:
For standalone server, default configuration exposes /upload servlet
For embedded server, all configuration exposes /upload servlet
For embedded server, production configuration does not expose /upload servlet
jBPM User guide includes instructions to expose or not expose /upload servlet

Standalone and embedded server .zip files both include /tools/resources dir with these files:
-rw-r--r-- 1 ldimaggi ldimaggi 723723 Feb 3 16:25 jbpm-console-development.war
-rw-r--r-- 1 ldimaggi ldimaggi 723724 Feb 3 16:25 jbpm-console-production.war

This solution closes SOA-262, SOA-265, SOA-270
Link: Added: This issue is a dependency of SOA-515
Link: Added: This issue is a dependency of SOA-550
Link: Added: This issue related SOA-1586