The pcsd web UI is vulnerable to Cross-Site Request Forgery (CSRF). A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources, restarting/removing nodes, etc.
Each request includes 'X-Requested-With: XMLHttpRequest' but this header is not checked server side.
Name: Martin Prpic (Red Hat Product Security)
This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 6, as the web UI functionality is disabled by default in pcsd.
Created pcs tracking bugs for this issue:
Affects: fedora-all [bug 1308827]
pcs-0.9.149-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
pcs-0.9.149-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2596 https://rhn.redhat.com/errata/RHSA-2016-2596.html