You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@accumulo.apache.org by "Christopher Tubbs (JIRA)" <ji...@apache.org> on 2015/05/22 20:37:17 UTC

[jira] [Resolved] (ACCUMULO-3460) Monitor should not allow HTTP TRACE

     [ https://issues.apache.org/jira/browse/ACCUMULO-3460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher Tubbs resolved ACCUMULO-3460.
-----------------------------------------
       Resolution: Not A Problem
    Fix Version/s:     (was: 1.7.1)
                       (was: 1.8.0)
                       (was: 1.6.3)
         Assignee: Christopher Tubbs

It looks like this isn't a problem as of 1.6.1. Switching to Jetty 8 and 9 in ACCUMULO-2934 and ACCUMULO-2808, respectively, fixed the issue. Jetty 8 and later disable TRACE by default.

> Monitor should not allow HTTP TRACE
> -----------------------------------
>
>                 Key: ACCUMULO-3460
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3460
>             Project: Accumulo
>          Issue Type: Bug
>          Components: monitor
>    Affects Versions: 1.5.0, 1.5.1, 1.5.2, 1.6.0
>            Reporter: Sean Busbey
>            Assignee: Christopher Tubbs
>            Priority: Minor
>              Labels: security
>
> A Nessus scan pinged my test cluster because the Accumulo monitor allows HTTP TRACE requests. (ref: [an overview of the general problem class|http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf])
> The issue isn't bad unless
> * there's a same-origin-policy bypass for the user browser
> * there's an auth token we care about
> Exploits the bypass the same-origin-policy happen, so it's best to clean up server side if possible.
> The only auth tokens present in the Monitor are when we make use of the ShellServlet from ACCUMULO-196. We rely on the session state for auth, so there isn't a risk of leaking auth info directly, but we would leak the session id. 
> The CSRF added in ACCUMULO-2785 means just the session id wouldn't be enough for impersonation, but if an attacker can read one requested page we have to presume they can read another.
> We should clean up our configs to disallow HTTP TRACE as a proactive measure.
> Marking minor since an attack vector would need an enabling vulnerability on the client side.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)