Pentaho BA Platform
BISERVER-13207

CSRF Protection Built into Pentaho Application

    Details

    • Type: New Feature
    • Status: Open
    • Severity: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Security
    • Labels: None
    • Story Points: 0
    • Notice: When an issue is open, the "Fix Version/s" field conveys a target, not necessarily a commitment. When an issue is closed, the "Fix Version/s" field conveys the version that the issue was fixed in.

      Description

      The Business Analytics application is vulnerable to Cross-Site Request Forgery (CSRF) attacks. This behavior also affects the plugin functionality. Because of this vulnerability, an attacker can cause a logged-in user's browser to perform actions on the attacker's behalf. For example, an attacker could potentially upload files, delete files, or create, modify or delete queries.

      More information about CSRF attacks can be found at the following link:

      https://www.owasp.org/index.php/Cross-Site_Request_Forgery

      Research into related JIRAs and ESR cases specific to CSRF vulnerabilities suggested that the CSRF filter in Tomcat version 7 and above (and possibly the most recent Tomcat 6 releases) could work around this issue. However, simply enabling that filter in Tomcat does not provide full protection for the Pentaho platform, and it would not address the security concern for customers running on supported JBoss EAP application servers, which do not have a comparable filter readily available at this time.

      Customers require that a feature be built into the software to directly protect the Pentaho application from this type of vulnerability, as a viable solution for all supported platforms.

      The same source linked above also suggests preventive measures that could be researched when designing a solution for Pentaho; they can be found at this link:

      https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet

        Attachments

        1. screenshot-1.png (30 kB)
        2. screenshot-2.png (8 kB)
        3. screenshot-3.png (16 kB)
        4. screenshot-4.png (14 kB)
        5. screenshot-5.png (14 kB)
        6. screenshot-6.png (9 kB)

              People

              Assignee: Unassigned
              Reporter: Steve Baker (sbaker, inactive)
              Votes: 4
              Watchers: 27
