Agents
CSRF Vulnerability
Resolved
My security team has stated there's a Cross Site Request Forgery vulnerability in Yellowfin!
Also see our post on the CSRF Referer Validation here.
The same problem 
This can be mitigated by enabling our CSRF Filter in Yellowfin.
To implement this in Yellowfin, simply edit your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file and add the following code within the webapp block.
<filter> <filter-name>CSRFFilter</filter-name> <filter-class>com.hof.servlet.CSRFFilter</filter-class> <init-param> <param-name>AllowedEntry</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> <init-param> <param-name>Ignore</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> </filter> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.i4</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>This uses a session based token, or nounce, that is appended to requests. If a request to the server doesn't match this nonce, the request is denied.This can be mitigated by enabling our CSRF Filter in Yellowfin.
To implement this in Yellowfin, simply edit your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file and add the following code within the webapp block.
<filter> <filter-name>CSRFFilter</filter-name> <filter-class>com.hof.servlet.CSRFFilter</filter-class> <init-param> <param-name>AllowedEntry</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> <init-param> <param-name>Ignore</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> </filter> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.i4</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>This uses a session based token, or nounce, that is appended to requests. If a request to the server doesn't match this nonce, the request is denied.This can be mitigated by enabling our CSRF Filter in Yellowfin.
To implement this in Yellowfin, simply edit your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file and add the following code within the webapp block.
<filter> <filter-name>CSRFFilter</filter-name> <filter-class>com.hof.servlet.CSRFFilter</filter-class> <init-param> <param-name>AllowedEntry</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> <init-param> <param-name>Ignore</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> </filter> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.i4</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>This uses a session based token, or nounce, that is appended to requests. If a request to the server doesn't match this nonce, the request is denied.This can be mitigated by enabling our CSRF Filter in Yellowfin.
To implement this in Yellowfin, simply edit your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file and add the following code within the webapp block.
<filter> <filter-name>CSRFFilter</filter-name> <filter-class>com.hof.servlet.CSRFFilter</filter-class> <init-param> <param-name>AllowedEntry</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> <init-param> <param-name>Ignore</param-name> <param-value>/info.jsp, /info_threads.jsp</param-value> </init-param> </filter> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.i4</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CSRFFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>This uses a session based token, or nounce, that is appended to requests. If a request to the server doesn't match this nonce, the request is denied.Replies have been locked on this page!