Julian Reschke created JCR-4009:
-----------------------------------
Summary: CSRF in Jackrabbit-Webdav
Key: JCR-4009
URL: https://issues.apache.org/jira/browse/JCR-4009
Project: Jackrabbit Content Repository
Issue Type: Bug
Components: jackrabbit-webdav
Affects Versions: 2.13.2
Reporter: Julian Reschke
Assignee: Julian Reschke
The changes for JCR-4002 have disabled CRFS checking for POST, and thus leave
the remoting servlet open for attacks. This HTML form below:
{noformat}
<form action="http://localhost:8080/server/default/jcr:root/"; method="post">
<input type="text" id="name" name="user_name" />
<button type="submit">Send your message</button>
</form>
{noformat}
will successfully cross-origin-POST to jackrabbit-standalone.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
