Jackrabbit Content Repository: JCR-3036

WebDAV/DaveX Servlets susceptible to CSRF Attacks

    Details

      Description

      Both the WebDAV and the remoting (DaveX) servlets are susceptible to CSRF attacks.

        Activity

        Lars Krapf created issue -
        Lars Krapf made changes -
        Field Original Value New Value
        Attachment jackrabbit-webdav-csrf-patch.txt [ 12488085 ]
        Lars Krapf added a comment -

        Attached a possible patch.

        angela made changes -
        Assignee angela [ anchela ]
        angela added a comment -

        Thanks for the patch. I will take a look at it as soon as possible.

        angela made changes -
        Fix Version/s 2.3.0 [ 12315901 ]
        Component/s jackrabbit-webapp [ 12311584 ]
        angela added a comment -

        Applied patch with minor modifications and added tests.

        angela made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Julian Reschke added a comment -

        I think this is very misleading.

        A CSRF attack requires the server to accept POST requests with content type form-data.

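A defensive check of the kind that comment points at, as an added example that is not Jackrabbit's own patch: a servlet filter in front of the WebDAV/DaveX servlets that refuses a POST carrying a browser-form content type unless its Origin or Referer is the repository's own site. The filter name and the allowed origin are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter, not Jackrabbit's own fix. A browser form can only issue
 * GET or POST with one of the "form" content types, so a form-typed POST whose
 * Origin/Referer is not this site is treated as a cross-site request and refused.
 */
public class FormPostCsrfFilter implements Filter {
    // Assumed deployment origin; a real filter would read it from FilterConfig.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://repo.example.org");

    static boolean isFormContentType(String contentType) {
        if (contentType == null) {
            return true; // no declared type: fail closed and treat it as a form
        }
        String ct = contentType.toLowerCase(Locale.ROOT);
        return ct.startsWith("application/x-www-form-urlencoded")
            || ct.startsWith("multipart/form-data")
            || ct.startsWith("text/plain");
    }

    static boolean isSameSite(String origin, String referer) {
        if (origin != null) {
            return ALLOWED_ORIGINS.contains(origin); // exact match; "null" fails
        }
        if (referer == null) {
            return false; // neither header: cannot prove same-site, so deny
        }
        return ALLOWED_ORIGINS.stream().anyMatch(o -> referer.startsWith(o + "/"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if ("POST".equals(request.getMethod())
                && isFormContentType(request.getContentType())
                && !isSameSite(request.getHeader("Origin"), request.getHeader("Referer"))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}
}
```

Non-form POSTs and the other WebDAV methods pass through untouched, since a browser cannot send them cross-site without a CORS preflight that the server never answers.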
        Jukka Zitting made changes -
        Fix Version/s 2.2.8 [ 12316518 ]
        Fix Version/s 2.3.0 [ 12315901 ]
        Jukka Zitting made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition            Time In Source Status   Execution Times   Last Executer    Last Execution Date
        Open -> Resolved      1d 4h 49m               1                 angela           29/Jul/11 16:17
        Resolved -> Closed    55d 23h 10m             1                 Jukka Zitting    23/Sep/11 15:27

          People

          • Assignee:
            angela
            Reporter:
            Lars Krapf