
CSRF in Jackrabbit-Webdav (CVE-2016-6801)


      Description

      The changes for JCR-4002 have disabled CSRF checking for POST, and thus leave the remoting servlet open for attacks. The HTML form below:

      <form action="http://localhost:8080/server/default/jcr:root/" method="post">
          <input type="text" id="name" name="user_name" />
          <button type="submit">Send your message</button>
      </form>
      

      will successfully cross-origin-POST to jackrabbit-standalone.

      While fixing this issue, it also became clear that the content-type check failed to take syntax variations into account (upper/lowercase, optional parameters).
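      An added example (not code from the Jackrabbit project) of the two checks the description touches on: a content-type classification that tolerates case and parameter variations, and an origin check applied only to the media types an HTML form can submit. The host value, the header policy and the function names are assumptions made for the illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Media types a plain HTML <form> can submit cross-origin (no CORS preflight).
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(content_type: Optional[str]) -> str:
    """Normalize a Content-Type value: drop parameters such as
    '; charset=UTF-8' or '; boundary=...', trim whitespace, lowercase."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def naive_is_form_post(content_type: Optional[str]) -> bool:
    """Exact compare (the flaw described above): misses
    'Application/X-WWW-Form-Urlencoded' and '...; charset=UTF-8'."""
    return content_type in FORM_MEDIA_TYPES


def is_form_post(content_type: Optional[str]) -> bool:
    """Case-insensitive, parameter-tolerant classification."""
    return media_type(content_type) in FORM_MEDIA_TYPES


def same_origin(header_value: Optional[str], own_host: str) -> bool:
    """True when an Origin or Referer URL names the server's own host:port."""
    if not header_value:
        return False
    return urlsplit(header_value).netloc.lower() == own_host.lower()


def allow_post(headers: dict, own_host: str) -> bool:
    """Assumed policy: form-encodable POSTs (the CSRF vector) must carry an
    Origin or Referer matching own_host; other media types cannot be sent by
    a plain HTML form and pass through."""
    if not is_form_post(headers.get("Content-Type")):
        return True
    source = headers.get("Origin") or headers.get("Referer")
    return same_origin(source, own_host)
```

      With this, the form shown above (no Origin from the server's own host, form-encoded body) is rejected, while the same request from a page served by localhost:8080 is accepted.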

      Attachments

      1. CVE-2016-6801.txt (2 kB, Julian Reschke)
      2. JCR-4009.diff (14 kB, Julian Reschke)

      People

      • Assignee: Julian Reschke (reschke)
      • Reporter: Julian Reschke (reschke)