[JCR-4009] CSRF in Jackrabbit-Webdav (CVE-2016-6801) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.4.5, 2.6.5, 2.8.2, 2.10.3, 2.12.3, 2.13.2
Fix Version/s: 2.4.6, 2.6.6, 2.12.4, 2.10.4, 2.13.3, 2.8.3, 2.14
Component/s: jackrabbit-webdav
Labels:
- csrf
- security
- webdav

Description

The changes for ~~JCR-4002~~ have disabled CSRF checking for POST, and thus leave the remoting servlet open for attacks. This HTML form below:

<form action="http://localhost:8080/server/default/jcr:root/" method="post">
    <input type="text" id="name" name="user_name" />
    <button type="submit">Send your message</button>
    </form>

will successfully cross-origin-POST to jackrabbit-standalone.

While fixing this issue, it also became clear that the content-type check failed to take syntax variations into account (upper/lowercase, optional parameters)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

CVE-2016-6801.txt
14/Sep/16 12:36
2 kB
Julian Reschke
JCR-4009.diff
31/Aug/16 11:40
14 kB
Julian Reschke

Issue Links

is broken by

JCR-4002 CSRF in Jackrabbit-Webdav using empty content-type (CVE-2016-6801)

Closed

Activity

People

Assignee:: Julian Reschke

Reporter:: Julian Reschke

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 30/Aug/16 12:48

Updated:: 10/Nov/16 09:13

Resolved:: 31/Aug/16 13:16