
CSRF in Jackrabbit-Webdav (CVE-2016-6801)


Details

    Description

      The changes for JCR-4002 have disabled CSRF checking for POST, and thus leave the remoting servlet open for attacks. The HTML form below:

      <form action="http://localhost:8080/server/default/jcr:root/" method="post">
          <input type="text" id="name" name="user_name" />
          <button type="submit">Send your message</button>
      </form>

      will successfully cross-origin-POST to jackrabbit-standalone.

      While fixing this issue, it also became clear that the content-type check failed to take syntax variations into account (upper/lowercase, optional parameters).
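      The following is an added illustration of the two points above, not Jackrabbit's own code: a POST gate that first normalizes the Content-Type header (case folding, parameter stripping, whitespace), so that every syntactic variant of a form-capable media type is recognized, and then rejects such a request unless the browser-supplied Origin or Referer names the server itself. The function names, the set of "own" hosts and the sample header values are assumptions made for this example; the allow-list of form media types is simply the three enctype values an HTML form can use, and the sample requests are constructed to mirror the form in this report (which, having no enctype, submits as application/x-www-form-urlencoded).

```python
"""Illustrative CSRF gate for POST requests keyed on a normalized Content-Type.

Added example; not Jackrabbit's own code.  The function names, the set of
"own" hosts and the header values used below are assumptions made for this
illustration.
"""
from typing import Mapping, Optional, Set
from urllib.parse import urlsplit

# The only enctype values an HTML <form> can submit.  A cross-origin form POST
# therefore always carries one of these media types; the first is the default
# and is what the form quoted in the issue report sends.
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def normalize_media_type(content_type: Optional[str]) -> Optional[str]:
    """Reduce a Content-Type header to its lowercase type/subtype.

    Parameters (";charset=...", ";boundary=...") and surrounding whitespace are
    dropped and the case is folded, so every syntactic variant of one media
    type compares equal.  None (header absent) and an empty value map to None.
    """
    if content_type is None:
        return None
    media = content_type.split(";", 1)[0].strip().lower()
    return media or None


def is_form_media_type(content_type: Optional[str]) -> bool:
    """True if the request body could have come from a plain HTML form."""
    return normalize_media_type(content_type) in FORM_MEDIA_TYPES


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def source_host(headers: Mapping[str, str]) -> Optional[str]:
    """Host[:port] named by the Origin header, falling back to Referer."""
    for name in ("Origin", "Referer"):
        value = _header(headers, name)
        if value:
            host = urlsplit(value).netloc.lower()
            if host:
                return host
    return None


def should_reject_post(headers: Mapping[str, str], own_hosts: Set[str]) -> bool:
    """Decide whether a POST looks like a cross-site form submission.

    Requests whose media type cannot be produced by an HTML form (XML, JSON,
    ...) pass this gate and are left to the servlet's normal handling.  A
    form-capable type, or a missing Content-Type, is accepted only when the
    Origin/Referer names one of the server's own hosts; an absent or opaque
    ("null") origin is treated as untrusted.
    """
    content_type = _header(headers, "Content-Type")
    if content_type is not None and not is_form_media_type(content_type):
        return False
    host = source_host(headers)
    return host is None or host not in own_hosts


# Constructed sample requests, modelled on the form quoted in the issue report.
CROSS_SITE_FORM_POST = {
    "Origin": "http://other-site.invalid",
    "Content-Type": "Application/X-WWW-Form-URLEncoded; charset=UTF-8",
}
SAME_SITE_FORM_POST = {
    "Referer": "http://localhost:8080/server/default/",
    "content-type": "application/x-www-form-urlencoded",
}

if __name__ == "__main__":
    own = {"localhost:8080"}  # assumed: the hosts this server answers as
    print("cross-site form POST rejected:", should_reject_post(CROSS_SITE_FORM_POST, own))
    print("same-site form POST rejected: ", should_reject_post(SAME_SITE_FORM_POST, own))
```

      Note that the mixed-case, parameterized Content-Type in the cross-site sample is still recognized as a form type after normalization, which is exactly the case an exact-string comparison misses; a request with a non-form media type is not blocked here because a browser cannot send it cross-origin from a plain form.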


          People

            reschke Julian Reschke