Uploaded image for project: 'Jackrabbit Content Repository'
  1. Jackrabbit Content Repository
  2. JCR-4009

CSRF in Jackrabbit-Webdav (CVE-2016-6801)

    XMLWordPrintableJSON

Details

    Description

      The changes for JCR-4002 have disabled CSRF checking for POST, and thus leave the remoting servlet open for attacks. This HTML form below:

      <form action="http://localhost:8080/server/default/jcr:root/" method="post">
          <input type="text" id="name" name="user_name" />
          <button type="submit">Send your message</button>
          </form>
      

      will successfully cross-origin-POST to jackrabbit-standalone.

      While fixing this issue, it also became clear that the content-type check failed to take syntax variations into account (upper/lowercase, optional parameters)

      Attachments

        1. CVE-2016-6801.txt
          2 kB
          Julian Reschke
        2. JCR-4009.diff
          14 kB
          Julian Reschke

        Issue Links

          Activity

            People

              reschke Julian Reschke
              reschke Julian Reschke
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: