oss-sec mailing list archives
CVE request for the Play Framework
From: David Black <dblack () atlassian com>
Date: Wed, 13 Jul 2016 11:25:58 +1000
In version 2.5.0 of the Play Framework a CSRF bypass that depends upon an implementation bug in chrome's beacon api[0][1] was fixed. The issue was that the Play Framework's CSRF implementation could be bypassed in chrome in certain situations using Beacon requests because the framework assumed that it is only possible to send what is considered a simple request cross-domain. In other words the framework assumed that POST requests with a content-type of application/x-www-form-urlencoded or text/plain or multipart/form-data need to have CSRF checks applied and requests with any other content-type need not be checked. The Beacon (sendBeacon) https://w3c.github.io/beacon/ implementation in chrome[0][1] currently allows requests to be sent cross-domain with non-simple content-types. That is, it is possible to send a post request with a content-type of "application/json" (or any arbitrary content type of an attacker's choice) from an attacker's site (e.g. https://attacker.com) to https://example.com in chrome through executing the following javascript: var payload = '{"key": "value"}'; navigator.sendBeacon('https://example.com', new Blob([payload], {type: 'application/json'})); The fix can be found at https://github.com/playframework/playframework/pull/5608 in commit 7e52bd5f37a4b7b8fd154551d31940a125d81054 (https://github.com/playframework/playframework/pull/5608/commits/7e52bd5f37a4b7b8fd154551d31940a125d81054). Can a CVE be assigned for this issue? [0] - https://bugs.chromium.org/p/chromium/issues/detail?id=490015#c8 [1] https://github.com/w3c/beacon/pull/23/ clarified when implementations of the Beacon API need to first make a CORS preflight request (when non-simple content-types are sent cross-domain using the beacon api then a CORS preflight request needs to be sent first). -- David Black / Security Engineer.
Current thread:
- CVE request for the Play Framework David Black (Jul 12)
- Re: CVE request for the Play Framework cve-assign (Jul 15)
- Re: CVE request for the Play Framework David Black (Jul 17)
- <Possible follow-ups>
- Re: CVE request for the Play Framework Will Sargent (Jul 20)
- Re: CVE request for the Play Framework cve-assign (Jul 15)