Date: Mon, 1 Aug 2016 23:27:23 +0100 From: Dario Bertini <berdario@...il.com> To: oss-security@...ts.openwall.com Subject: CVE Request: CSRF in Grails console The Grails console (aka Grails Debug Console, Grails Web Console) was vulnerable to CSRF. https://grails.org/plugin/console https://github.com/sheehan/grails-console (this is the plugin, not to be confused with the command line grails console: http://docs.grails.org/3.1.1/ref/Command%20Line/console.html ) The fix has been made available in versions 1.5.10, 2.0.7. Versions up to 1.5.9 and 2.0.6 are affected. This allows an attacker to (create pages that when visited by a victim will) forge requests that will execute arbitrary groovy code on the backend (the documentation explains how to enable it in production, and granting access to administrators only, so this is not simply a development tool). Bug tracker: https://github.com/sheehan/grails-console/issues/54 fix commit: https://github.com/sheehan/grails-console/commit/155e0f5f0fe3b3bd7027d730fa00bf0655f28207 Could you allocate a CVE id for this? Thank you On a more general note to Grails programmers, Caveat Auditor: Unfortunately the Grails framework itself ships with some horribly insecure defaults. As of 3.1.9 the template code dropped by `grails create-app` will have a UrlMappings.groovy that will allow access to Grails controllers actions via any HTTP method. CSRF protection is also not enabled by default, and there's no documentation on how to enable it globally. Some deprecated builtin modules in widespread but old Grails versions (i.e. formRemote) also make it impossible to add csrf protection to the associated endpoints. On the bright side, Grails 3.1 added explicit rest mappings: http://docs.grails.org/latest/guide/theWebLayer.html#restfulMappings which makes it clearer which methods are allowed for every action, and harder to forget about it. Compare to allowedMethods http://docs.grails.org/latest/ref/Controllers/allowedMethods.html which can be distant tens/hundreds line of code from the actual controller-action they are protecting, and moreover can be easily forgotten in a new file, also because they aren't added by default when creating a controller with `grails create-controller` It's thus likely that you might find more csrf vulnerabilities in other open source plugins, as well as in your closed source applications.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ