Date: Mon, 1 Aug 2016 23:27:23 +0100
From: Dario Bertini <>
Subject: CVE Request: CSRF in Grails console

The Grails console (aka Grails Debug Console, Grails Web Console) was
vulnerable to CSRF.

(this is the plugin, not to be confused with the command line grails

The fix has been made available in versions 1.5.10, 2.0.7. Versions up
to 1.5.9 and 2.0.6 are affected.

This allows an attacker to (create pages that when visited by a victim
will) forge requests that will execute arbitrary groovy code on the
backend (the documentation explains how to enable it in production,
and granting access to administrators only, so this is not simply a
development tool).

Bug tracker:
fix commit:

Could you allocate a CVE id for this?

Thank you

On a more general note to Grails programmers, Caveat Auditor:

Unfortunately the Grails framework itself ships with some horribly
insecure defaults. As of 3.1.9 the template code dropped by `grails
create-app` will have a UrlMappings.groovy that will allow access to
Grails controllers actions via any HTTP method. CSRF protection is
also not enabled by default, and there's no documentation on how to
enable it globally. Some deprecated builtin modules in widespread but
old Grails versions (i.e. formRemote) also make it impossible to add
csrf protection to the associated endpoints.

On the bright side, Grails 3.1 added explicit rest mappings:

which makes it clearer which methods are allowed for every action, and
harder to forget about it. Compare to allowedMethods,
which can be tens or hundreds of lines of code away from the actual
controller action they are protecting, and moreover can be easily
forgotten in a new file, also because they aren't added by default
when creating a controller with `grails create-controller`.
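As an added illustration of the three points above (it is not code from the post, the console plugin, or the Grails project), here is what the catch-all default mapping looks like next to explicit per-method REST mappings, and a controller that pairs allowedMethods with Grails' built-in synchronizer token check. The BookController and Book domain class are hypothetical names chosen for the example; the mapping and controller APIs shown (get/post/put/delete mappings, allowedMethods, withForm/invalidToken, g:form useToken) are standard Grails 3.1 features.

```groovy
// grails-app/controllers/UrlMappings.groovy (added example; "book" names are assumptions)
class UrlMappings {
    static mappings = {
        // The mapping `grails create-app` generates: any HTTP method reaches any
        // action of any controller, so a GET from an <img src> or a cross-site
        // form POST both land on state-changing actions unless every controller
        // remembers to declare allowedMethods.
        // "/$controller/$action?/$id?(.$format)?" { constraints { } }

        // Explicit REST mappings (Grails 3.1+): the allowed method is written
        // right next to the action it routes to, so a GET can never reach save,
        // update or delete.
        get    "/books"(controller: "book", action: "index")
        get    "/books/$id"(controller: "book", action: "show")
        post   "/books"(controller: "book", action: "save")
        put    "/books/$id"(controller: "book", action: "update")
        delete "/books/$id"(controller: "book", action: "delete")

        "/"(view: "/index")
        "500"(view: "/error")
        "404"(view: "/notFound")
    }
}

// grails-app/controllers/BookController.groovy (added example; hypothetical controller)
class BookController {
    // Enforced by Grails before the action body runs: a request using any other
    // method is answered with 405 Method Not Allowed. Keep it even with explicit
    // mappings, so a stray catch-all mapping added later cannot reopen the hole.
    static allowedMethods = [save: "POST", update: "PUT", delete: "DELETE"]

    def save() {
        // Restricting the method does not stop a forged cross-site POST; the
        // synchronizer token does. withForm validates the token emitted by
        //   <g:form controller="book" action="save" useToken="true"> ... </g:form>
        // and rejects a request that lacks it or replays a consumed one.
        withForm {
            def book = new Book(params)
            if (!book.save(flush: true)) {
                render view: "create", model: [book: book]
                return
            }
            redirect action: "show", id: book.id
        }.invalidToken {
            // Forged or replayed request: refuse without touching the database.
            response.sendError(403, "Invalid or missing form token")
        }
    }
}
```

The token check is per action, which is exactly the author's complaint: nothing here is global, and an action that omits the withForm wrapper is unprotected even when its HTTP method is restricted correctly.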

It's thus likely that you might find more csrf vulnerabilities in
other open source plugins, as well as in your closed source
