Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 1 Aug 2016 23:27:23 +0100
From: Dario Bertini <berdario@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: CSRF in Grails console

The Grails console (aka Grails Debug Console, Grails Web Console) was
vulnerable to CSRF.

https://grails.org/plugin/console
https://github.com/sheehan/grails-console

(this is the plugin, not to be confused with the command line grails
console: http://docs.grails.org/3.1.1/ref/Command%20Line/console.html
)

The fix has been made available in versions 1.5.10, 2.0.7. Versions up
to 1.5.9 and 2.0.6 are affected.

This allows an attacker to (create pages that when visited by a victim
will) forge requests that will execute arbitrary groovy code on the
backend (the documentation explains how to enable it in production,
and granting access to administrators only, so this is not simply a
development tool).

Bug tracker: https://github.com/sheehan/grails-console/issues/54
fix commit: https://github.com/sheehan/grails-console/commit/155e0f5f0fe3b3bd7027d730fa00bf0655f28207

Could you allocate a CVE id for this?

Thank you

On a more general note to Grails programmers, Caveat Auditor:

Unfortunately the Grails framework itself ships with some horribly
insecure defaults. As of 3.1.9 the template code dropped by `grails
create-app` will have a UrlMappings.groovy that will allow access to
Grails controllers actions via any HTTP method. CSRF protection is
also not enabled by default, and there's no documentation on how to
enable it globally. Some deprecated builtin modules in widespread but
old Grails versions (i.e. formRemote) also make it impossible to add
csrf protection to the associated endpoints.

On the bright side, Grails 3.1 added explicit rest mappings:
http://docs.grails.org/latest/guide/theWebLayer.html#restfulMappings

which makes it clearer which methods are allowed for every action, and
harder to forget about it. Compare to allowedMethods
http://docs.grails.org/latest/ref/Controllers/allowedMethods.html
which can be distant tens/hundreds line of code from the actual
controller-action they are protecting, and moreover can be easily
forgotten in a new file, also because they aren't added by default
when creating a controller with `grails create-controller`

It's thus likely that you might find more csrf vulnerabilities in
other open source plugins, as well as in your closed source
applications.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.