Bug 967908

Summary: WebDAV is accessible cross-domain
Product: [Community] PressGang CCMS
Reporter: Trevor Jay <tjay>
Component: Web-UI
Assignee: pressgang-ccms-dev
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: unspecified
Version: 1.1
CC: lnewson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-01 04:15:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Trevor Jay 2013-05-28 14:36:34 UTC
Description of problem:

The WebDAV interface returns a:

Access-Control-Allow-Origin: *

header. 

How reproducible:

always.

Steps to Reproduce:
1. From a bash shell with netcat installed as nc, access the WebDAV interface with the following one-liner:

echo -e "PROPFIND /pressgang-ccms/webdav/ HTTP/1.1\r\nHost: skynet.usersys.redhat.com:8080\r\nDepth: 1\r\nContent-Type: application/xml\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<propfind xmlns=\"DAV:\"><prop>\n<getcontentlength xmlns=\"DAV:\"/>\n<getlastmodified xmlns=\"DAV:\"/>\n<executable xmlns=\"http://apache.org/dav/props/\"/>\n<resourcetype xmlns=\"DAV:\"/>\n<checked-in xmlns=\"DAV:\"/>\n<checked-out xmlns=\"DAV:\"/>\n</prop></propfind>\r\n\r\n" | nc skynet.usersys.redhat.com 8080


Actual results:

Receive the "directory" listing (as expected) with a:

Access-Control-Allow-Origin: *

header.

Expected results:

Receive the "directory" listing with headers that would appropriately block cross-site access.

Additional info:

Some browsers allow calls to methods such as PROPFIND. Combined with this header behavior there is the potential for JavaScript access to the WebDAV interface from arbitrary websites. Drive-by attacks similar to the one detailed in the bugs relating to: https://bugzilla.redhat.com/buglist.cgi?f1=cf_qa_whiteboard&o1=substring&query_format=advanced&v1=poc-fc5fd70a912b seem quite likely. As with that POC, an attacker need not have VPN access, only the ability to have victims within the VPN browse content.

Comment 1 Lee Newson 2013-05-29 07:33:08 UTC
Fixed in 1.0-SNAPSHOT build 20130529-1332.

I've fixed the MessageBodyWriterInterceptor to only work on normal REST endpoints. That way the Access-Control-Allow-Origin header will not be present anymore for all webdav requests, as it shouldn't have ever been there anyways.

Example output (from skynet-dev):

HTTP/1.1 207 Multi-Status
Date: Wed, 29 May 2013 07:23:32 GMT
Server: Apache-Coyote/1.1
Content-Type: text/xml
Connection: close
Transfer-Encoding: chunked

23b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/TOPICS</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>
0
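
A regression check for the header behaviour described in the report and the fix in Comment 1, added here as example code (not PressGang's own code and not part of the original bug): it builds the PROPFIND from the reproduction steps with a correct Content-Length and an Origin header, parses the response headers and reports whether Access-Control-Allow-Origin: * is still returned. The two sample responses are constructed rather than captured from skynet, and the default origin http://example.org is an assumption.

```python
import socket
# Constructed sample responses (not captured from the servers in the bug): RAW_BEFORE
# carries the header the report complains about, RAW_AFTER matches Comment 1's headers.
RAW_BEFORE = (
    b"HTTP/1.1 207 Multi-Status\r\n"
    b"Content-Type: text/xml\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"Connection: close\r\n\r\n"
    b'<D:multistatus xmlns:D="DAV:"/>'
)
RAW_AFTER = (
    b"HTTP/1.1 207 Multi-Status\r\n"
    b"Content-Type: text/xml\r\n"
    b"Connection: close\r\n\r\n"
    b'<D:multistatus xmlns:D="DAV:"/>'
)
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<propfind xmlns="DAV:"><prop><resourcetype/></prop></propfind>'
).encode()

def build_propfind(host, port, path, origin):
    """Depth: 1 PROPFIND as a browser would send it cross-origin; Content-Length
    is set so the server actually reads the XML body (the nc one-liner omits it)."""
    head = [
        f"PROPFIND {path} HTTP/1.1",
        f"Host: {host}:{port}",
        f"Origin: {origin}",
        "Depth: 1",
        "Content-Type: application/xml",
        f"Content-Length: {len(PROPFIND_BODY)}",
        "Connection: close",
    ]
    return "\r\n".join(head).encode() + b"\r\n\r\n" + PROPFIND_BODY

def parse_headers(raw):
    """Return (status line, {lower-cased header name: value}) from a raw HTTP response."""
    status, *lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    return status, {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}

def cors_exposed(raw):
    """True when any web origin may read the response (Access-Control-Allow-Origin: *)."""
    return parse_headers(raw)[1].get("access-control-allow-origin") == "*"

def probe(host, port, path="/pressgang-ccms/webdav/", origin="http://example.org"):
    """Send the PROPFIND over a socket and report whether the WebDAV endpoint is exposed."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(build_propfind(host, port, path, origin))
        raw = b"".join(iter(lambda: s.recv(65536), b""))
    return cors_exposed(raw)
```

Running probe("skynet-dev.usersys.redhat.com", 8080) against a build with the fix should return False; a True result means the interceptor is still adding the header to WebDAV responses.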

Comment 2 Trevor Jay 2013-06-06 01:03:40 UTC
Looks good on my end when hitting skynet-dev. I would have verified sooner, but didn't expect you to take care of it this fast! Thanks for the speedy work.