Bug 967908 - WebDAV is accessible cross-domain
Summary: WebDAV is accessible cross-domain
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: PressGang CCMS
Classification: Community
Component: Web-UI
Version: 1.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: pressgang-ccms-dev
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-05-28 14:36 UTC by Trevor Jay
Modified: 2013-07-01 04:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-01 04:15:49 UTC
Embargoed:



Description Trevor Jay 2013-05-28 14:36:34 UTC
Description of problem:

The WebDAV interface returns a:

Access-Control-Allow-Origin: *

header. 

How reproducible:

always.

Steps to Reproduce:
1. From a bash shell with netcat installed as nc, access the WebDAV interface with the following one-liner:

echo -e 'PROPFIND /pressgang-ccms/webdav/ HTTP/1.1\r\nHost: skynet.usersys.redhat.com:8080\r\nDepth: 1\r\nContent-Type: application/xml\r\n\r\n<?xml version="1.0" encoding="utf-8"?>\n<propfind xmlns="DAV:"><prop>\n<getcontentlength xmlns="DAV:"/>\n<getlastmodified xmlns="DAV:"/>\n<executable xmlns="http://apache.org/dav/props/"/>\n<resourcetype xmlns="DAV:"/>\n<checked-in xmlns="DAV:"/>\n<checked-out xmlns="DAV:"/>\n</prop></propfind>\r\n\r\n' | nc skynet.usersys.redhat.com 8080


Actual results:

Receive the "directory" listing (as expected) with a:

Access-Control-Allow-Origin: *

header.

Expected results:

Receive the "directory" listing with headers that would appropriately block cross-site access.

Additional info:

Some browsers allow calls to methods such as PROPFIND. Combined with this header behavior there is the potential for JavaScript access to the WebDAV interface from arbitrary websites. Drive-by attacks similar to the one detailed in the bugs relating to: https://bugzilla.redhat.com/buglist.cgi?f1=cf_qa_whiteboard&o1=substring&query_format=advanced&v1=poc-fc5fd70a912b seem quite likely. As with that POC, an attacker need not have VPN access, only the ability to have victims within the VPN browse content.

Comment 1 Lee Newson 2013-05-29 07:33:08 UTC
Fixed in 1.0-SNAPSHOT build 20130529-1332.

I've fixed the MessageBodyWriterInterceptor to only work on normal REST endpoints. That way the Access-Control-Allow-Origin header will not be present anymore for all webdav requests, as it shouldn't have ever been there anyway.

Example output (from skynet-dev):

HTTP/1.1 207 Multi-Status
Date: Wed, 29 May 2013 07:23:32 GMT
Server: Apache-Coyote/1.1
Content-Type: text/xml
Connection: close
Transfer-Encoding: chunked

23b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/TOPICS</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>
0
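The check below is an added example, not PressGang CCMS code: it parses a raw HTTP reply like the ones in the report and in Comment 1 and flags an Access-Control-Allow-Origin header on any path outside the REST API, which is the condition the fix above removes for WebDAV. The REST path prefix is an assumption; the WebDAV root is the one from the report.

```python
"""Offline check for CORS headers on WebDAV replies (added example, not PressGang CCMS code).
REST_PREFIX is an assumption; WEBDAV_PREFIX is the root named in the bug report."""
from typing import Dict, List, Tuple

REST_PREFIX = "/pressgang-ccms/rest/"      # assumed location of the REST API
WEBDAV_PREFIX = "/pressgang-ccms/webdav/"  # WebDAV root named in the report

def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers keyed by lower-cased name) from a raw reply."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_cors(path: str, raw: str) -> List[str]:
    """Findings for one response on `path`; an empty list means nothing to report."""
    _status, headers = parse_response(raw)
    acao = headers.get("access-control-allow-origin")
    findings: List[str] = []
    if acao is None:
        return findings  # no cross-origin read access granted on this path
    if not path.startswith(REST_PREFIX):
        findings.append(f"Access-Control-Allow-Origin: {acao} on non-REST path {path}")
    if acao == "*":
        findings.append("wildcard origin: any page the browser loads may read the body")
    return findings

# Constructed sample: the WebDAV reply as the report describes it (before the fix).
BEFORE = ("HTTP/1.1 207 Multi-Status\r\n"
          "Content-Type: text/xml\r\n"
          "Access-Control-Allow-Origin: *\r\n"
          "\r\n<?xml version=\"1.0\"?><D:multistatus xmlns:D=\"DAV:\"/>")
# Constructed sample: the header set Comment 1 shows after the fix (no CORS header).
AFTER = ("HTTP/1.1 207 Multi-Status\r\n"
         "Server: Apache-Coyote/1.1\r\n"
         "Content-Type: text/xml\r\n"
         "Transfer-Encoding: chunked\r\n"
         "\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cors(WEBDAV_PREFIX, raw) or ["no findings"])
```

Pointing the same function at a captured REST reply shows the intended contrast: the header is expected there, so only the wildcard line (if any) is reported.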

Comment 2 Trevor Jay 2013-06-06 01:03:40 UTC
Looks good on my end when hitting skynet-dev. I would have verified sooner, but didn't expect you to take care of it this fast! Thanks for the speedy work.

