Bug 967908 - WebDAV is accessible cross-domain
Product: PressGang CCMS
Classification: Community
Component: Web-UI
Severity: medium
Assigned To: pressgang-ccms-dev
Keywords: Security
Reported: 2013-05-28 10:36 EDT by Trevor Jay
Modified: 2013-07-01 00:15 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-07-01 00:15:49 EDT
Type: Bug

Description Trevor Jay 2013-05-28 10:36:34 EDT
Description of problem:

The WebDAV interface returns a:

Access-Control-Allow-Origin: *


How reproducible:


Steps to Reproduce:
1. From a bash shell with netcat installed as nc, access the WebDAV interface with the following one-liner:

echo -e 'PROPFIND /pressgang-ccms/webdav/ HTTP/1.1\r\nHost: skynet.usersys.redhat.com:8080\r\nDepth: 1\r\nContent-Type: application/xml\r\n\r\n<?xml version="1.0" encoding="utf-8"?>\n<propfind xmlns="DAV:"><prop>\n<getcontentlength xmlns="DAV:"/>\n<getlastmodified xmlns="DAV:"/>\n<executable xmlns="http://apache.org/dav/props/"/>\n<resourcetype xmlns="DAV:"/>\n<checked-in xmlns="DAV:"/>\n<checked-out xmlns="DAV:"/>\n</prop></propfind>\r\n\r\n' | nc skynet.usersys.redhat.com 8080

Actual results:

Receive the "directory" listing (as expected) with a:

Access-Control-Allow-Origin: *


Expected results:

Receive the "directory" listing with headers that would appropriately block cross-site access.

Additional info:

Some browsers allow calls to methods such as PROPFIND. Combined with this header behavior there is the potential for JavaScript access to the WebDAV interface from arbitrary websites. Drive-by attacks similar to the one detailed in the bugs relating to: https://bugzilla.redhat.com/buglist.cgi?f1=cf_qa_whiteboard&o1=substring&query_format=advanced&v1=poc-fc5fd70a912b seem quite likely. As with that POC, an attacker need not have VPN access, only the ability to have victims within the VPN browse content.
Comment 1 Lee Newson 2013-05-29 03:33:08 EDT
Fixed in 1.0-SNAPSHOT build 20130529-1332.

I've fixed the MessageBodyWriterInterceptor to only work on normal REST endpoints. That way the Access-Control-Allow-Origin header will not be present anymore for all webdav requests, as it shouldn't have ever been there anyway.

Example output (from skynet-dev):

HTTP/1.1 207 Multi-Status
Date: Wed, 29 May 2013 07:23:32 GMT
Server: Apache-Coyote/1.1
Content-Type: text/xml
Connection: close
Transfer-Encoding: chunked

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/TOPICS</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>
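Editor's added example (not PressGang CCMS code and not part of either comment): a small Python audit that parses raw HTTP responses like the one quoted in comment 1 and flags the condition the description reports, an Access-Control-Allow-Origin header on a WebDAV request, while treating a wildcard on an ordinary REST endpoint as informational only, which is the split the fix in comment 1 describes. The sample responses, the WebDAV path-prefix rule and the REST path are assumptions constructed for this example; the "after fix" sample reuses the header block shown above with a shortened body.

```python
"""Audit raw HTTP responses for a CORS grant on WebDAV requests.

Added example for this bug page, not PressGang CCMS code.  The sample
responses are constructed: BEFORE_FIX carries only the header the report
quotes (Access-Control-Allow-Origin: *), AFTER_FIX uses the header block from
the fixed skynet-dev output, and REST_RESPONSE stands in for a normal REST
endpoint that is allowed to keep the wildcard.
"""
from typing import Dict, List, Tuple

# WebDAV-specific methods.  The report notes some browsers let page scripts
# issue these, so a CORS grant on a WebDAV path lets any origin read the reply.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Path prefix of the WebDAV servlet in this report (assumption: fixed prefix).
WEBDAV_PREFIX = "/pressgang-ccms/webdav/"

BEFORE_FIX = (  # constructed; only the quoted CORS header is taken from the report
    "HTTP/1.1 207 Multi-Status\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"/>'
)

AFTER_FIX = (  # headers as in comment 1; body shortened
    "HTTP/1.1 207 Multi-Status\r\n"
    "Date: Wed, 29 May 2013 07:23:32 GMT\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/xml\r\n"
    "Connection: close\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"/>'
)

REST_RESPONSE = (  # constructed; a REST endpoint keeping the wildcard on purpose
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"topics": []}'
)
REST_PATH = "/pressgang-ccms/rest/topics"  # hypothetical REST path


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_cors(method: str, path: str, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the CORS policy of one response."""
    findings: List[Tuple[str, str]] = []
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return findings  # no cross-origin read access granted at all
    on_webdav = method.upper() in WEBDAV_METHODS or path.startswith(WEBDAV_PREFIX)
    if on_webdav:
        # The rule from comment 1: no CORS header on WebDAV requests at all.
        findings.append(("high", f"{method} {path}: Access-Control-Allow-Origin on WebDAV endpoint"))
    if acao == "*":
        findings.append(("high" if on_webdav else "info", f"{method} {path}: wildcard origin"))
    if acao == "*" and headers.get("access-control-allow-credentials", "").lower() == "true":
        # Browsers reject this pair, but it signals a confused policy worth fixing.
        findings.append(("medium", f"{method} {path}: wildcard origin combined with credentials"))
    return findings


def audit_raw(method: str, path: str, raw: str) -> List[Tuple[str, str]]:
    """Parse a raw response and audit its headers."""
    _, headers, _ = parse_response(raw)
    return audit_cors(method, path, headers)


def webdav_is_clean(raw: str, path: str = WEBDAV_PREFIX) -> bool:
    """True when a PROPFIND response for the WebDAV path carries no CORS grant."""
    return audit_raw("PROPFIND", path, raw) == []


if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for sev, msg in audit_raw("PROPFIND", WEBDAV_PREFIX, raw) or [("ok", "no CORS findings")]:
            print(f"[{label}] {sev}: {msg}")
    for sev, msg in audit_raw("GET", REST_PATH, REST_RESPONSE):
        print(f"[rest] {sev}: {msg}")
```

Run against captured responses from the reproduction one-liner in the description (before and after deploying the fix), `webdav_is_clean` is the single check that should flip from False to True; the REST sample shows that the audit does not complain about the interceptor still emitting the wildcard on ordinary REST endpoints.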
Comment 2 Trevor Jay 2013-06-05 21:03:40 EDT
Looks good on my end when hitting skynet-dev. I would have verified sooner, but didn't expect you to take care of it this fast! Thanks for the speedy work.
