Security issue: Cross Site Content Hijacking #318
Since the response headers when downloading files are not set to secure values, an attacker can perform Cross Site Content Hijacking to extract arbitrary data from a Cryptomator installation. Some more information, including a demo, can be found at https://github.com/nccgroup/CrossSiteContentHijacking
This attack requires that an attacker can upload arbitrary files on their own. Due to the vulnerability pointed out in #319, this is however possible. An attacker would basically just have to upload such a file using CSRF and could then start extracting data.
Performing a PROPFIND to extract the file list is left as an exercise to the reader.
Serve all files with a harmless Content-Disposition of for example
Disclaimer: Normally, I wouldn't report security issues like that in the public. But I was asked by the Cryptomator authors on Twitter to do so.
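As an added illustration of the mitigation the report asks for (this is not code from Cryptomator or its WebDAV stack), a small Python helper that audits the headers of a file-download response for the weaknesses described above and produces a hardened copy; the header values it enforces and the list of "active" content types are my assumptions about a sensible baseline:

```python
# Added example, not Cryptomator/Jackrabbit code: audit and harden the headers
# a file-download endpoint sends, so uploaded content is never interpreted in
# the server's origin (the Cross Site Content Hijacking precondition).

# Types a browser or plugin will execute in the serving origin (assumption).
ACTIVE_TYPES = {"application/x-shockwave-flash", "text/html",
                "application/xhtml+xml", "image/svg+xml"}


def _disposition_type(value):
    """Return the disposition type ('inline', 'attachment', ...) lower-cased."""
    return value.split(";", 1)[0].strip().lower()


def audit_download_headers(headers):
    """Return a list of findings for a download response; empty means OK.

    `headers` maps header name -> value; names are compared case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cd = h.get("content-disposition")
    if cd is None:
        findings.append("Content-Disposition missing: file may be rendered "
                        "or executed in the site's origin")
    elif _disposition_type(cd) != "attachment":
        findings.append(f"Content-Disposition is '{_disposition_type(cd)}', "
                        "expected 'attachment'")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browsers "
                        "may sniff the content type")
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in ACTIVE_TYPES:
        findings.append(f"Content-Type '{ctype}' is an active type; serve "
                        "uploads as application/octet-stream")
    return findings


def harden_download_headers(headers, filename="download.bin"):
    """Return a copy of `headers` with download-safe values applied."""
    drop = {"content-disposition", "x-content-type-options", "content-type"}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    # Strip quotes and control characters so the filename cannot break the
    # header syntax (a simple allow-list is enough for this illustration).
    safe_name = "".join(c for c in filename if c.isprintable() and c != '"')
    out["Content-Type"] = "application/octet-stream"
    out["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    out["X-Content-Type-Options"] = "nosniff"
    return out


# Constructed sample: how a Flash file uploaded into a vault might be served.
WEAK = {"Content-Type": "application/x-shockwave-flash", "Content-Length": "4096"}

if __name__ == "__main__":
    for finding in audit_download_headers(WEAK):
        print("WEAK:", finding)
    print("HARDENED:", harden_download_headers(WEAK, "ContentHijacking.swf"))
```

The same audit can be pointed at a real response by feeding it the headers captured from a download of any file in a vault.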
Aug 9, 2016
Looking at http://mail-archives.apache.org/mod_mbox/jackrabbit-commits/201510.mbox/%3C20151021123021.6383C3A0337@svn01-us-west.apache.org%3E, #319 seems to be caused by an upstream security issue. Their security patch for https://issues.apache.org/jira/browse/JCR-3909 seems incomplete. I will also reach out to them.
Unfortunately not. Adobe software has a very special interpretation of Same-Origin.
Basically what happens here is:
You can easily test this by uploading http://0me.me/ContentHijacking/objects/ContentHijacking.swf to one of your vaults. Then configure it as object file on http://15.rs/ContentHijacking/ContentHijackingLoader.html. As target page use for example a text file in the same vault.