
Cross-Site-Request-Forgery #4824

@lvca


The OrientDB server allows the usage of a parameter for the name of a callback function in
HTTP requests. If such a parameter is used in an HTTP request, the server sends the HTTP response to
the function which is specified in the parameter. This can be used to construct a malicious webpage
which sends a GET request to the OrientDB server in order to get some content. An attacker can read
the HTTP response because of the allowed callback-function parameter.
The OrientDB server provides an interface to request specific entries of a database with the
HTTP method GET.

For example, the URL http://localhost:2480/document/test/5:1 responds with the JSON data of record
5:1. In the case of record 5:1 it is the information about the reader account with the hashed
password.

{"@type":"d","@rid":"#5:1","@version":1,"@class":"OUser","name":"reader","password":"{SHA-256}3D0941964AA3EBDCB00CCEF58B1BB399F9F898465E9886D5AEC7F31090A0FB30","status":"ACTIVE","roles":["#4:1"],"@fieldTypes":"roles=n"}
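As an added detection example (not code from the issue or from the OrientDB project): the script below scans constructed access-log lines for GET requests to the /document/ endpoint that carry a JSONP callback parameter and classifies each by its Referer origin, so cross-origin loads of the kind described above stand out. It assumes the parameter is named `callback` and that the server listens on localhost:2480; both names are assumptions, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format plus Referer);
# not taken from any real OrientDB deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2016:10:00:00 +0000] "GET /document/test/5:1 HTTP/1.1" 200 210 "http://localhost:2480/studio/"
203.0.113.7 - - [01/Jan/2016:10:00:01 +0000] "GET /document/test/5:1?callback=leak HTTP/1.1" 200 230 "http://evil.example/page.html"
203.0.113.9 - - [01/Jan/2016:10:00:02 +0000] "GET /document/test/5:1?callback=render HTTP/1.1" 200 230 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ "(?P<referer>[^"]*)"'
)

SERVER_ORIGINS = {"localhost:2480"}  # assumed host:port of the OrientDB HTTP listener
CALLBACK_PARAM = "callback"          # assumed name of the JSONP callback parameter


def classify(line):
    """Return a finding dict for a JSONP request to /document/, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if m.group("method") != "GET" or not parts.path.startswith("/document/"):
        return None
    qs = parse_qs(parts.query)
    if CALLBACK_PARAM not in qs:
        return None  # plain JSON request, not loadable via a <script> tag
    referer = m.group("referer")
    ref_host = urlsplit(referer).netloc if referer != "-" else ""
    if ref_host == "":
        verdict = "jsonp-no-referer"      # cannot tell the loading origin
    elif ref_host in SERVER_ORIGINS:
        verdict = "jsonp-same-origin"     # e.g. the bundled Studio UI
    else:
        verdict = "jsonp-cross-origin"    # a foreign page loaded the record
    return {"ip": m.group("ip"), "path": parts.path,
            "callback": qs[CALLBACK_PARAM][0],
            "referer_host": ref_host, "verdict": verdict}


def scan(log_text):
    """Classify every line; keep only JSONP requests to /document/."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```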
