https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230710#M183840 <HTML><HEAD></HEAD><BODY><SPAN>All-</SPAN><BR /><BR /><SPAN>Thanks to Jeff Potts at Metaversant ( </SPAN><A href="http://www.metaversant.com" rel="nofollow noopener noreferrer">http://www.metaversant.com</A><SPAN>), Alfresco has become aware of a potential security loophole where the jBPM process deployer servlet runs without authentication. This means that a valid user may deploy a workflow that grants them admin access or similar. However, this loophole does require the user to have a valid account on the system and a good technical understanding of Alfresco.</SPAN><BR /><BR /><SPAN>Alfresco has identified a WAR file configuration change to eliminate this potential security loophole. Alfresco strongly recommends that you complete the following instructions for any 2.1, 2.2, and 3.x system to eliminate the risk.</SPAN><BR /><BR /><SPAN>1. Create a backup directory and give it an appropriate name, such as &lt;ALFRESCOBACKUP&gt;.</SPAN><BR /><SPAN>2. Copy your currently deployed alfresco.war file to this backup directory.</SPAN><BR /><SPAN>3. Create a new empty directory and unzip your backup alfresco. war file there.</SPAN><BR /><SPAN>For Linux</SPAN><BR /><BR /><SPAN>a) mkdir ~/alfresco</SPAN><BR /><SPAN>b) cd ~/alfresco</SPAN><BR /><SPAN>c) jar xvf &lt;ALFRESCOBACKUP&gt;/alfresco.war</SPAN><BR /><BR /><SPAN>For Windows</SPAN><BR /><BR /><SPAN>a) mkdir C:\alfresco</SPAN><BR /><SPAN>b) cd /D C:\alfresco</SPAN><BR /><SPAN>c) jar xvf &lt;ALFRESCOBACKUP&gt;/alfresco.war</SPAN><BR /><BR /><SPAN>4. In this new directory (~/alfresco), edit the WEB-INF/web.xml file to comment out the following lines.</SPAN><BR /><SPAN>Change:</SPAN><BR /><BR /><SPAN>&lt;servlet-mapping&gt;</SPAN><BR /><SPAN>&lt;servlet-name&gt;JBPMDeployProcessServlet&lt;/servlet-name&gt;</SPAN><BR /><SPAN>&lt;url-pattern&gt;/jbpm/deployprocess&lt;/url-pattern&gt;</SPAN><BR /><SPAN>&lt;/servlet-mapping&gt;</SPAN><BR /><BR /><SPAN>To:</SPAN><BR /><BR /><SPAN>&lt;!–servlet-mapping&gt;</SPAN><BR /><SPAN>&lt;servlet-name&gt;JBPMDeployProcessServlet&lt;/servlet-name&gt;</SPAN><BR /><SPAN>&lt;url-pattern&gt;/jbpm/deployprocess&lt;/url-pattern&gt;</SPAN><BR /><SPAN>&lt;/servlet-mapping–&gt;</SPAN><BR /><BR /><BR /><SPAN>5. Zip this directory to create a new alfresco.war.</SPAN><BR /><SPAN>For Linux</SPAN><BR /><BR /><SPAN>a) cd ~/alfresco</SPAN><BR /><SPAN>b) jar cvf ../alfresco.war .</SPAN><BR /><BR /><SPAN>For Windows</SPAN><BR /><BR /><SPAN>a) cd /D C:\alfresco</SPAN><BR /><SPAN>b) jar cvf ..\alfresco.war .</SPAN><BR /><BR /><SPAN>6. Deploy the new alfresco.war using the appropriate instructions for your application server.</SPAN><BR /><SPAN><SPAN>7. Confirm that accessing the URL </SPAN><A class="jive-link-external-small" href="http://" rel="nofollow noopener noreferrer">http://</A><SPAN>&lt;host:8080&gt;/alfresco/jbpm/deployprocess returns a status 404 error.</SPAN></SPAN><BR /><BR /><SPAN>Alfresco has applied this configuration to all hotfix branches, ensuring that all future patches and service packs include the change.</SPAN><BR /><BR /><SPAN>In Alfresco Version 3.3 SP3, you will be able to configure the JBPM process deployer servlet via alfresco-global.properties. Refer to the Alfresco Documentation on Network for more details post-release.</SPAN><BR /><BR /><SPAN>This solution has been verified against 3.3 SP1, 3.2 SP2, 2.2 SP8, and 2.1 SP7.</SPAN></BODY></HTML> Fri, 23 Jul 2010 13:54:14 GMT nancyg 2010-07-23T13:54:14Z https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230710#M183840 All-Thanks to Jeff Potts at Metaversant ( http://www.metaversant.com), Alfresco has become aware of a potential security loophole where the jBPM process deployer servlet runs without authentication. This means that a valid user may deploy a workflow that grants them admin access or similar. However, Fri, 23 Jul 2010 13:54:14 GMT https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230710#M183840 nancyg 2010-07-23T13:54:14Z https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230711#M183841 <HTML><HEAD></HEAD><BODY><SPAN>Another way to solve this security loophole is via an Apache HTTP server in front of the Alfresco installation (Tomcat).</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; &lt;Location "/alfresco/jbpm/deployprocess" &gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Deny from all</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; &lt;/Location&gt;</SPAN><BR /><BR /><SPAN>I always install and configure a separate Apache server which connects to Alfresco on tomcat via mod_proxy_ajp (binary protocol). Normally I even disable the HTTP connector on port 8080. And I also configure Apache to serve the static files using Aliasses on the static directories.</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/images !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/css !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/scripts !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/swf !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/yui !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco ajp://localhost:8009/alfresco</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPassReverse /alfresco ajp://localhost:8009/alfresco</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/images "/opt/alfresco/tomcat/webapps/alfresco/images"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/css "/opt/alfresco/tomcat/webapps/alfresco/css"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/scripts "/opt/alfresco/webapps/alfresco/scripts"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/swf "/opt/alfresco/webapps/alfresco/swf"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/yui "/opt/alfresco/webapps/alfresco/yui"</SPAN><BR /><BR /><SPAN>Advantages:</SPAN><BR /><SPAN>- Tomcat does not have to serve static files. Apache does that a lot better and faster</SPAN><BR /><SPAN>- Use port 80 by default</SPAN><BR /><SPAN>- Using a rewrite rule, I can add /alfresco automatically.</SPAN><BR /><SPAN>- A lot more secure to offer your end users an Apache interface and keep the Tomcat interface including the management console separate. Only open port 80 (and 443) in the firewall.</SPAN><BR /><SPAN>- Very easy to implement SSL on Apache</SPAN><BR /><SPAN>…</SPAN><BR /><BR /><SPAN>In short, just use a Web Server for what it's built and use the Application Server to serve the application, and nothing more.</SPAN><BR /><BR /><SPAN>Implementing this security fix took me only one minute and no restart of Alfresco was required. Even more, the Alfresco war is still original.</SPAN></BODY></HTML> Wed, 04 Aug 2010 12:28:23 GMT https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230711#M183841 heydenb 2010-08-04T12:28:23Z