Important security alert

jpotts — Thu, 26 Apr 2012 23:13:58 GMT

Included in Alfresco 4.0.1 Enterprise is a fix for two critical security issues. The two issues areOLR REST API allows unauthenticated access to repository contents (ALF-13721) (Affects 4.0)Remote code execution possible via Web Script XSLT Processor (ALF-13726) (Affects all versions)If you are an

Re: Important security alert

lotharmärkle — Fri, 27 Apr 2012 11:12:18 GMT

Thank you to direct attention to this issue and for providing an instant fix!

For the XSLT issue, it is maybe possible to disable XSLT if this functionality is not required or while the patch is being prepared:

For 4.0d Community Edition place a file security-fixes-context.xml into /shared/classes/alfresco/extension containing:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<!– override xslt beans to disable xslt processing –>
<!– https://forums.alfresco.com/en/viewtopic.php?f=2&t=44384 –>
<!– https://issues.alfresco.com/jira/browse/ALF-13726 –>
<bean id="xsltRenderingEngine" class="java.lang.String"/>
<bean id="xsltFunctions" class="java.lang.String"/>
<bean id="xsltProcessor" class="java.lang.String"/>
</beans>

Regards,
lothar

topic Re: Important security alert in Alfresco Archive

Important security alert

Re: Important security alert