PLEASE READ: Important Message Regarding Security

nancyg
Champ in-the-making
All-

Thanks to Jeff Potts at Metaversant ( http://www.metaversant.com), Alfresco has become aware of a potential security loophole where the jBPM process deployer servlet runs without authentication. This means that a valid user may deploy a workflow that grants them admin access or similar. However, this loophole does require the user to have a valid account on the system and a good technical understanding of Alfresco.

Alfresco has identified a WAR file configuration change to eliminate this potential security loophole. Alfresco strongly recommends that you complete the following instructions for any 2.1, 2.2, and 3.x system to eliminate the risk.

1. Create a backup directory and give it an appropriate name, such as <ALFRESCOBACKUP>.
2. Copy your currently deployed alfresco.war file to this backup directory.
3. Create a new empty directory and unzip your backup alfresco.war file there.
For Linux

a) mkdir ~/alfresco
b) cd ~/alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

For Windows

a) mkdir C:\alfresco
b) cd /D C:\alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

4. In this new directory (~/alfresco), edit the WEB-INF/web.xml file to comment out the following lines.
Change:

<servlet-mapping>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<url-pattern>/jbpm/deployprocess</url-pattern>
</servlet-mapping>

To:

<!--servlet-mapping>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<url-pattern>/jbpm/deployprocess</url-pattern>
</servlet-mapping-->


5. Zip this directory to create a new alfresco.war.
For Linux

a) cd ~/alfresco
b) jar cvf ../alfresco.war .

For Windows

a) cd /D C:\alfresco
b) jar cvf ..\alfresco.war .

6. Deploy the new alfresco.war using the appropriate instructions for your application server.
7. Confirm that accessing the URL http://<host:8080>/alfresco/jbpm/deployprocess returns a status 404 error.

Alfresco has applied this configuration to all hotfix branches, ensuring that all future patches and service packs include the change.

In Alfresco Version 3.3 SP3, you will be able to configure the JBPM process deployer servlet via alfresco-global.properties. Refer to the Alfresco Documentation on Network for more details post-release.

This solution has been verified against 3.3 SP1, 3.2 SP2, 2.2 SP8, and 2.1 SP7.
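The seven steps above can be scripted so the fix is repeatable across many WAR files and so the result can be audited before deployment. The following is an added example, not Alfresco's own tooling: it treats alfresco.war as the zip archive it is, rewrites WEB-INF/web.xml with the servlet-mapping commented out (the same change as step 4), writes a new WAR, and then parses the patched web.xml to confirm nothing still maps /jbpm/deployprocess. It assumes the servlet is exposed only through the mapping block quoted in the post; the sample web.xml and WAR built inside the script are constructed for the demonstration, not taken from a real installation. The final function performs the step-7 check against a running server and is the only part that needs network access.

```python
"""Added example (not Alfresco's code): script the web.xml fix and audit it.

Assumes alfresco.war is an ordinary zip archive containing WEB-INF/web.xml and
that the JBPMDeployProcessServlet is reachable only via the <servlet-mapping>
block quoted in the post above.
"""
import io
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
import zipfile

DEPLOY_URL = "/jbpm/deployprocess"
WEB_XML = "WEB-INF/web.xml"

# The exact mapping block the post tells you to comment out; whitespace-tolerant.
MAPPING_RE = re.compile(
    r"<servlet-mapping>\s*<servlet-name>JBPMDeployProcessServlet</servlet-name>"
    r"\s*<url-pattern>/jbpm/deployprocess</url-pattern>\s*</servlet-mapping>"
)


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def servlets_mapped_to_deploy_url(web_xml_text):
    """Names of servlets whose <servlet-mapping> still points at DEPLOY_URL.

    A commented-out mapping is invisible to the XML parser, so a correctly
    patched file yields []. Parsing bytes keeps the encoding declaration valid.
    """
    root = ET.fromstring(web_xml_text.encode("utf-8"))
    hits = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in mapping}
        if fields.get("url-pattern") == DEPLOY_URL:
            hits.append(fields.get("servlet-name", "?"))
    return hits


def comment_out_mapping(web_xml_text):
    """Wrap the live mapping in an XML comment; returns (new_text, changed).

    Idempotent: if the parser already sees no live mapping, nothing is touched,
    so re-running never nests comments (which would make the XML invalid).
    """
    if not servlets_mapped_to_deploy_url(web_xml_text):
        return web_xml_text, 0
    return MAPPING_RE.subn(lambda m: "<!-- " + m.group(0) + " -->", web_xml_text)


def patch_war(src, dst):
    """Copy the WAR at src (path or file object) to dst with web.xml patched.

    Every other entry is copied unchanged. Returns the number of mappings changed.
    """
    changed = 0
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename == WEB_XML:
                text, changed = comment_out_mapping(data.decode("utf-8"))
                data = text.encode("utf-8")
            zout.writestr(info, data)
    return changed


def audit_war(war):
    """Offline check on the artifact: which servlets still map DEPLOY_URL."""
    with zipfile.ZipFile(war) as z:
        return servlets_mapped_to_deploy_url(z.read(WEB_XML).decode("utf-8"))


def deploy_endpoint_status(base_url, timeout=10):
    """Step 7 against a live server: HTTP status of /alfresco/jbpm/deployprocess.

    The post expects 404 once the mapping is gone (403 if a front-end proxy
    denies the path instead). Needs network access; not used by the demo.
    """
    url = base_url.rstrip("/") + "/alfresco" + DEPLOY_URL
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed stand-in for alfresco.war: a namespaced web.xml containing the
# exposed mapping plus one unrelated mapping, and one dummy file.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>JBPMDeployProcessServlet</servlet-name>
    <url-pattern>/jbpm/deployprocess</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>faces</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def build_sample_war():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(WEB_XML, SAMPLE_WEB_XML)
        z.writestr("index.jsp", "<html></html>")
    buf.seek(0)
    return buf


def demo():
    """Apply the fix to the sample WAR; returns (before, changed, after, entries)."""
    original = build_sample_war()
    before = audit_war(original)
    original.seek(0)
    patched = io.BytesIO()
    changed = patch_war(original, patched)
    patched.seek(0)
    after = audit_war(patched)
    patched.seek(0)
    with zipfile.ZipFile(patched) as z:
        entries = sorted(z.namelist())
    return before, changed, after, entries


if __name__ == "__main__":
    # For a real file: patch_war("ALFRESCOBACKUP/alfresco.war", "alfresco.war")
    print(demo())  # (['JBPMDeployProcessServlet'], 1, [], ['WEB-INF/web.xml', 'index.jsp'])
```

Auditing the archive rather than only probing the URL catches the case where a later service pack or a colleague redeploys an unpatched WAR: run audit_war over every alfresco.war before it reaches the application server, and keep deploy_endpoint_status as the post-deployment confirmation.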

heydenb
Champ in-the-making
Another way to solve this security loophole is via an Apache HTTP server in front of the Alfresco installation (Tomcat).

    <Location "/alfresco/jbpm/deployprocess" >
        Deny from all
    </Location>

I always install and configure a separate Apache server which connects to Alfresco on Tomcat via mod_proxy_ajp (binary protocol). Normally I even disable the HTTP connector on port 8080. And I also configure Apache to serve the static files using Aliases on the static directories.

    ProxyPass /alfresco/images !
    ProxyPass /alfresco/css !
    ProxyPass /alfresco/scripts !
    ProxyPass /alfresco/swf !
    ProxyPass /alfresco/yui !
    ProxyPass /alfresco ajp://localhost:8009/alfresco
    ProxyPassReverse /alfresco ajp://localhost:8009/alfresco

    Alias /alfresco/images "/opt/alfresco/tomcat/webapps/alfresco/images"
    Alias /alfresco/css "/opt/alfresco/tomcat/webapps/alfresco/css"
    Alias /alfresco/scripts "/opt/alfresco/tomcat/webapps/alfresco/scripts"
    Alias /alfresco/swf "/opt/alfresco/tomcat/webapps/alfresco/swf"
    Alias /alfresco/yui "/opt/alfresco/tomcat/webapps/alfresco/yui"

Advantages:
- Tomcat does not have to serve static files. Apache does that a lot better and faster
- Use port 80 by default
- Using a rewrite rule, I can add /alfresco automatically.
- A lot more secure to offer your end users an Apache interface and keep the Tomcat interface including the management console separate. Only open port 80 (and 443) in the firewall.
- Very easy to implement SSL on Apache


In short, just use a Web Server for what it's built and use the Application Server to serve the application, and nothing more.

Implementing this security fix took me only one minute and no restart of Alfresco was required. Even more, the Alfresco war is still original.