11-13-2017 01:55 PM
Hi,
My Alfresco application is working as expected. But my security guy has found out that the Alfresco site is vulnerable to CSRF. Our application is configured using CAS for login and works through a proxy server. I did not specifically configure a CSRF filter. Please help me fix this CSRF vulnerability.
11-14-2017 02:52 AM
Hi
As far as I know all the configuration you need for CSRF is in the share-security-config.xml. You will find a section <config evaluator="string-compare" condition="CSRFPolicy">.
You can copy the content into the share-config-custom.xml and change the multiple Referers and Origins.
Which version of Alfresco do you have?
Source: Cross-Site Request Forgery (CSRF) filters | Alfresco Documentation
11-14-2017 10:05 AM
This is the version I have seen in my Alfresco README file.
Contains:
- Alfresco Platform: 5.2.g
- Alfresco Share: 5.2.f
I have seen this document you sent me, but what I should change is the question. I have modified the following.
My issue here is to set the Alfresco-CSRFToken cookie to Secure and HttpOnly.
11-15-2017 03:33 PM
So in the tomcat folder of your installation, go to the path shared/classes/alfresco/web-extension/ and you should find a share-config-custom.xml. In this file you should copy the section I mentioned in my earlier reply (<config evaluator="string-compare" condition="CSRFPolicy">).
The origin and referer should be the DNS name of your server if the Share and Alfresco applications are deployed on the same server.
More information on origin and referer in HTTP requests:
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP
Otherwise ask your security guy what you should put as values. Then you need to restart tomcat and he can check directly.
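A worked override for share-config-custom.xml, added here as an illustration of the section the reply above describes (it is not code from the thread or from Alfresco); the element names are recalled from share-security-config.xml, and share.example.com stands in for the real hostname:

```xml
<alfresco-config>
   <!-- Added illustration of the override discussed above (not from the thread or from
        Alfresco); element names follow share-security-config.xml as recalled here. -->
   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
      <properties>
         <token>Alfresco-CSRFToken</token>
         <!-- Behind a proxy Share sees the proxy's view of the request, so put the site's
              public DNS name here (regexes; share.example.com is a placeholder). -->
         <referer>https://share\.example\.com/.*</referer>
         <origin>https://share\.example\.com</origin>
      </properties>
      <!-- The cookie exists so browser-side script can read it and copy it into the
           header (double-submit pattern); a HttpOnly flag would block that read. -->
      <client>
         <cookie>{token}</cookie>
         <header>{token}</header>
      </client>
      <!-- replace="true" drops the shipped rules, so copy all of them over; the two
           shown here are the core of the policy. -->
      <filter>
         <!-- Give a logged-in user a token on page views when none exists yet
              (an empty attribute element means "not set"). -->
         <rule>
            <request>
               <method>GET</method>
               <path>/page/.*</path>
               <session><attribute name="_alf_USER_ID">.+</attribute><attribute name="{token}"/></session>
            </request>
            <action name="generateToken">
               <param name="session">{token}</param>
               <param name="cookie">{token}</param>
            </action>
         </rule>
         <!-- State-changing requests must echo the session token in the header and
              arrive from the configured referer and origin. -->
         <rule>
            <request>
               <method>POST|PUT|DELETE</method>
               <session><attribute name="_alf_USER_ID">.+</attribute></session>
            </request>
            <action name="assertToken">
               <param name="session">{token}</param>
               <param name="header">{token}</param>
            </action>
            <action name="assertReferer"><param name="referer">{referer}</param></action>
            <action name="assertOrigin"><param name="origin">{origin}</param></action>
         </rule>
      </filter>
   </config>
</alfresco-config>
```

Compare the element names with the share-security-config.xml shipped in your own installation before relying on them, and restart Tomcat after saving.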
11-15-2017 04:07 PM
Hi Simon,
I did change "the origin and referer should be the DNS name of your server" in share-config-custom.xml, but it still did not work. My Alfresco-CSRFToken cookie is still not set to Secure and HttpOnly in the Firefox Firebug cookie column.
08-13-2020 07:06 AM
Hi @bhargav_vempall, did you find out how to set the cookie's HttpOnly flag? If you have done it, please help me in doing the same.
Waiting for your reply.