enable Alfresco-CSRF-Token in alfresco

bhargav_vempall
Champ in-the-making

Hi,

My alfresco application is working as expected. But my security guy has found out that the alfresco site has a CSRF vulnerability. Our application is configured using CAS for login and works through a proxy server. I did not specifically configure a CSRF filter. Please help me fix this CSRF vulnerability.


gluck113
Star Contributor

Hi

As far as I know all the configuration you need for CSRF is in the share-security-config.xml. You will find a section <config evaluator="string-compare" condition="CSRFPolicy">.

You can copy the content into the share-custom-config.xml and change the multiple Referers and Origins.

Which version of alfresco do you have?

Source: Cross-Site Request Forgery (CSRF) filters | Alfresco Documentation 

This is the version I have seen in my alfresco readme file.

Contains:
 - Alfresco Platform: 5.2.g
 - Alfresco Share:  5.2.f

I have seen the document you sent me, but what I should change is the question. I have modified the following:

 

My issue here is to set the Alfresco-CSRFToken cookie to secure and Httponly.

So in your tomcat folder of your installation go to the following path shared/classes/alfresco/web-extension/ and you should find a shared-config-custom.xml. In this file you should copy the section I mentioned in my earlier reply (<config evaluator="string-compare" condition="CSRFPolicy">).

The origin and referer should be the dns of your server if the share and alfresco applications are deployed on the same server.

More information on origin and referer in http request:

Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP 

Otherwise ask your security guy what you should put as values. Then you need to restart tomcat and he can check directly.
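As an added illustration of the override the two replies above describe (this is not the original poster's file and not Alfresco's stock configuration), the fragment below goes into share-config-custom.xml under web-extension. It replaces only the `properties` part of the CSRFPolicy section: `referer` is a regular expression matched against the browser's Referer header, `origin` is matched against the Origin header, and alternatives are joined with `|`. The host names are constructed placeholders; for a deployment behind a proxy, as in the question, they must be the public name the browser actually sends, not the internal tomcat host, otherwise every POST to Share is rejected.

```xml
<!-- Added example, not Alfresco's own file. Place in
     shared/classes/alfresco/web-extension/share-config-custom.xml.
     share.example.com is a constructed placeholder: use the DNS name
     users see in the address bar (the proxy's name, not tomcat's). -->
<alfresco-config>

  <!-- replace="true" swaps in these properties for the defaults from
       share-security-config.xml; the filter rules themselves are kept. -->
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <properties>
      <!-- Regular expression: the Referer must start with the public Share URL.
           Several accepted referers are separated with '|'. -->
      <referer>https://share.example.com/.*|https://share-dr.example.com/.*</referer>
      <!-- Exact scheme+host(+port) as sent in the Origin header. -->
      <origin>https://share.example.com|https://share-dr.example.com</origin>
    </properties>
  </config>

</alfresco-config>
```

Two caveats for anyone checking this with a proxy tool afterwards. First, CSRFPolicy only decides which referers and origins the filter accepts; the stock section carries no parameter for the Secure or HttpOnly flags of the Alfresco-CSRFToken cookie. Second, Share's own client-side JavaScript reads that cookie and sends its value back in the Alfresco-CSRFToken request header, which is what the filter's assertToken rule compares against; a token cookie that the page script cannot read would therefore break Share's own requests, so a scanner flagging the missing HttpOnly flag on this particular cookie is reporting the design of the double-submit check rather than a misconfiguration of this file.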

bhargav_vempall
Champ in-the-making

Hi Simon,

I did change the "The origin and referer should be the dns of your server" in shared-config-custom.xml, but it still did not work. My Alfresco-CSRFToken cookie is still not set to secure and HttpOnly in the Firefox Firebug cookie column.

Hi @bhargav_vempall, did you find out how to set the httpOnly flag on the cookie? If you have done it, please help me in doing the same.

Waiting for your reply.