enable Alfresco-CSRF-Token in alfresco

bhargav_vempall
Member II

enable Alfresco-CSRF-Token in alfresco

Hi,

My alfresco application is working as expected, but my security guy has found that the alfresco site has a CSRF vulnerability. Our application is configured to use CAS for login and works through a proxy server. I did not specifically configure a CSRF filter. Please help me fix this CSRF vulnerability.

4 Replies
gluck113
Established Member

Re: enable Alfresco-CSRF-Token in alfresco

Hi

As far as I know, all the configuration you need for CSRF is in share-security-config.xml. You will find a section <config evaluator="string-compare" condition="CSRFPolicy">.

You can copy the content into share-custom-config.xml and change the multiple Referers and Origins.

Which version of alfresco do you have?

Source: Cross-Site Request Forgery (CSRF) filters | Alfresco Documentation 

bhargav_vempall
Member II

Re: enable Alfresco-CSRF-Token in alfresco

This is the version I have seen in my alfresco readme file.

Contains:
 - Alfresco Platform: 5.2.g
 - Alfresco Share:  5.2.f

I have seen the document you sent me, but what I should change is the question. I have modified the following:


My issue here is to set the Alfresco-CSRFToken cookie to secure and Httponly.

gluck113
Established Member

Re: enable Alfresco-CSRF-Token in alfresco

So in the tomcat folder of your installation, go to shared/classes/alfresco/web-extension/ and you should find shared-config-custom.xml. In this file you should copy the section I mentioned in my earlier reply (<config evaluator="string-compare" condition="CSRFPolicy">).

The origin and referer should be the DNS name of your server if the share and alfresco applications are deployed on the same server.

More information on origin and referer in http request:

Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP 

Otherwise, ask your security guy what values you should put there. Then you need to restart tomcat and he can check directly.
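Here is what the override described in the two replies above looks like when written out, as an added example rather than configuration posted by anyone in this thread. It assumes Share is reached through a proxy at the hypothetical public address https://docs.example.com, that the file is tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml (the documented name), and that the `<filter>` rules are copied unchanged from the CSRFPolicy section of share-security-config.xml. Because the Origin header carries only scheme and host while Referer carries the full URL, the origin value is an exact string and the referer value is a pattern; both must be the address the browser actually sees (the proxy's), not the internal Tomcat hostname.

```xml
<!-- share-config-custom.xml: override the CSRFPolicy section.
     replace="true" tells Share to use this block instead of merging it
     with the default in share-security-config.xml. -->
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">

    <properties>
        <!-- Name of the session attribute, cookie and request header that carry the token. -->
        <token>Alfresco-CSRFToken</token>

        <!-- Referer is a full URL, so this is a regular expression matching any page
             under the public (proxy) address. Hypothetical host used here. -->
        <referer>https://docs\.example\.com/.*</referer>

        <!-- Origin is scheme + host only, so this is an exact value, no trailing slash. -->
        <origin>https://docs.example.com</origin>
    </properties>

    <!-- Copy the complete <filter> ... </filter> block, with all of its <rule> entries,
         verbatim from the CSRFPolicy section of share-security-config.xml here.
         The rules reference the values above through the {token}, {referer} and
         {origin} placeholders, so only the <properties> block needs editing. -->
    <filter>
    </filter>

</config>
```

After restarting Tomcat, a quick check is to submit a POST to Share from a page served on a different origin (or replay one with curl while changing the Origin header): it should be rejected, while the same request from the Share UI succeeds. Note that this override only controls which origins and referers the filter accepts; it does not change the attributes of the Alfresco-CSRFToken cookie. In a double-submit design like this one the page's own JavaScript has to read the cookie to copy its value into the request header, so that cookie cannot be marked HttpOnly without breaking the mechanism; the Secure attribute is a separate question for the proxy or servlet container configuration, not for this XML block.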

bhargav_vempall
Member II

Re: enable Alfresco-CSRF-Token in alfresco

Hi Simon,

I changed the origin and referer to "the DNS name of your server" in shared-config-custom.xml and it still did not work. My Alfresco-CSRFToken cookie is still not set to Secure and HttpOnly in the Firefox Firebug cookie column.