
READ: Security Advisory

Question asked by toni.delafuente Employee on Jul 23, 2010
PLEASE READ: Important Message Regarding Security

Hello everyone, I am passing on this important information in English; if you have any questions, we can discuss them in this thread.

Thanks to Jeff Potts at Metaversant, Alfresco has become aware of a potential security loophole where the jBPM process deployer servlet runs without authentication. This means that a valid user may deploy a workflow that grants them admin access or similar. However, this loophole does require the user to have a valid account on the system and a good technical understanding of Alfresco.

Alfresco has identified a WAR file configuration change to eliminate this potential security loophole. Alfresco strongly recommends that you complete the following instructions for any 2.1, 2.2, and 3.x system to eliminate the risk.

1. Create a backup directory and give it an appropriate name, such as <ALFRESCOBACKUP>.
2. Copy your currently deployed alfresco.war file to this backup directory.
3. Create a new empty directory and unzip your backup alfresco.war file there.
For Linux

a) mkdir ~/alfresco
b) cd ~/alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

For Windows

a) mkdir C:\alfresco
b) cd /D C:\alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

4. In this new directory (~/alfresco), edit the WEB-INF/web.xml file to comment out the <servlet> and <servlet-mapping> entries for the jBPM process deployer servlet, i.e. the mapping whose url-pattern is /jbpm/deployprocess (the path checked in step 7). Wrap both entries in <!-- ... --> so the servlet is no longer mapped.

5. Zip this directory to create a new alfresco.war.
For Linux

a) cd ~/alfresco
b) jar cvf ../alfresco.war .

For Windows

a) cd /D C:\alfresco
b) jar cvf ..\alfresco.war .

6. Deploy the new alfresco.war using the appropriate instructions for your application server.
7. Confirm that accessing the URL http://<host>:8080/alfresco/jbpm/deployprocess returns a status 404 error. Any response other than 404 means the servlet is still mapped and the new alfresco.war is not the one being served.

Alfresco has applied this configuration to all hotfix branches, ensuring that all future patches and service packs include the change.

In Alfresco Version 3.3 SP3, you will be able to configure the JBPM process deployer servlet via Refer to the Alfresco Documentation on Network for more details post-release.

This solution has been verified against 3.3 SP1, 3.2 SP2, 2.2 SP8, and 2.1 SP7.
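The following script is an added example, not part of the original post and not Alfresco's own tooling: it automates steps 3 to 7 of the advisory above. It locates the <servlet-mapping> whose <url-pattern> is /jbpm/deployprocess (the path step 7 expects to return 404), the <servlet> it names, wraps both in XML comments, repacks the WAR and offers the 404 check. The servlet-name is discovered from the url-pattern rather than hard-coded, because the sample web.xml and servlet names below are constructed for illustration and are not the real Alfresco ones.

```python
"""Steps 3 to 7 of the advisory, automated. Added example, not Alfresco code.

Finds the <servlet-mapping> whose <url-pattern> is /jbpm/deployprocess (the path
step 7 expects to 404), the <servlet> it names, comments both out, repacks the
WAR and checks the URL. The sample web.xml and servlet names are constructed.
"""
import io
import re
import zipfile
import urllib.error
import urllib.request

DEPLOY_PATTERN = "/jbpm/deployprocess"


def _inside_comment(text, pos):
    """True if offset pos lies inside an unterminated <!-- ... --> comment."""
    return text.rfind("<!--", 0, pos) > text.rfind("-->", 0, pos)


def _mapping_re(url_pattern):
    return re.compile(
        r"<servlet-mapping>\s*<servlet-name>([^<]+)</servlet-name>\s*"
        r"<url-pattern>\s*" + re.escape(url_pattern) + r"\s*</url-pattern>\s*"
        r"</servlet-mapping>")


def _first_live(regex, text):
    """First match that is not already inside a comment, or None."""
    return next((m for m in regex.finditer(text)
                 if not _inside_comment(text, m.start())), None)


def mapping_active(web_xml, url_pattern=DEPLOY_PATTERN):
    """True while an uncommented mapping for url_pattern remains in web.xml."""
    return _first_live(_mapping_re(url_pattern), web_xml) is not None


def disable_servlet(web_xml, url_pattern=DEPLOY_PATTERN):
    """Return web.xml with the <servlet-mapping> for url_pattern and the
    <servlet> it names wrapped in XML comments. Raises ValueError if no live
    mapping exists (already patched) or a block cannot go inside a comment."""
    mapping = _first_live(_mapping_re(url_pattern), web_xml)
    if mapping is None:
        raise ValueError(f"no active servlet-mapping for {url_pattern}")
    name = mapping.group(1).strip()
    servlet_re = re.compile(
        r"<servlet>\s*<servlet-name>\s*" + re.escape(name)
        + r"\s*</servlet-name>.*?</servlet>", re.DOTALL)
    servlet = _first_live(servlet_re, web_xml)
    if servlet is None:
        raise ValueError(f"mapping names unknown servlet {name}")
    out = web_xml
    # Rewrite the later span first so the earlier match's offsets stay valid.
    for m in sorted((mapping, servlet), key=lambda x: x.start(), reverse=True):
        block = m.group(0)
        if "--" in block:  # "--" may not appear inside an XML comment
            raise ValueError("block contains '--'; comment it out by hand")
        out = (out[:m.start()] + "<!-- disabled per security advisory:\n"
               + block + "\n-->" + out[m.end():])
    return out


def patch_war(src, dst):
    """Copy WAR src to dst (paths or file objects), rewriting WEB-INF/web.xml."""
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename == "WEB-INF/web.xml":
                data = disable_servlet(data.decode("utf-8")).encode("utf-8")
            zout.writestr(info, data)


def deployer_is_disabled(base_url, timeout=10):
    """Step 7: True only if GET base_url + /jbpm/deployprocess answers 404
    (base_url like http://host:8080/alfresco). Connection errors propagate."""
    try:
        urllib.request.urlopen(base_url.rstrip("/") + DEPLOY_PATTERN,
                               timeout=timeout)
    except urllib.error.HTTPError as err:
        return err.code == 404
    return False  # a 2xx/3xx answer means the servlet is still mapped


# Constructed sample web.xml; servlet names are hypothetical, not Alfresco's.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>exampleDeployServlet</servlet-name>
    <servlet-class>org.example.DeployProcessServlet</servlet-class></servlet>
  <servlet><servlet-name>otherServlet</servlet-name>
    <servlet-class>org.example.OtherServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>exampleDeployServlet</servlet-name>
    <url-pattern>/jbpm/deployprocess</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>otherServlet</servlet-name>
    <url-pattern>/other</url-pattern></servlet-mapping>
</web-app>
"""


def demo():
    """Build a throwaway WAR in memory, patch it and return the new web.xml."""
    src, dst = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(src, "w") as z:
        z.writestr("WEB-INF/web.xml", SAMPLE_WEB_XML)
        z.writestr("index.jsp", "<%-- placeholder --%>")
    patch_war(src, dst)
    with zipfile.ZipFile(dst) as z:
        return z.read("WEB-INF/web.xml").decode("utf-8")
```

Against a real installation, call patch_war("<ALFRESCOBACKUP>/alfresco.war", "alfresco.war"), deploy the result as in step 6, and then run deployer_is_disabled("http://<host>:8080/alfresco") for step 7. The script refuses to patch a WAR whose mapping is already commented out, so running it twice will not double-wrap the entries, and it leaves every other servlet in web.xml untouched.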