
PLEASE READ: Potential security issue

Question asked by mturatti on Jul 23, 2010
We have been informed of a potential security issue when the jBPM deployment servlet runs without authentication: in that case it is possible to deploy a jBPM workflow that can grant any user (already present in Alfresco) administration rights. A solution has already been found and is explained in the English forum: http://forums.alfresco.com/en/viewtopic.php?f=2&t=28241

The text of the post referred to above is reproduced below for quicker reading:

Thanks to Jeff Potts at Metaversant (http://www.metaversant.com), Alfresco has become aware of a potential security loophole where the jBPM process deployer servlet runs without authentication. This means that a valid user may deploy a workflow that grants them admin access or similar. However, this loophole does require the user to have a valid account on the system and a good technical understanding of Alfresco.

Alfresco has identified a WAR file configuration change to eliminate this potential security loophole. Alfresco strongly recommends that you complete the following instructions for any 2.1, 2.2, and 3.x system to eliminate the risk.

1. Create a backup directory and give it an appropriate name, such as <ALFRESCOBACKUP>.
2. Copy your currently deployed alfresco.war file to this backup directory.
3. Create a new empty directory and unzip your backup alfresco.war file there.
For Linux

a) mkdir ~/alfresco
b) cd ~/alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

For Windows

a) mkdir C:\alfresco
b) cd /D C:\alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

4. In this new directory (~/alfresco), edit the WEB-INF/web.xml file to comment out the following lines.
Change:

<servlet-mapping>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<url-pattern>/jbpm/deployprocess</url-pattern>
</servlet-mapping>

To:

<!--servlet-mapping>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<url-pattern>/jbpm/deployprocess</url-pattern>
</servlet-mapping-->

5. Zip this directory to create a new alfresco.war.
For Linux

a) cd ~/alfresco
b) jar cvf ../alfresco.war .

For Windows

a) cd /D C:\alfresco
b) jar cvf ..\alfresco.war .

6. Deploy the new alfresco.war using the appropriate instructions for your application server.
7. Confirm that accessing the URL http://<host:8080>/alfresco/jbpm/deployprocess returns a status 404 error.

Alfresco has applied this configuration to all hotfix branches, ensuring that all future patches and service packs include the change.

In Alfresco Version 3.3 SP3, you will be able to configure the JBPM process deployer servlet via alfresco-global.properties. Refer to the Alfresco Documentation on Network for more details post-release.

This solution has been verified against 3.3 SP1, 3.2 SP2, 2.2 SP8, and 2.1 SP7.
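As an added example (not Alfresco's own tooling, and not code from the original post), the Python script below automates step 4 of the advisory on an extracted WEB-INF/web.xml: it comments out the JBPMDeployProcessServlet mapping in exactly the <!--servlet-mapping> ... </servlet-mapping--> form shown above, re-parses the result to prove no mapping to the deployer is still live, refuses to write an invalid XML comment, and is safe to run twice. It also carries a helper for the step-7 check (HTTP status of /alfresco/jbpm/deployprocess). The web.xml fragment embedded in it is constructed for the demonstration and its servlet-class value is a placeholder, not Alfresco's real class name.

```python
"""Added example: automate advisory step 4 (and offer a step 7 check).

Not Alfresco tooling. Comments out the servlet-mapping for
JBPMDeployProcessServlet in an extracted WEB-INF/web.xml using the same
<!--servlet-mapping> ... </servlet-mapping--> form the advisory shows, then
re-parses the file to confirm the deployer is no longer mapped.
Usage: python disable_jbpm_deploy.py ~/alfresco/WEB-INF/web.xml
"""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVLET_NAME = "JBPMDeployProcessServlet"   # from the advisory
URL_PATTERN = "/jbpm/deployprocess"          # from the advisory

# Constructed sample fragment for the demonstration; a real Alfresco web.xml is
# much larger and the servlet-class value here is a placeholder.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>JBPMDeployProcessServlet</servlet-name>
    <servlet-class>PLACEHOLDER.DeployServletClass</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>JBPMDeployProcessServlet</servlet-name>
    <url-pattern>/jbpm/deployprocess</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>exampleOtherServlet</servlet-name>
    <url-pattern>/example/other</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Matches an *active* mapping for the deployer servlet. Once the block starts
# with "<!--servlet-mapping>" the literal "<servlet-mapping>" is gone, so a
# second run changes nothing.
_MAPPING_RE = re.compile(
    r"<servlet-mapping>\s*<servlet-name>\s*" + re.escape(SERVLET_NAME)
    + r"\s*</servlet-name>.*?</servlet-mapping>",
    re.DOTALL,
)


def _local(tag: str) -> str:
    """Strip a {namespace} prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def active_deploy_mappings(web_xml: str) -> list:
    """Return the url-patterns still routed to the deployer servlet.

    The parser discards XML comments, so a commented-out mapping does not
    count; a mangled comment marker (e.g. typographic dashes pasted from a
    web page) makes the parse fail loudly instead of silently passing.
    """
    root = ET.fromstring(web_xml.encode("utf-8"))
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = next((c.text or "" for c in mapping
                     if _local(c.tag) == "servlet-name"), "")
        if name.strip() != SERVLET_NAME:
            continue
        patterns.extend((c.text or "").strip() for c in mapping
                        if _local(c.tag) == "url-pattern")
    return patterns


def disable_deploy_servlet(web_xml: str) -> str:
    """Wrap each active deployer mapping in an XML comment (advisory step 4)."""
    def _comment(match):
        block = match.group(0)
        if "--" in block:
            # "--" inside a comment is invalid XML; refuse rather than corrupt.
            raise ValueError("mapping contains '--'; comment it out by hand")
        # "<servlet-mapping>...</servlet-mapping>" ->
        # "<!--servlet-mapping>...</servlet-mapping-->"
        return "<!--" + block[1:-1] + "-->"
    return _MAPPING_RE.sub(_comment, web_xml)


def deploy_endpoint_status(base_url: str, timeout: float = 10.0) -> int:
    """GET <base_url>/alfresco/jbpm/deployprocess and return the HTTP status.

    Advisory step 7 expects 404 once the new WAR is deployed. This is a live
    network call and is not exercised by the offline demonstration.
    """
    url = base_url.rstrip("/") + "/alfresco" + URL_PATTERN
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def main(argv: list) -> int:
    if len(argv) != 2:
        print(__doc__)
        return 2
    path = argv[1]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    before = active_deploy_mappings(original)
    if not before:
        print(f"{path}: deployer servlet already unmapped")
        return 0
    fixed = disable_deploy_servlet(original)
    assert not active_deploy_mappings(fixed), "rewrite left an active mapping"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(fixed)
    print(f"{path}: commented out {len(before)} mapping(s): {before}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it between steps 3 and 5 against the extracted ~/alfresco/WEB-INF/web.xml (or C:\alfresco\WEB-INF\web.xml), then rebuild the WAR as in step 5. The parse-based check is the part worth keeping even if you edit by hand: it confirms the mapping is genuinely gone and catches a comment marker typed with the wrong dashes before the broken web.xml stops the application from starting.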
