
Possible CSRF attack noted when asserting referer header

Question asked by eswbitto on Sep 25, 2013
Latest reply on Sep 26, 2013 by eswbitto
I did a search for this in the forums and came to this THREAD; in that thread there is a link to a JIRA issue that was raised on it. Supposedly this was to be fixed in 4.2.d.

I'm having an issue using 4.2.d when trying to log in. Here is the exception that comes up.


javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://FQDN/share/page/'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://FQDN/share/page/' vs server & context: http://127.0.0.1:8080/ (string) or FQDN:443 (regexp)
   at org.alfresco.web.site.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:920)
   at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:310)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:378)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
   at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1810)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:724)

I'm on Linux 6.4 CentOS, using Apache as my SSL authentication. According to the JIRA link in the thread I mentioned above, there is some code to insert into share-config-custom.xml. I did so and put the referer (4 places) as my FQDN:443.
My Apache config looks like this…


<VirtualHost *:443>
  ServerName FQDN

  SSLEngine on
  SSLCertificateKeyFile
  SSLCertificateFile
  SSLCACertificateFile omitted these lines from your view


  ProxyPass /paste http://192.168.3.125/paste/
  ProxyPassReverse /paste http://192.168.3.125/paste/


  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/


  ProxyTimeout 300
  SSLProxyEngine on

  <Proxy *>
    allow from all
  </Proxy>

</VirtualHost>


I'm wondering if anyone else is having this issue AND/OR why this is still happening if it was to be fixed in 4.2.d.

Any input on the resolution of this would be great. I'm wanting to move to 4.2.d from 4.2.c.
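As an added illustration (not code from the original post and not Alfresco's own source), here is a small Python model of the "Assert referer" test that the exception above describes, run over the exact values from that exception. The match semantics (a prefix test for the "string" leg, an unanchored search for the "regexp" leg) are assumptions made to illustrate the failure; the real filter's behaviour is defined by its source and by what is configured in share-config-custom.xml. "FQDN" is kept as the poster's placeholder for the real host name, and "attacker.example" is a constructed hostname used only for the cross-site cases.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Values copied from the exception on this page. "FQDN" is the poster's placeholder
# for the real host name and is kept as-is.
REFERER_SEEN = "https://FQDN/share/page/"
SERVER_AND_CONTEXT = "http://127.0.0.1:8080/"   # what Tomcat believes its own URL is
REFERER_REGEXP_CONFIGURED = "FQDN:443"           # what the poster put in share-config-custom.xml


@dataclass(frozen=True)
class RefererCheck:
    ok: bool
    matched_by: str   # "string", "regexp" or "none"


def assert_referer(referer: Optional[str], server_context: str,
                   referer_regexp: Optional[str]) -> RefererCheck:
    """Simplified model (an assumption, not Alfresco's code) of the test named in the
    exception: the Referer of a state-changing POST must either start with the
    server's own scheme://host:port/context (string leg) or match an
    operator-supplied regexp (regexp leg). Anything else is treated as a possible
    cross-site request and rejected."""
    if not referer:
        return RefererCheck(False, "none")
    if referer.startswith(server_context):
        return RefererCheck(True, "string")
    if referer_regexp and re.search(referer_regexp, referer):
        return RefererCheck(True, "regexp")
    return RefererCheck(False, "none")


def scenarios() -> dict:
    """Run the check over the page's values and a few constructed variations."""
    anchored = r"^https://FQDN(:443)?/"
    return {
        # 1. Exactly the situation in the exception: both legs fail. The string leg
        #    fails because Apache terminates TLS and Tomcat only sees 127.0.0.1:8080;
        #    the regexp leg fails because browsers omit the default port, so the
        #    Referer is "https://FQDN/...", which never contains "FQDN:443".
        "as_posted": assert_referer(REFERER_SEEN, SERVER_AND_CONTEXT,
                                    REFERER_REGEXP_CONFIGURED),
        # 2. The same regexp would have passed only if the Referer spelled out the port.
        "explicit_port": assert_referer("https://FQDN:443/share/page/",
                                        SERVER_AND_CONTEXT, REFERER_REGEXP_CONFIGURED),
        # 3. A regexp written for what the browser actually sends (port optional).
        "regexp_matches_browser_form": assert_referer(REFERER_SEEN, SERVER_AND_CONTEXT,
                                                      anchored),
        # 4. If the container knew its public URL, the string leg alone would pass.
        "server_knows_public_url": assert_referer(REFERER_SEEN, "https://FQDN/", None),
        # 5. A genuine cross-site POST is rejected by both legs.
        "cross_site": assert_referer("https://attacker.example/", SERVER_AND_CONTEXT,
                                     anchored),
        # 6. Caveat: under search semantics an unanchored substring pattern can be
        #    satisfied from an attacker-controlled URL path, so anchor the pattern
        #    to scheme and host rather than matching a bare "host:port" fragment.
        "unanchored_regexp_bypass": assert_referer("https://attacker.example/FQDN:443/",
                                                   SERVER_AND_CONTEXT,
                                                   REFERER_REGEXP_CONFIGURED),
        "anchored_regexp_no_bypass": assert_referer("https://attacker.example/FQDN:443/",
                                                    SERVER_AND_CONTEXT, anchored),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} ok={str(result.ok):5s} matched_by={result.matched_by}")
```

The point the model makes: the filter compares the browser's Referer against the URL the servlet container thinks it is serving, and behind a TLS-terminating reverse proxy that is http://127.0.0.1:8080/, not https://FQDN/. The configured regexp then has to match the Referer as the browser actually sends it, and a browser omits ":443" for an https URL, so a pattern containing "FQDN:443" never matches. Whatever pattern is used, anchoring it to the scheme and host keeps it from being satisfied by a path an attacker controls.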
