Our CMS is *inside* our secure zone. The problem is that OpenText checks 
whether the referrer is sent and is correct. It is possible to exclude 
destination URLs from the check in the main.config. If I open a URL (such as a 
plugin located in /cms/plugins) the referrer is empty. OpenText has 
proposed two solutions. The first one, using ASP, does not work for me.

a) Change your code to send one

   - Internet Explorer 8 and lower – use this workaround:
   var a = document.createElement("a");
   a.href = "somewhere.asp";
   document.body.appendChild(a);
   a.click();
   - .NET / C# (Referer is a request header, so set it on the outgoing request):
   var req = (HttpWebRequest) WebRequest.Create(url);
   req.Referer = "http://host/cms/";

b) Exclude destination URL from referrer check


On Monday, 24 February 2014 23:21:56 UTC+1, Richard Hauer (5 Limes) wrote:
>
>  Referrer headers are not a secure countermeasure to CSRF attacks.
>
> Your CMS should be *inside* your secure zone and should not require 
> specific CSRF treatment. You could apply IP restrictions at the IIS end, or 
> you could drop out to Kerberos authentication which doesn't rely on cookies 
> and is much harder to spoof.
>
> Richard.
>  ------------------------------
> From: Pierre Kruppik
> Sent: 24/02/2014 22:15
> To: reddot-c...@googlegroups.com
> Subject: Set referer to execute plugin using user-defined job
>
> Hi! 
>
> Since the security-related changes (CSRF) it is not possible to execute a plugin 
> using a user-defined job (call URL). I just added the referer to the header 
> of my plugin, but it doesn't work.
>
> <%
> Response.AddHeader "Referer","http://myhost/cms/"
> %>
>
> Are there any restrictions in the IIS?
>
>
> Regards,
> Pierre
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"RedDot CMS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reddot-cms-users+unsubscr...@googlegroups.com.
To post to this group, send email to reddot-cms-users@googlegroups.com.
Visit this group at http://groups.google.com/group/reddot-cms-users.
For more options, visit https://groups.google.com/groups/opt_out.
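The referer check the thread revolves around (header must be present and point at the CMS, with destination URLs excludable via main.config) can be modelled to see why the user-defined job fails and why exclusion or an explicit Referer fixes it. This is an added example written for this page, not OpenText code; the host, the exclusion entry and the plugin path are constructed.

```python
from urllib.parse import urlsplit

# Constructed values for the example (not from OpenText's configuration):
CMS_ORIGIN = "http://myhost/cms/"                    # the CMS base URL used in the thread
EXCLUDED_PATHS = ("/cms/plugins/nightlyjob.asp",)    # constructed main.config exclusion entry


def referer_check(request_path, headers, cms_origin=CMS_ORIGIN, excluded=EXCLUDED_PATHS):
    """Model of the CMS referer check described in the thread.

    headers is a plain dict with canonical header casing ("Referer").
    Returns (allowed, reason) so callers can log why a request was rejected.
    """
    # Exclusion list wins: an excluded destination is never checked.
    if request_path in excluded:
        return True, "destination excluded from referer check"

    referer = headers.get("Referer")
    # A server-side job or a direct URL open sends no Referer at all.
    if not referer:
        return False, "referer missing"

    expected = urlsplit(cms_origin)
    got = urlsplit(referer)
    # Compare scheme and host exactly, not by string prefix.
    if (got.scheme, got.netloc) != (expected.scheme, expected.netloc):
        return False, "referer host mismatch"
    # The referring page must live under the CMS path.
    if not got.path.startswith(expected.path):
        return False, "referer outside cms path"
    return True, "referer ok"


if __name__ == "__main__":
    plugin = "/cms/plugins/myplugin.asp"
    # Browser click inside the CMS: Referer is sent automatically.
    print(referer_check(plugin, {"Referer": "http://myhost/cms/Navigation.asp"}))
    # User-defined job calling the URL with no Referer: rejected (Pierre's problem).
    print(referer_check(plugin, {}))
    # Solution (a): the job sets a Referer on the outgoing request.
    print(referer_check(plugin, {"Referer": CMS_ORIGIN}))
    # Solution (b): the destination is excluded in main.config.
    print(referer_check("/cms/plugins/nightlyjob.asp", {}))
```

Note that a Response.AddHeader in the plugin itself never reaches this check: it sets a response header after the request has already been evaluated.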
