ManuelFloresBonilla-7693 asked SharonZhao-MSFT edited

Vulnerable clientaccesspolicy.xml file: How do I properly configure?

Hi All,

A scan was recently done on our app server and it showed the vulnerability below (bug described here: https://cwe.mitre.org/data/definitions/942.html ).


Cross-domain and Client Access policies.
State: VULNERABLE
A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. use to access data across different domains. A client access policy file is similar to cross-domain policy but is used for Silverlight applications. Overly permissive configurations enable Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.

http-cross-domain-policy vulnerability source code from web app:


    /clientaccesspolicy.xml:
      <?xml version="1.0" encoding="utf-8" ?> 
      <access-policy>
        <cross-domain-access>
          <policy>
            <allow-from http-request-headers="*">        
              <domain uri="https://server.DOMAIN.com.au"/>        
              <domain uri="https://meeting.DOMAIN.com" />                
            </allow-from>
            <grant-to>
              <resource path="/" include-subpaths="true"/> 
            </grant-to>
          </policy>
          <policy>
            <allow-from http-request-headers="*">
              <domain uri="*" />
            </allow-from>
            <grant-to>
              <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" /> 
            </grant-to>
          </policy>
        </cross-domain-access>
      </access-policy>

Extra information:

Trusted domains: DOMAIN.com.au, DOMAIN.com, *

I'm a system admin so this web development is a bit over my head but I'm taking up the challenge to plug this hole.

What I'm reading is that the clientaccesspolicy.xml file needs to be updated from:

<domain uri="*" /> to a line that explicitly specifies one or more domains.

So far, I've saved the web page that is the clientaccesspolicy.xml as an HTML file and opened it in Visual Studio Code for editing. I'm stuck here, however. I'm not confident in changing the values, nor in how to save the file or even access web folders, etc.



May someone provide me with instructions with the following:

  • how to find the XML file that will implement the changes in the environment

  • how to save the file in the appropriate directory

  • how to access a web folder (I've never done web development)

  • what tools do I need to conduct this task? I have Visual Studio and Fiddler installed so far

  • what's the right syntax for the file? what values do I change for optimal security?

  • anything else that is recommended for best practice

Thanks in advance. I was given this assignment recently and only given 2 days to figure this out so I'm very grateful for any help.





windows-server-iis-security
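An added example (not code from the question or from Microsoft) that parses a clientaccesspolicy.xml shaped like the one posted above, reports for each `<policy>` whether it admits any origin (`<domain uri="*"/>`) or any request headers (`http-request-headers="*"`) and which paths it grants, and rewrites the wildcard domains to an explicit allow-list so the admin can see exactly what the scanner is asking to change. The embedded sample and the example.com origins are constructed stand-ins for the DOMAIN placeholders; which origins belong in the allow-list (and whether the autodiscover path must stay open for a specific client) is the site owner's decision.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the structure posted above (example.com stands in for DOMAIN).
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access>
  <policy>
    <allow-from http-request-headers="*">
      <domain uri="https://server.example.com.au"/>
      <domain uri="https://meeting.example.com"/>
    </allow-from>
    <grant-to><resource path="/" include-subpaths="true"/></grant-to>
  </policy>
  <policy>
    <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
    <grant-to><resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true"/></grant-to>
  </policy>
</cross-domain-access></access-policy>"""

def audit(xml_text):
    """Return one dict per <policy>: its allowed origins, granted paths, and wildcard flags."""
    findings = []
    for idx, policy in enumerate(ET.fromstring(xml_text).iter("policy"), start=1):
        allow = policy.find("allow-from")
        domains = [d.get("uri") for d in allow.findall("domain")] if allow is not None else []
        headers = allow.get("http-request-headers", "") if allow is not None else ""
        findings.append({
            "policy": idx,
            "domains": domains,
            "paths": [r.get("path") for r in policy.iter("resource")],
            "any_origin": "*" in domains,   # any website may call the granted paths
            "any_headers": headers == "*",  # callers may send arbitrary request headers
        })
    return findings

def restrict_wildcards(xml_text, allowed_origins):
    """Replace each <domain uri="*"/> with explicit <domain> entries; return the new XML text."""
    root = ET.fromstring(xml_text)
    for allow in root.iter("allow-from"):
        wild = [d for d in allow.findall("domain") if d.get("uri") == "*"]
        for d in wild:
            allow.remove(d)
        for origin in (allowed_origins if wild else []):
            ET.SubElement(allow, "domain", uri=origin)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
    print(restrict_wildcards(SAMPLE, ["https://server.example.com.au"]))
```

Run it against the real file (`audit(open("clientaccesspolicy.xml").read())`) to see which policy the scanner flagged; the rewritten text from `restrict_wildcards` is what replaces the file in the site's web root once the allow-list is agreed.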

@ManuelFloresBonilla-7693,

Do you use Skype for Business during the process and is there any error message in the Skype for Business server?

According to your description, it seems not much related to Skype for Business. If I misunderstand your words, please give us more information if possible.

Thanks for your patience and understanding.


Hello,

Thank you for your reply. There are no errors on the server. This task is strictly to patch up a security hole so that the network isn't compromised by an attacker through a cross-site request forgery event. So, as of now, with the current configuration of the file displayed above, any domain has access to resources of the current domain, but I want to restrict access to mine only, which is the referenced 'current'. I hope this helps.


After doing some digging, it seems as if this is a false positive. May someone explain how I can justify this as such in order to accept the risk?

SharonZhao-MSFT replied to ManuelFloresBonilla-7693:

@ManuelFloresBonilla-7693,

Welcome to Q&A!

I'm mainly responsible for Skype for Business.

According to your description, it has no obvious problem on our side. This problem seems more related to system security.

Hope someone checking windows-server-iis-security will give more insights.


0 Answers