Vulnerable clientaccesspolicy.xml file: How do I properly configure?

Manuel Flores-Bonilla 6 Reputation points
2021-09-15T21:49:29.983+00:00

Hi All,

A scan was recently done on our app server and it showed the vulnerability below (bug described here: https://cwe.mitre.org/data/definitions/942.html ).

Cross-domain and Client Access policies.
State: VULNERABLE
A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. uses to access data across different domains. A client access policy file is similar to a cross-domain policy but is used for Silverlight applications. Overly permissive configurations enable Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.

http-cross-domain-policy vulnerability source code from web app:

   /clientaccesspolicy.xml:
     <?xml version="1.0" encoding="utf-8" ?>
     <access-policy>
       <cross-domain-access>
         <policy>
           <allow-from http-request-headers="*">
             <domain uri="https://server.DOMAIN.com.au"/>
             <domain uri="https://meeting.DOMAIN.com" />
           </allow-from>
           <grant-to>
             <resource path="/" include-subpaths="true"/>
           </grant-to>
         </policy>
         <policy>
           <allow-from http-request-headers="*">
             <domain uri="*" />
           </allow-from>
           <grant-to>
             <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" />
           </grant-to>
         </policy>
       </cross-domain-access>
     </access-policy>

Extra information:

Trusted domains: DOMAIN.com.au, DOMAIN.com, *

I'm a system admin so this web development is a bit over my head but I'm taking up the challenge to plug this hole.

What I'm reading is that the clientaccesspolicy.xml file needs to be updated from:

`<domain uri="*" />` to explicitly specifying one or more domains.

So far, I've saved the web page that is the clientaccesspolicy.xml as an HTML file and opened it in Visual Studio Code for editing. I'm stuck here, however. I'm not confident in changing the values, nor in how to save the file or even access web folders etc.

May someone provide me with instructions on the following:

  • how to find the XML file that will implement the changes in the environment
  • how to save the file in the appropriate directory
  • how to access a web folder (I've never done web development)
  • what tools do I need to conduct this task? I have Visual Studio and Fiddler installed so far
  • what's the right syntax for the file? what values do I change for optimal security?
  • anything else that is recommended for best practice

Thanks in advance. I was given this assignment recently and only given 2 days to figure this out so I'm very grateful for any help.

Internet Information Services
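As an added example (not code from the question, the scanner, or Microsoft), a Python check that parses the pasted clientaccesspolicy.xml, reports every resource reachable from a wildcard origin (and, as an extension, from any plain-http origin), and rewrites the wildcard entry to the explicit HTTPS origins already trusted in the first policy. The trusted-origin set and the http:// rule are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the clientaccesspolicy.xml pasted in the question.
POLICY_XML = """<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="https://server.DOMAIN.com.au"/>
        <domain uri="https://meeting.DOMAIN.com" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

def find_risky_grants(xml_text):
    """Return (resource path, origin) pairs reachable from '*' or an http:// origin (assumed rule)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for policy in root.iter("policy"):
        origins = [d.get("uri", "") for d in policy.iter("domain")]
        paths = [r.get("path", "") for r in policy.iter("resource")]
        for uri in origins:
            if uri == "*" or uri.lower().startswith("http://"):
                findings.extend((path, uri) for path in paths)
    return findings

def harden(xml_text, trusted_origins):
    """Replace each <domain uri="*"/> with one explicit <domain> per trusted HTTPS origin."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for allow in root.iter("allow-from"):
        for dom in list(allow.findall("domain")):
            if dom.get("uri") == "*":
                allow.remove(dom)  # drop the wildcard, keep the grant-to path as-is
                for origin in sorted(trusted_origins):
                    ET.SubElement(allow, "domain", uri=origin)
    return ET.tostring(root, encoding="unicode")
```

Silverlight requests this file from the site root, so on IIS the copy to edit sits in the web site's physical path (shown under Basic Settings in IIS Manager); re-run the check against the deployed /clientaccesspolicy.xml after saving.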