Bloomreach

Bloomreach Documentation version

CSRF vulnerability in Hippo CMS application 

Issue date: 12-04-2016
Affects versions: 10.2, 10.1, 10.0, 7.9, 7.8

Issue id: SECURITY-20

 

Severity 

Medium


Description

Through an external security report and subsequent further investigation by Hippo we discovered a  security vulnerability within our Hippo CMS application.

 

Important to mention is that this vulnerability do not concern the delivery tier, e.g. websites managed and rendered through Hippo. The issue only applies to the CMS authoring web application, and require an logged in CMS user to exploit.

Hippo has implemented a fix for this vulnerability for all supported versions and provides new releases of the hippo-cms module to be able to upgrade your implementation of Hippo.

Hippo advises all customers to apply this fix by upgrading, detailed instructions are described further below.

 

The fixed vulnerability:

  • A potential CSRF (Cross Site Request Forgery) attack when an authenticated logged-in CMS user in a different tab/window visits a malicious website which trigger a set of javascript requests to the CMS application resulting in actions on behalf of the logged in CMS user. Note that in general for this to work, the user must also run the browser in insecure mode (for example allowing CORS request javascript calls).

The fix has been implemented in the Hippo cms module through internal code changes only and only requires updating the <hippo.cms.version> in the <properties> section of a Hippo project root pom.xml.

The fix does require besides upgrading to the latest minor Hippo CMS 10.2.1, 10.1.3, 7.9.12, or 7.8.13 also a configuration change if you 

  1. Access the cms instance over https
  2. Have a proxy offloading ssl in front of the CMS container 

In this case, you need to configure haproxy, httpd, nginx etc to set the X-Forwarded-Proto header to https. The proxy that does the ssl offloading must set the X-Forwarded-Proto header to https. In httpd, this is for example achieved by including :

RequestHeader set X-Forwarded-Proto https

in the virtual host configuration, see configure apache httpd as reverse proxy for hippo.  You can find online how to achieve this for haproxy or nginx or another proxy. If you do not set the X-Forwarded-Proto the CMS login over https will return:

http status code 400 - origin does not correspond to request

Credits
This vulnerability was discovered and reported by the nccgroup (http://www.nccgroup.trust)