Sorry. Was not aware that OT had implemented these measures in the system. 
Frankly that seems a little unnecessary to me.

Richard

-----Original Message-----
From: "Pierre Kruppik" <[email protected]>
Sent: 25/02/2014 20:43
To: "[email protected]" <[email protected]>
Subject: Re: Set referer to execute plugin using user-defined job

Our CMS is *inside* our secure zone. The problem is that OpenText checks whether 
the referrer is sent and is correct. It is possible to exclude destination URLs 
from the check in main.config. If I open a URL (such as a plugin located in 
/cms/plugins) the referrer is empty. OpenText has proposed two solutions. The 
first one, using ASP, does not work for me.



a) Change your code to send one.
   Internet Explorer 8 and lower: use this workaround:
     // A real anchor click is a normal navigation, so the browser
     // attaches the Referer header of the current page itself.
     var a = document.createElement("a");
     a.href = "somewhere.asp";
     document.body.appendChild(a);
     a.click();
   .NET / C#:
     using System.Net;
     // HttpWebRequest lets the client set the request's Referer header directly.
     var req = (HttpWebRequest) WebRequest.Create(url);
     req.Referer = "http://host/cms/";
     req.GetResponse().Close();
b) Exclude the destination URL from the referrer check.


On Monday, 24 February 2014 23:21:56 UTC+1, Richard Hauer (5 Limes) wrote:
Referrer headers are not a secure countermeasure to CSRF attacks.

Your CMS should be *inside* your secure zone and should not require specific 
CSRF treatment. You could apply IP restrictions at the IIS end, or you could 
drop out to Kerberos authentication which doesn't rely on cookies and is much 
harder to spoof.

Richard.
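As an added example (not part of the original thread and not RedDot/OpenText code), the following Node.js script models the check Pierre describes in his message above and the callers discussed in both messages: a user-defined job that sends no Referer, the same job setting one as in the C# workaround, a cross-site browser request, and a destination excluded from the check. The CMS origin, the plugin paths and the exclusion list are assumptions; the real main.config format is not shown on this page.

```javascript
// Added example, not RedDot/OpenText code. Models a Referer-based request check
// as Pierre describes it: the Referer must be present and point at the CMS,
// unless the destination URL is on an exclusion list (main.config, option b).
// CMS_ORIGIN, EXCLUDED_PATHS and all paths below are assumed for illustration.
const CMS_ORIGIN = 'http://myhost';                     // assumed CMS origin
const EXCLUDED_PATHS = ['/cms/plugins/no_check.asp'];   // assumed exclusion entries

// Server-side check. Returns 'excluded', 'missing-referer', 'foreign-referer' or 'ok'.
function checkReferer(req) {
  const target = new URL(req.url, CMS_ORIGIN);
  if (EXCLUDED_PATHS.includes(target.pathname)) return 'excluded';   // option b)

  const referer = req.headers['referer'];
  if (!referer) return 'missing-referer';      // what Pierre's job runs into

  let refererOrigin;
  try {
    refererOrigin = new URL(referer).origin;
  } catch (e) {
    return 'foreign-referer';                  // unparsable header value
  }
  return refererOrigin === CMS_ORIGIN ? 'ok' : 'foreign-referer';
}

// Request as a user-defined job (a non-browser HTTP client) would send it.
// Passing `referer` mirrors the C# workaround (req.Referer = ...): such a
// client can put any value into the header, so the check only constrains browsers.
function jobRequest(path, referer) {
  const headers = { host: 'myhost', 'user-agent': 'cms-job/1.0' };
  if (referer !== undefined) headers['referer'] = referer;
  return { method: 'GET', url: path, headers };
}

// Request as a browser would send it from a page on another site (a CSRF attempt);
// the browser fills in the Referer of the attacking page.
function crossSiteRequest(path) {
  return {
    method: 'POST',
    url: path,
    headers: { host: 'myhost', referer: 'http://attacker.example/page.html' },
  };
}

// Constructed walk-through of the cases from the thread.
function walkthrough() {
  const plugin = '/cms/plugins/myplugin.asp';   // assumed plugin path
  return {
    jobWithoutReferer: checkReferer(jobRequest(plugin)),                       // 'missing-referer'
    jobWithReferer:    checkReferer(jobRequest(plugin, CMS_ORIGIN + '/cms/')), // 'ok'
    crossSite:         checkReferer(crossSiteRequest(plugin)),                 // 'foreign-referer'
    excludedPath:      checkReferer(jobRequest('/cms/plugins/no_check.asp')),  // 'excluded'
    // Any non-browser client that sets a CMS Referer passes exactly like a real CMS page:
    forgedReferer:     checkReferer({ method: 'POST', url: plugin,
                                      headers: { referer: 'http://myhost/cms/x' } }), // 'ok'
  };
}

console.log(walkthrough());
```

The last two cases are the practical content of the thread: the check blocks the legitimate job only until the job sets the header itself, and it cannot tell that client apart from a CMS page, which is why it helps against browser-driven CSRF at most and not against anything that speaks HTTP directly.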


From: Pierre Kruppik
Sent: 24/02/2014 22:15
To: [email protected]
Subject: Set referer to execute plugin using user-defined job


Hi! 


Since the security-related changes (CSRF) it is not possible to execute a plugin 
using a user-defined job (call URL). I just added the referer to the header of 
my plugin, but it doesn't work.


<%
' Classic ASP: Response.AddHeader adds the header to the HTTP response sent back to the caller
Response.AddHeader "Referer", "http://myhost/cms/"
%>


Are there any restrictions in the IIS?




Regards,
Pierre




-- 
You received this message because you are subscribed to the Google Groups 
"RedDot CMS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/reddot-cms-users.
For more options, visit https://groups.google.com/groups/opt_out.
