PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with OWASP recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF (Cross Site Request Forgery) validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site’s proxy configuration and the way it was configured to handle host header overrides).
However, this issue will continue to persist for sites using a non-standard reverse proxy server configuration to redirect users to new pages (i.e. sites using a proxy running in FRONT of PaperCut, to override host headers).
Depending on a site’s proxy configuration and the version of PaperCut being run, the following resolutions may apply:
Any site with any proxy server configuration, running PaperCut 17.3.0 or above:
Disable the CSRF security enhancement:
In a text editor, open [app-path]/server/server.properties
Either, search for and find the line: server.csrf-check.validate-request-origin, or add a new line: server.csrf-check.validate-request-origin
Set server.csrf-check.validate-request-origin to N.
Restart the service PaperCut Application Server.
Sites with a non-standard reverse proxy server configuration, running PaperCut 17.3.0 or above:
(i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)
Update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header