PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with OWASP recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF (Cross Site Request Forgery) validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site’s proxy configuration and the way it was configured to handle host header overrides).
However, this issue will continue to persist for sites using a non-standard reverse proxy server configuration to redirect users to new pages (i.e. sites using a proxy running in FRONT of PaperCut, to override host headers).
Depending on a site’s proxy configuration and the version of PaperCut being run, the following resolutions may apply:
Any site with any proxy server configuration, running PaperCut 17.3.0 or above:
Disable the CSRF security enhancement:
In a text editor, open [app-path]/server/server.properties
Either, search for and find the line: server.csrf-check.validate-request-origin, or add a new line: server.csrf-check.validate-request-origin
Set server.csrf-check.validate-request-origin to N.
Restart the service PaperCut Application Server.
Note: When editing an existing setting, please remove the leading # character.
Sites with a non-standard reverse proxy server configuration, running PaperCut 17.3.0 or above:
(i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)
Update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header
This release contains an updated Java version which no longer supports 32-bit workstations. If you have any 32-bit users launching the User Client or Release Station from a network share, see this Knowledge Base article for more information.