CSRF validation error


Main.CSRFValidationError History


November 12, 2017, at 11:55 PM by 139.130.165.134 -
Changed lines 5-6 from:
This has been resolved in PaperCut 17.3.4, only for sites using a [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html/|standard proxy server configuration]] to redirect users to new pages (i.e. sites using the [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html/|server.force-host-header in the server.properties file]], to configure the proxy to override host headers).
to:
This has been resolved in PaperCut 17.3.4, only for sites using a [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html|standard proxy server configuration]] to redirect users to new pages (i.e. sites using the [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html|server.force-host-header in the server.properties file]], to configure the proxy to override host headers).
Changed line 22 from:
!!!!Sites with a [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html/|standard proxy server configuration (server.force-host-header)]] , running PaperCut 17.3.0–17.3.3:
to:
!!!!Sites with a [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html|standard proxy server configuration (server.force-host-header)]] , running PaperCut 17.3.0–17.3.3:
October 24, 2017, at 03:35 AM by 139.130.165.134 - Added issue about CSRF validation failing due to the host name containing an underscore (PC-12496)
Added lines 26-28:

!!!!Other known issues:
Requests to the PaperCut server will fail CSRF validation if the host name contains an underscore ("_"). This is due to a known JRE bug.
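Review bot: the new "Other known issues" paragraph names a "known JRE bug" but gives neither a reference nor a remediation, and the PC-12496 identifier in the edit summary does not appear on the page itself. Tell the administrator what to do (reach the Application Server through a host name that contains no underscore, since underscore is not a legal host-name character under RFC 1123 and the JRE refuses it when parsing the request URL) and link the JRE issue so readers can check which Java versions are affected.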
October 02, 2017, at 11:34 AM by timg - Updated to include CSRF meaning.
Changed line 3 from:
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site's proxy configuration and the way it was configured to handle host header overrides).
to:
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF (Cross Site Request Forgery) validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site's proxy configuration and the way it was configured to handle host header overrides).
September 27, 2017, at 07:18 AM by 139.130.165.134 -
Changed lines 3-6 from:
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site's proxy configuration and the way it was configured to handle host header overrides)

This has been resolved in PaperCut 17.3.4, only for sites using a standard proxy server configuration to redirect users to new pages (i.e. sites using the server.force-host-header in the server.properties file, to configure the proxy to override host headers).
to:
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site's proxy configuration and the way it was configured to handle host header overrides).

This has been resolved in PaperCut 17.3.4, only for sites using a [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html/|standard proxy server configuration]] to redirect users to new pages (i.e. sites using the [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html/|server.force-host-header in the server.properties file]], to configure the proxy to override host headers).
Changed line 22 from:
!!!!Sites with a standard proxy server configuration (server.force-host-header), running PaperCut 17.3.0–17.3.3:
to:
!!!!Sites with a [[https://www.papercut.com/products/ng/manual/common/topics/server-host-header.html/|standard proxy server configuration (server.force-host-header)]] , running PaperCut 17.3.0–17.3.3:
September 27, 2017, at 05:00 AM by 139.130.165.134 -
Changed lines 3-9 from:
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message.

This has been resolved in PaperCut 17.3.4, only for sites that experienced the issue due to having configured the server.force-host-header in the server.properties. However, sites that use a non-standard reverse proxy server configuration (i.e. when the host header is overridden by the proxy running in front of PaperCut), may continue to experience this issue, even after upgrading to PaperCut 17.3.4 (or above).

Depending on the site and
the version of PaperCut being run, the following resolutions may apply:

!!!!Any site
running PaperCut 17.3.0 or above:
to:
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site's proxy configuration and the way it was configured to handle host header overrides)

This has been resolved in PaperCut 17.3.4, only for sites using a standard proxy server configuration
to redirect users to new pages (i.e. sites using the server.force-host-header in the server.properties file, to configure the proxy to override host headers).

However, this issue will continue to persist for sites using a non-standard reverse proxy server configuration to redirect users to new pages (i.e. sites using a proxy running in FRONT of PaperCut, to override host headers).

Depending on a site’s proxy configuration and the version of PaperCut being run, the following resolutions may apply:

!!!!Any site with any proxy server configuration,
running PaperCut 17.3.0 or above:
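Review bot: the rewritten second paragraph ("This has been resolved in PaperCut 17.3.4, only for sites using a standard proxy server configuration ... i.e. sites using the server.force-host-header in the server.properties file") relabels the server.force-host-header case as a "proxy server configuration", but that key is set on the PaperCut server itself, not on a proxy, and the previous wording kept the two cases apart. An admin reading this cannot tell whether the 17.3.4 upgrade applies to their site. Keep the distinction explicit: Host header overridden by server.force-host-header in server.properties (fixed in 17.3.4), versus Host header rewritten by a reverse proxy in front of PaperCut (not fixed by the upgrade; needs the X-Forwarded-Host change).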
Changed line 18 from:
!!!!Sites running PaperCut 17.3.0 or above - that use a non-standard reverse proxy server configuration:
to:
!!!!Sites with a non-standard reverse proxy server configuration, running PaperCut 17.3.0 or above:
Changed line 22 from:
!!!!Sites running PaperCut 17.3.0-17.3.3 - that have configured the server.force-host-header in the server.properties:
to:
!!!!Sites with a standard proxy server configuration (server.force-host-header), running PaperCut 17.3.0–17.3.3:
September 27, 2017, at 03:35 AM by 139.130.165.134 -
Changed line 20 from:
!!!!Sites running PaperCut 17.3.0-17.3.3 - that have configured the server.force-host-header in the server.propertieS:
to:
!!!!Sites running PaperCut 17.3.0-17.3.3 - that have configured the server.force-host-header in the server.properties:
September 27, 2017, at 03:30 AM by 139.130.165.134 -
Changed lines 16-17 from:
!!!!Sites running PaperCut 17.3.0 or above -
->[=
that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]
to:
!!!!Sites running PaperCut 17.3.0 or above - that use a non-standard reverse proxy server configuration:
[=
(i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]
Changed lines 20-21 from:
!!!!Sites running PaperCut 17.3.0-17.3.3 -
->[=
that have configured the server.force-host-header in the server.properties=]
to:
!!!!Sites running PaperCut 17.3.0-17.3.3 - that have configured the server.force-host-header in the server.propertieS:
September 27, 2017, at 03:29 AM by 139.130.165.134 -
Changed line 9 from:
!!!!!Any site running PaperCut 17.3.0 or above:
to:
!!!!Any site running PaperCut 17.3.0 or above:
Changed lines 16-17 from:
!!!!!Sites running PaperCut 17.3.0 or above - [=that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]
to:
!!!!Sites running PaperCut 17.3.0 or above -
->
[=that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]
Changed lines 20-21 from:
!!!!!Sites running PaperCut 17.3.0-17.3.3 - [=that have configured the server.force-host-header in the server.properties=]
to:
!!!!Sites running PaperCut 17.3.0-17.3.3 -
->
[=that have configured the server.force-host-header in the server.properties=]
September 27, 2017, at 03:28 AM by 139.130.165.134 -
Changed line 9 from:
!!!!Any site running PaperCut 17.3.0 or above:
to:
!!!!!Any site running PaperCut 17.3.0 or above:
Changed line 16 from:
!!!!Sites running PaperCut 17.3.0 or above - [=that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]
to:
!!!!!Sites running PaperCut 17.3.0 or above - [=that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]
Changed line 19 from:
!!!!Sites running PaperCut 17.3.0-17.3.3 - [=that have configured the server.force-host-header in the server.properties=]
to:
!!!!!Sites running PaperCut 17.3.0-17.3.3 - [=that have configured the server.force-host-header in the server.properties=]
September 27, 2017, at 03:27 AM by 139.130.165.134 -
Changed line 16 from:
!!!!Sites running PaperCut 17.3.0 or above - [=that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]:
to:
!!!!Sites running PaperCut 17.3.0 or above - [=that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]
Changed line 19 from:
!!!!Sites running PaperCut 17.3.0-17.3.3 - [=that have configured the server.force-host-header in the server.properties=]:
to:
!!!!Sites running PaperCut 17.3.0-17.3.3 - [=that have configured the server.force-host-header in the server.properties=]
September 27, 2017, at 03:26 AM by 139.130.165.134 -
Changed line 16 from:
!!!!Sites running PaperCut 17.3.0 or above, that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut):
to:
!!!!Sites running PaperCut 17.3.0 or above - [=that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)=]:
Changed line 19 from:
!!!!Sites running PaperCut 17.3.0-17.3.3, that have configured the server.force-host-header in the server.properties:
to:
!!!!Sites running PaperCut 17.3.0-17.3.3 - [=that have configured the server.force-host-header in the server.properties=]:
September 27, 2017, at 03:24 AM by 139.130.165.134 -
Changed line 9 from:
!!!Any site running PaperCut 17.3.0 or above:
to:
!!!!Any site running PaperCut 17.3.0 or above:
Changed line 16 from:
!!!Sites running PaperCut 17.3.0 or above, that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut):
to:
!!!!Sites running PaperCut 17.3.0 or above, that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut):
Changed line 19 from:
!!!Sites running PaperCut 17.3.0-17.3.3, that have configured the server.force-host-header in the server.properties:
to:
!!!!Sites running PaperCut 17.3.0-17.3.3, that have configured the server.force-host-header in the server.properties:
September 27, 2017, at 03:24 AM by 139.130.165.134 -
Changed line 11 from:
--># In a text editor, open @@[app-path]/server/server.properties@@
to:
# In a text editor, open @@[app-path]/server/server.properties@@
Changed line 21 from:
OR
to:
-->''OR''
September 27, 2017, at 03:23 AM by 139.130.165.134 -
Changed lines 10-11 from:
->Disable the CSRF security enhancement:
# In a text editor, open @@[app-path]/server/server.properties@@
to:
Disable the CSRF security enhancement:
--># In a text editor, open @@[app-path]/server/server.properties@@
September 27, 2017, at 03:22 AM by 139.130.165.134 -
Changed line 10 from:
*Disable the CSRF security enhancement:
to:
->Disable the CSRF security enhancement:
September 27, 2017, at 03:21 AM by 139.130.165.134 -
Changed lines 11-14 from:
-># In a text editor, open @@[app-path]/server/server.properties@@
-># Either, search for and find the line: @@server.csrf-check.validate-request-origin@@, or add a new line: @@server.csrf-check.validate-request-origin@@
-># Set @@server.csrf-check.validate-request-origin@@ to @@N@@.
-># Restart the service PaperCut Application Server.
to:
# In a text editor, open @@[app-path]/server/server.properties@@
# Either, search for and find the line: @@server.csrf-check.validate-request-origin@@, or add a new line: @@server.csrf-check.validate-request-origin@@
# Set @@server.csrf-check.validate-request-origin@@ to @@N@@.
# Restart the service PaperCut Application Server.
September 27, 2017, at 03:21 AM by 139.130.165.134 -
Changed lines 5-8 from:
\\This has been resolved in PaperCut 17.3.4, only for sites that experienced the issue due to having configured the server.force-host-header in the server.properties. However, sites that use a non-standard reverse proxy server configuration (i.e. when the host header is overridden by the proxy running in front of PaperCut), may continue to experience this issue, even after upgrading to PaperCut 17.3.4 (or above).

\\Depending on the site and the version of PaperCut being run, the following resolutions may apply:
to:
This has been resolved in PaperCut 17.3.4, only for sites that experienced the issue due to having configured the server.force-host-header in the server.properties. However, sites that use a non-standard reverse proxy server configuration (i.e. when the host header is overridden by the proxy running in front of PaperCut), may continue to experience this issue, even after upgrading to PaperCut 17.3.4 (or above).

Depending on the site and the version of PaperCut being run, the following resolutions may apply:
Changed lines 11-14 from:
-< # In a text editor, open @@[app-path]/server/server.properties@@
-< # Either, search for and find the line: @@server.csrf-check.validate-request-origin@@, or add a new line: @@server.csrf-check.validate-request-origin@@
-< # Set @@server.csrf-check.validate-request-origin@@ to @@N@@.
-< # Restart the service PaperCut Application Server.
to:
-># In a text editor, open @@[app-path]/server/server.properties@@
-># Either, search for and find the line: @@server.csrf-check.validate-request-origin@@, or add a new line: @@server.csrf-check.validate-request-origin@@
-># Set @@server.csrf-check.validate-request-origin@@ to @@N@@.
-># Restart the service PaperCut Application Server.
September 27, 2017, at 03:19 AM by 139.130.165.134 -
Changed lines 3-13 from:
PaperCut 17.3 has introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message. This can be resolved by any one of the following methods:

!!!Entirely disabling
the CSRF security enhancement:
# In a text editor, open @@[app-path]/
server/server.properties@@
# Either
, search for and find the line: @@server.csrf-check.validate-request-origin@@, or add a new line: @@server.csrf-check.validate-request-origin@@
# Set @@server.csrf-check.validate-request-origin@@ to @@N@@.
# Restart the service
PaperCut Application Server.

!!!Retaining the CSRF security enhancement:
*'''when the host header is overridden by the proxy running in front of
PaperCut''' [= - update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header.=]
*'''when the host header is overridden by the “server.force
-host-header” in server.properties''' [= - update the infrastructure so it doesn’t require host header overrides.=]
to:
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message.

\\
This has been resolved in PaperCut 17.3.4, only for sites that experienced the issue due to having configured the server.force-host-header in the server.properties. However, sites that use a non-standard reverse proxy server configuration (i.e. when the host header is overridden by the proxy running in front of PaperCut), may continue to experience this issue, even after upgrading to PaperCut 17.3.4 (or above).

\\Depending on the site and the version of
PaperCut being run, the following resolutions may apply:

!!!Any site running PaperCut 17.3.0 or above:
*Disable
the CSRF security enhancement:
-< # In a text editor, open @@[app
-path]/server/server.properties@@
-< # Either, search for and find the line: @@server
.csrf-check.validate-request-origin@@, or add a new line: @@server.csrf-check.validate-request-origin@@
-< # Set @@server.csrf-check.validate-request-origin@@ to @@N@@.
-< # Restart the service PaperCut Application Server.

!!!Sites running PaperCut 17.3.0 or above, that use a non-standard reverse proxy server configuration (i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut):
*Update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header

!!!Sites running PaperCut 17.3.0-17.3.3, that have configured the server.force-host-header in the server.properties:
*upgrade to PaperCut 17.3.4 (or above)
OR
*update the infrastructure so it doesn’t require host header overrides.
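Review bot: under "!!!Any site running PaperCut 17.3.0 or above" the only option offered is "Disable the CSRF security enhancement" (server.csrf-check.validate-request-origin set to N), with no caveat. The opening paragraph describes that check as an OWASP-aligned origin check on the Admin and User web interfaces, so switching it off removes the protection for every user of the site, not just the proxy path that is failing. Mark it as a temporary workaround, move it after the two configuration fixes rather than before them, and tell the admin to remove the line again (or restore the default) and restart the Application Server once the host-header setup has been corrected.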
September 20, 2017, at 01:10 PM by 49.199.120.252 -
Changed lines 7-8 from:
# Either, search for and find the config key: @@server.csrf-check.validate-request-origin@@, or add a new line with the config key: @@server.csrf-check.validate-request-origin@@
# Set the config key @@server.csrf-check.validate-request-origin@@ to @@N@@.
to:
# Either, search for and find the line: @@server.csrf-check.validate-request-origin@@, or add a new line: @@server.csrf-check.validate-request-origin@@
# Set @@server.csrf-check.validate-request-origin@@ to @@N@@.
September 15, 2017, at 09:34 AM by 139.130.165.134 -
Changed lines 12-14 from:
*'''when the host header is overridden by the proxy running in front of PaperCut''' [= -update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header.=]
*'''when the host header is overridden by the “server.force-host-header” in server.properties'''
-->update the infrastructure so it doesn’t require host header overrides.
to:
*'''when the host header is overridden by the proxy running in front of PaperCut''' [= - update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header.=]
*'''when the host header is overridden by the “server.force-host-header” in server.properties''' [= - update the infrastructure so it doesn’t require host header overrides.=]
September 15, 2017, at 09:34 AM by 139.130.165.134 -
Changed lines 12-13 from:
*'''when the host header is overridden by the proxy running in front of PaperCut'''
-->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
to:
*'''when the host header is overridden by the proxy running in front of PaperCut''' [= -update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header.=]
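Review bot: this edit deletes the only actionable detail in the proxy branch, "when using mod_proxy with Apache, do not use 'mod_rewrite' to change the host header", leaving just "rely on the X-Forwarded-Host header". Keep the Apache example; the audience is administrators editing a proxy configuration, and that sentence tells them exactly which directive to look for. If it was removed for being Apache-specific, add equivalents for the other common reverse proxies alongside it rather than dropping it.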
September 15, 2017, at 09:32 AM by 139.130.165.134 -
Changed line 13 from:
->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
to:
-->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
Changed line 15 from:
->update the infrastructure so it doesn’t require host header overrides.
to:
-->update the infrastructure so it doesn’t require host header overrides.
September 15, 2017, at 09:32 AM by 139.130.165.134 -
Changed line 13 from:
-->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
to:
->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
Changed line 15 from:
-->update the infrastructure so it doesn’t require host header overrides.
to:
->update the infrastructure so it doesn’t require host header overrides.
September 15, 2017, at 09:32 AM by 139.130.165.134 -
Changed lines 12-15 from:
->'''when the host header is overridden by the proxy running in front of PaperCut'''
*update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
->'''when the host header is overridden by the “server.force-host-header” in server.properties'''
*update the infrastructure so it doesn’t require host header overrides.
to:
*'''when the host header is overridden by the proxy running in front of PaperCut'''
-->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
*'''when the host header is overridden by the “server.force-host-header” in server.properties'''
-->update the infrastructure so it doesn’t require host header overrides.
September 15, 2017, at 09:31 AM by 139.130.165.134 -
Changed line 13 from:
-->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
to:
*update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
Changed line 15 from:
-->update the infrastructure so it doesn’t require host header overrides.
to:
*update the infrastructure so it doesn’t require host header overrides.
September 15, 2017, at 09:30 AM by 139.130.165.134 -
Changed lines 12-15 from:
->!!!!when the host header is overridden by the proxy running in front of PaperCut -
---->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
->!!!!when the host header is overridden by the “server.force-host-header” in server.properties
---->update the infrastructure so it doesn’t require host header overrides.
to:
->'''when the host header is overridden by the proxy running in front of PaperCut'''
-->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
->'''when the host header is overridden by the “server.force-host-header” in server.properties'''
-->update the infrastructure so it doesn’t require host header overrides.
September 15, 2017, at 09:29 AM by 139.130.165.134 -
Changed lines 12-15 from:
!!!!when the host header is overridden by the proxy running in front of PaperCut -
* update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
!!!!when the host header is overridden by the “server.force-host-header” in server.properties
*update the infrastructure so it doesn’t require host header overrides.
to:
->!!!!when the host header is overridden by the proxy running in front of PaperCut -
---->update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
->!!!!when the host header is overridden by the “server.force-host-header” in server.properties
---->update the infrastructure so it doesn’t require host header overrides.
September 15, 2017, at 09:28 AM by 139.130.165.134 -
Changed lines 6-8 from:
# In a text editor, open [app-path]/server/server.properties
# Either, search for and find the config key: server.csrf-check.validate-request-origin, or add a new line with the config key: server.csrf-check.validate-request-origin
# Set the config key server.csrf-check.validate-request-origin to N.
to:
# In a text editor, open @@[app-path]/server/server.properties@@
# Either, search for and find the config key: @@server.csrf-check.validate-request-origin@@, or add a new line with the config key: @@server.csrf-check.validate-request-origin@@
# Set the config key @@server.csrf-check.validate-request-origin@@ to @@N@@.
September 15, 2017, at 09:26 AM by 139.130.165.134 -
Changed lines 7-10 from:
# Either, search for and find the config key: [[<<]]
server.csrf-check.validate-request-origin [[<<]]
or add a new line with the config key: [[<<]]
server.csrf-check.validate-request-origin
to:
# Either, search for and find the config key: server.csrf-check.validate-request-origin, or add a new line with the config key: server.csrf-check.validate-request-origin
September 15, 2017, at 09:25 AM by 139.130.165.134 -
Changed lines 6-9 from:
* In a text editor, open [app-path]/server/server.properties
* Either, search for and find the config key: server.csrf-check.validate-request-origin, or add a new line with the config key: server.csrf-check.validate-request-origin
* Set the config key server.csrf-check.validate-request-origin to N.
* Restart the service PaperCut Application Server.
to:
# In a text editor, open [app-path]/server/server.properties
# Either, search for and find the config key: [[<<]]
server.csrf-check.validate-request-origin [[<<]]
or add a new line with the config key: [[<<]]
server.csrf-check.validate-request-origin
# Set the config key server.csrf-check.validate-request-origin to N.
# Restart the service PaperCut Application Server.
September 15, 2017, at 09:23 AM by 139.130.165.134 -
Deleted lines 2-3:

!Background
September 15, 2017, at 09:23 AM by 139.130.165.134 -
Changed line 7 from:
!!Entirely disabling the CSRF security enhancement:
to:
!!!Entirely disabling the CSRF security enhancement:
Changed lines 13-14 from:
!!Retaining the CSRF security enhancement:
!!!when the host header is overridden by the proxy running in front of PaperCut -
to:
!!!Retaining the CSRF security enhancement:
!!!!when the host header is overridden by the proxy running in front of PaperCut -
Changed line 16 from:
!!!when the host header is overridden by the “server.force-host-header” in server.properties
to:
!!!!when the host header is overridden by the “server.force-host-header” in server.properties
September 15, 2017, at 09:22 AM by 139.130.165.134 -
Changed line 11 from:
Restart the service PaperCut Application Server.
to:
* Restart the service PaperCut Application Server.
September 15, 2017, at 09:21 AM by 139.130.165.134 -
Changed lines 5-17 from:
PaperCut MF/NG 17.3.2 introduced security enhancements that improved coverage of HTTP header origin checks in both the Admin and User web interface, in line with [[http://www.owasp.org/|OWASP]] recommendations.

This enhancement can however produce a CSRF validation error for users trying to login to the Admin and User Web Interface in certain environments.

!!Troubleshooting steps based on your environment
!!!If your proxy running in front of PaperCut MF/NG overrides
the Host header, then:
*switch off request origin validation by setting [@server.csrf-check.validate-request-origin=N@] in [@[app-dir]/server/server.properties@] and restart the Application Server OR
*instead of overriding the Host header, update your proxy configuration to rely on the X
-Forwarded-Host header.
For example, when using mod_proxy with Apache, do not use "mod_rewrite" to change the HOST header
.

!!!If the "server.force-host-header" in server.properties overrides the Host header, then:
*switch off request origin validation by setting [@server.csrf
-check.validate-request-origin=N@] in [@[app-dir]/server/server.properties@] and restart the Application Server OR
*update your infrastructure so it doesn’t require Host
header overrides.
to:
PaperCut 17.3 has introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with [[http://www.owasp.org/|OWASP]]  recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF validation error message. This can be resolved by any one of the following methods:

!!Entirely disabling
the CSRF security enhancement:
* In a text editor, open [app-path]/server/server.properties
* Either, search for
and find the config key: server.csrf-check.validate-request-origin, or add a new line with the config key: server.csrf-check.validate-request-origin
* Set the config key server.csrf-check.validate-request-origin to N.
Restart the service PaperCut Application Server
.

!!Retaining the CSRF security enhancement:
!!!when
the host header is overridden by the proxy running in front of PaperCut -
* update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header. For example, when using mod_proxy with Apache, do not use “mod_rewrite” to change the host header.
!!!when the host header is overridden by the “server.force-host-header” in server.properties
*update the infrastructure so it doesn’t require host
header overrides.
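Review bot: the rewrite replaces "PaperCut MF/NG 17.3.2 introduced security enhancements" with "PaperCut 17.3 has introduced a security enhancement", dropping the exact release that shipped the check; later revisions on this page say "17.3.0-17.3.3", so the affected range ends up stated three different ways. Use the release that actually introduced server.csrf-check.validate-request-origin and keep it consistent. Two smaller points in the same hunk: the placeholder changes from "[app-dir]" to "[app-path]" (pick one), and "Restart the service PaperCut Application Server" lost its bullet marker, so it renders as a stray paragraph after the list.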
September 15, 2017, at 05:13 AM by Willem Groenewald -
Deleted lines 17-18:

September 15, 2017, at 04:58 AM by Willem Groenewald -
Changed line 16 from:
*switch off request origin validation by setting [@server.csrf-check.validate-request-origin=N@] in[@ [app-dir]/server/server.properties@] and restart the Application Server OR
to:
*switch off request origin validation by setting [@server.csrf-check.validate-request-origin=N@] in [@[app-dir]/server/server.properties@] and restart the Application Server OR
September 15, 2017, at 04:55 AM by Willem Groenewald -
Changed line 11 from:
*switch off "server.csrf-check.validate-request-origin" in server.properties OR
to:
*switch off request origin validation by setting [@server.csrf-check.validate-request-origin=N@] in [@[app-dir]/server/server.properties@] and restart the Application Server OR
Changed line 16 from:
*switch off "server.csrf-check.validate-request-origin" in server.properties OR
to:
*switch off request origin validation by setting [@server.csrf-check.validate-request-origin=N@] in[@ [app-dir]/server/server.properties@] and restart the Application Server OR
Added line 18:
September 15, 2017, at 04:03 AM by 139.130.165.134 -
Added lines 1-23:
(:title CSRF validation error:)


!Background
PaperCut MF/NG 17.3.2 introduced security enhancements that improved coverage of HTTP header origin checks in both the Admin and User web interface, in line with [[http://www.owasp.org/|OWASP]] recommendations.

This enhancement can however produce a CSRF validation error for users trying to login to the Admin and User Web Interface in certain environments.

!!Troubleshooting steps based on your environment
!!!If your proxy running in front of PaperCut MF/NG overrides the Host header, then:
*switch off "server.csrf-check.validate-request-origin" in server.properties OR
*instead of overriding the Host header, update your proxy configuration to rely on the X-Forwarded-Host header.
For example, when using mod_proxy with Apache, do not use "mod_rewrite" to change the HOST header.

!!!If the "server.force-host-header" in server.properties overrides the Host header, then:
*switch off "server.csrf-check.validate-request-origin" in server.properties OR
*update your infrastructure so it doesn’t require Host header overrides.


----
''Categories:'' [[Category.Troubleshooting|+]],
----
[-Keywords: CSRF validation error-]
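Review bot: the two troubleshooting branches ("If your proxy running in front of PaperCut MF/NG overrides the Host header" and "If the 'server.force-host-header' in server.properties overrides the Host header") assume the admin already knows which one applies. Add a short diagnostic before them: check server.properties for a server.force-host-header line, and compare the Host header the proxy forwards to PaperCut with the host name in the browser's address bar; whichever component rewrites it is the branch to follow. The "switch off" bullets should also say what value to set and that the Application Server must be restarted (a later edit adds both, but this first-cut text leaves the reader guessing).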


Article last modified on November 12, 2017, at 11:55 PM