CSRF validation error

CSRF validation configs have moved as of PaperCut 23.0.8

From PaperCut 23.0.8 on, the config keys related to CSRF validation have moved. They are now called security.csrf-check.validate-request-origin and security.csrf-check.deny-unknown-origin respectively, and live in [app-path]/server/security.properties. They continue to function much like their predecessors.

Note that the first word of each config key is now security instead of server.

A third config key, security.csrf-check.allowed-domain-list, has also been added as part of this change. It accommodates sites that need general CSRF validation switched on while still allowing specific domains to send POST requests to the PaperCut server.

The value is a single string of semicolon (";") separated entries listing the domains you want POST requests accepted from. PaperCut allows a request when the originating domain ends with the full text of at least one of those entries. This is useful for servers that run payment gateways.

The values inside this string will allow POST backs from defined domains if:

  1. The domain the POST request originates from ends with your defined value. For example, "www.paypal.com" ends with "paypal.com", so if you add "paypal.com" to security.csrf-check.allowed-domain-list, any POST request from "www.paypal.com" will be allowed through. To add multiple values, use a list such as "paypal.com ; nelnet.com"; AND

  2. The defined allowed-domain value has at least 5 characters. For example, ".com" is considered too short because it has only 4 characters. In the interest of your security, be as specific as possible: "paypal.com" is better than "l.com", although both are permitted. This rule applies to each semicolon-separated part; any part shorter than 5 characters will not take effect; AND

  3. The value does not use a wildcard expression such as "*"; the domains added to the security.properties file do not support wildcards.
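
As an added example (not PaperCut's own code), the following Python models the allowed-domain-list rule exactly as documented above: semicolon splitting, the 5-character minimum, no wildcards, and plain suffix matching of the entry against the request's origin host. The setting string and origins it checks are constructed for illustration.

```python
# Added example: models the documented matching rule for
# security.csrf-check.allowed-domain-list. Not PaperCut's code; the
# setting string and origin hosts below are constructed for illustration.
from urllib.parse import urlsplit

MIN_VALUE_LEN = 5  # the article states entries shorter than 5 characters are ignored


def parse_allowed_domains(raw: str) -> list[str]:
    """Split the semicolon-separated setting into the entries that take effect."""
    values = []
    for part in raw.split(";"):
        part = part.strip().lower()
        if not part:
            continue
        if "*" in part:
            # Wildcards are not supported, so such an entry is skipped outright
            # instead of being treated as a literal suffix.
            continue
        if len(part) < MIN_VALUE_LEN:
            continue  # e.g. ".com" is too short and does not take effect
        values.append(part)
    return values


def origin_host(origin_header: str) -> str:
    """Extract the host name from an Origin (or Referer) header value."""
    parsed = urlsplit(origin_header.strip())
    return (parsed.hostname or "").lower()


def origin_allowed(origin_header: str, raw_allowed_list: str) -> bool:
    """True when the origin's host ends with the full text of an effective entry."""
    host = origin_host(origin_header)
    if not host:
        return False
    return any(host.endswith(value) for value in parse_allowed_domains(raw_allowed_list))


if __name__ == "__main__":
    setting = "paypal.com ; nelnet.com ; .com ; *.example.org"  # constructed sample
    for origin in ("https://www.paypal.com", "https://shop.example.org",
                   "https://www.notpaypal.com"):
        print(origin, "->", origin_allowed(origin, setting))
```

Because the documented rule is a plain string-suffix match, an entry such as "paypal.com" also admits a host like "www.notpaypal.com", which is why the article advises keeping each entry as specific as possible.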

Past History

PaperCut 17.3 introduced a security enhancement that broadened the coverage of HTTP header origin checks, in line with OWASP recommendations. However, at some sites, attempting to log into the Admin or User web interface after upgrading to 17.3 produces a CSRF (Cross Site Request Forgery) validation error message. Whether this happens depends on how the PaperCut web server was configured to redirect users to new pages (i.e. the site's proxy configuration and how it handles host header overrides).

This was resolved in PaperCut 17.3.4, but only for sites using a standard proxy server configuration to redirect users to new pages (i.e. sites that set server.force-host-header in the server.properties file so that the proxy overrides host headers).

The issue persists for sites using a non-standard reverse proxy server configuration to redirect users to new pages (i.e. a proxy running in FRONT of PaperCut that overrides host headers).

Depending on a site’s proxy configuration and the version of PaperCut being run, the following resolutions may apply:

Any site with any proxy server configuration, running PaperCut 17.3.0 or above but below 23.0.8:

Disable the CSRF security enhancement:

  1. In a text editor, open [app-path]/server/server.properties
  2. Search for the line server.csrf-check.validate-request-origin, or add it as a new line if it is not present.
  3. Set server.csrf-check.validate-request-origin to N.
  4. Restart the service PaperCut Application Server.

Note: When editing an existing setting, remove the leading # character so the line is no longer commented out.

Sites with a non-standard reverse proxy server configuration, running PaperCut 17.3.0 or above:

(i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)

Either:

  • update the proxy configuration to rely on the X-Forwarded-Host header instead of overriding the host header, and
  • upgrade to PaperCut 17.3.4 (or above);

OR

  • update the infrastructure so it doesn't require host header overrides.

Other known issues:

Requests to the PaperCut server will fail CSRF validation if the host name contains an underscore ("_"). This is due to a known JRE bug.


Categories: Troubleshooting Articles, Security and Privacy

Last updated May 7, 2024