CSRF validation error
PaperCut 17.3 introduced a security enhancement that broadened its HTTP header origin checks, in line with OWASP recommendations. In some environments, however, attempting to log into the Admin or User web interface after upgrading to 17.3 produces a CSRF (Cross-Site Request Forgery) validation error. The cause lies in how the PaperCut web server was set up to redirect users to new pages, i.e. the site’s proxy configuration and the way it handles host header overrides.
PaperCut 17.3.4 resolves this, but only for sites using a standard proxy server configuration to redirect users to new pages (i.e. sites that set server.force-host-header in the server.properties file so that the proxy overrides host headers).
The issue persists for sites using a non-standard reverse proxy configuration to redirect users to new pages (i.e. sites where a proxy running in FRONT of PaperCut overrides host headers).
Depending on a site’s proxy configuration and the version of PaperCut being run, the following resolutions may apply:
Any site with any proxy server configuration, running PaperCut 17.3.0 or above:
Disable the CSRF security enhancement (note that this turns off the request-origin check introduced in 17.3):
- In a text editor, open the server.properties file.
- Either search for the line containing server.csrf-check.validate-request-origin and change it, or add a new line for that setting:
- Restart the PaperCut Application Server service.
Sites with a non-standard reverse proxy server configuration, running PaperCut 17.3.0 or above:
(i.e. host headers are overridden by a proxy configured to run in FRONT of PaperCut)
- Update the proxy configuration to pass the original host in the X-Forwarded-Host header instead of overriding the Host header.
Sites with a standard proxy server configuration (server.force-host-header), running PaperCut 17.3.0–17.3.3:
- Upgrade to PaperCut 17.3.4 (or above).
- Alternatively, update the infrastructure so it doesn’t require host header overrides.
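To show why a proxy that rewrites the Host header trips an origin check while X-Forwarded-Host does not, here is an added, constructed model of an OWASP-style request-origin check. It is not PaperCut’s code; the function names, the `enabled` switch (standing in for the effect of disabling the check) and the sample request are this example’s own assumptions.

```python
from urllib.parse import urlsplit

# Constructed model of a request-origin check (not PaperCut's implementation).


def expected_host(headers, trust_forwarded_host=False):
    """Host the server believes it is serving, as the browser would see it.

    A reverse proxy that overrides Host leaves the proxy's internal name here;
    if the proxy sets X-Forwarded-Host instead and the server is told to trust
    it, the original public host is recovered."""
    if trust_forwarded_host and headers.get("X-Forwarded-Host"):
        # Several proxies may append to this header; the first is the original.
        return headers["X-Forwarded-Host"].split(",")[0].strip().lower()
    return headers.get("Host", "").strip().lower()


def source_host(headers):
    """Host from Origin (preferred) or Referer; None if neither is present."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc.lower() or None
    return None


def validate_request_origin(headers, trust_forwarded_host=False, enabled=True):
    """Return (ok, reason). With the check disabled every request passes;
    otherwise the Origin/Referer host must equal the host the server serves."""
    if not enabled:
        return True, "origin check disabled"
    target = expected_host(headers, trust_forwarded_host)
    source = source_host(headers)
    if source is None:
        return False, "no Origin or Referer header"
    if source != target:
        return False, f"origin host {source!r} != expected host {target!r}"
    return True, "origin matches"


# Constructed request as it reaches the application server when a proxy in
# front of it rewrites Host to an internal name but forwards the public one.
PROXIED_REQUEST = {
    "Host": "papercut-internal.example:9191",
    "X-Forwarded-Host": "print.example.com",
    "Origin": "https://print.example.com",
}

if __name__ == "__main__":
    print(validate_request_origin(PROXIED_REQUEST))
    print(validate_request_origin(PROXIED_REQUEST, trust_forwarded_host=True))
```

The first call fails because the rewritten Host no longer matches the browser’s Origin; the second passes because the expected host is taken from X-Forwarded-Host.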
Other known issues:
Requests to the PaperCut server fail CSRF validation if the host name contains an underscore (“_”). This is due to a known JRE bug.
Keywords: CSRF validation error