[jboss-jira] [JBoss JIRA] (AS7-4391) admin console proxying vs header Origin

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Wed Apr 4 08:21:47 EDT 2012


     [ https://issues.jboss.org/browse/AS7-4391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated AS7-4391:
----------------------------------

             Fix Version/s: 7.1.2.Final-redhat1
    Workaround Description: 
This configuration directive removes the header from all requests:
RequestHeader unset Origin

THIS WORKAROUND WILL LEAVE ANY INSTALLATION VULNERABLE TO CROSS SITE SCRIPTING ATTACKS

  was:
This configuration directive removes the header from all requests:
RequestHeader unset Origin

               Description: 
When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to a mismatch between Origin and Host headers.

Run the server on localhost for example by:
bin/domain.sh

Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
ProxyPassReverseCookieDomain localhost <your server public hostname>
ProxyPassReverse / http://localhost:9990/
ProxyPass        / http://localhost:9990/

These should work:
open http://<your server public hostname> with firefox or IE - this should work
curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work

These fail:
open http://<your server public hostname> with chromium
curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/

What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work.

That protection of the domain management api was introduced in:
https://issues.jboss.org/browse/AS7-2400
https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273

  was:
When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to a mismatch between Origin and Host headers.

Run the server on localhost for example by:
bin/domain.sh

Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
ProxyPassReverseCookieDomain localhost <your server public hostname>
ProxyPassReverse / http://localhost:9990/
ProxyPass        / http://localhost:9990/

These should work:
open http://<your server public hostname> with firefox or IE - this should work
curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work

These fail:
open http://<your server public hostname> with chromium
curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/

What happens is that Chromium correctly sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. Console sees the mismatch and returns 403. Firefox and IE do not set that header so they work.

That protection of admin console was introduced in:
https://issues.jboss.org/browse/AS7-2400
https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273

               Component/s: Domain Management
                                (was: Console)

    
> admin console proxying vs header Origin
> ---------------------------------------
>
>                 Key: AS7-4391
>                 URL: https://issues.jboss.org/browse/AS7-4391
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Domain Management
>    Affects Versions: 7.1.1.Final
>            Reporter: Aleksandar Kostadinov
>            Assignee: Darran Lofthouse
>             Fix For: 7.1.2.Final-redhat1
>
>
> When using a reverse proxy to access AS7 console and a browser that sets the header Origin, 403 is returned due to a mismatch between Origin and Host headers.
> Run the server on localhost for example by:
> bin/domain.sh
> Run apache httpd with the following configuration (e.g. in /etc/httpd/conf.d/proxy_console.conf):
> ProxyPassReverseCookieDomain localhost <your server public hostname>
> ProxyPassReverse / http://localhost:9990/
> ProxyPass        / http://localhost:9990/
> These should work:
> open http://<your server public hostname> with firefox or IE - this should work
> curl -v -u "adminusername:adminpassword" --digest http://localhost:9990/management/ # on the server this should work
> These fail:
> open http://<your server public hostname> with chromium
> curl -v -u "adminusername:adminpassword" -H "Origin: http://<your server public hostname>" --digest http://localhost:9990/management/
> What happens is that Chromium sets the Origin header to the server public IP hostname. mod_proxy keeps that header but sets Host to localhost:9990. The domain management handler sees the mismatch and returns 403. Firefox and IE do not set that header so they work.
> That protection of the domain management api was introduced in:
> https://issues.jboss.org/browse/AS7-2400
> https://github.com/jbossas/jboss-as/commit/29cf3610d8dab1af0227842d877b926543b72273
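To make the failure mode and the cost of the workaround concrete, here is an added Python model of the Origin-versus-Host comparison the report describes; it is not AS7 or mod_proxy code. It assumes the check simply compares the Origin header's host[:port] with the Host header; `console.example.org` and `third-party.example` are constructed inputs, and whether the real handler accepts a Host preserved with Apache's `ProxyPreserveHost On` is an assumption of the model, not something the issue confirms.

```python
from urllib.parse import urlsplit

BACKEND = "localhost:9990"      # where ProxyPass sends requests
PUBLIC = "console.example.org"  # constructed stand-in for <your server public hostname>

def origin_matches_host(headers):
    """Model (not the AS7 source) of the domain management check:
    if the browser sent Origin, its host[:port] must equal Host.
    Requests without Origin pass, which is why Firefox/IE work."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    return urlsplit(origin).netloc.lower() == headers.get("Host", "").lower()

def management_handler(headers):
    """HTTP status the backend answers with."""
    return 200 if origin_matches_host(headers) else 403

def mod_proxy(headers, preserve_host=False, unset_origin=False):
    """Model of httpd forwarding to http://localhost:9990/: by default Host is
    rewritten to the backend address and Origin is left untouched; preserve_host
    models 'ProxyPreserveHost On', unset_origin the 'RequestHeader unset Origin' workaround."""
    forwarded = dict(headers)
    if not preserve_host:
        forwarded["Host"] = BACKEND
    if unset_origin:
        forwarded.pop("Origin", None)
    return forwarded

# Constructed requests as they arrive at httpd.
CHROMIUM = {"Host": PUBLIC, "Origin": "http://" + PUBLIC}  # browser that sets Origin
FIREFOX = {"Host": PUBLIC}                                 # browser that does not
CROSS_SITE = {"Host": PUBLIC, "Origin": "http://third-party.example"}  # what the check exists to reject

def run_scenarios():
    """Status per scenario, the table a defender would confirm with curl -H Origin."""
    cases = {
        "chromium, default proxy": mod_proxy(CHROMIUM),                        # 403: the reported bug
        "firefox, default proxy": mod_proxy(FIREFOX),                          # 200
        "chromium, unset Origin": mod_proxy(CHROMIUM, unset_origin=True),      # 200
        "cross-site, unset Origin": mod_proxy(CROSS_SITE, unset_origin=True),  # 200: protection gone
        "chromium, ProxyPreserveHost": mod_proxy(CHROMIUM, preserve_host=True),      # 200
        "cross-site, ProxyPreserveHost": mod_proxy(CROSS_SITE, preserve_host=True),  # 403
    }
    return {name: management_handler(h) for name, h in cases.items()}

if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(status, name)
```

The model ignores scheme and default-port normalisation, so a real deployment should be verified with the curl commands from the report rather than trusted on this table alone.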

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
