Enable protection against Cross-Site Request Forgery for ECN4Web

Cross-Site Request Forgery (CSRF) is an attack that occurs when a user who is logged in to a web application interacts with an untrusted website in the same browser. The untrusted website can cause the user's browser to submit requests, including the user's session cookies, to the application, which then processes them as if the user had made them. An attacker could use this to perform actions in ECN4Web with the logged-in user's privileges, potentially as a step toward remote code execution and internal access to the terminal operating system.

You can enable protection against Cross-Site Request Forgery by adding the csrfProtection component with its ENABLED setting to the ecn4_settings_prod.xml file and setting the value to true. By default (that is, when the setting is absent) the value is false, so CSRF protection is off until you add it.

To enable protection against Cross-Site Request Forgery for ECN4Web:

  1. Add the following setting to the ecn4_settings_prod.xml file, in both places where that file exists on the server. The default conf directory is:

Windows: C:\ProgramData\Navis\ecn4\conf

Linux: /opt/navis/configuration/ecn4/conf

<!-- This enables CSRF protection for the ECN4 application; the default value is false. -->

<component name="csrfProtection">

<setting name="ENABLED" value="true"/>

</component>

  2. After updating the files, restart the ECN4 service.

  3. If you have custom ECN4Web extensions, you must update the extension code to pass the CSRF token with each request. Otherwise, ECN4 throws a CSRF token violation error and rejects the request. The extension needs to be modified in two places:

     a. Declare the token as a parameter in the header of the stylesheet:

<xsl:param name="csrfToken" required="no"/>

     b. Add the csrfToken attribute to the che tag, for example:

<che CHID="{$cheId}" csrfToken="{$csrfToken}" action="B">
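The following Python script is an added example, not Navis code and not part of the original page: it reports whether a copy of ecn4_settings_prod.xml has csrfProtection/ENABLED set to true, sets it idempotently when it is missing or false, and checks a custom extension stylesheet for the two edits above (the csrfToken parameter and the csrfToken attribute on every che tag). It assumes the settings file is plain XML with component/setting elements under some root (the sample uses a hypothetical settings root element), that extensions are XSLT stylesheets in which che is a literal result element, and that only the documented value "true" enables the feature. The script name csrf_audit.py and both sample inputs are constructed for the example.

```python
"""Audit and patch helpers for the ECN4Web CSRF setting and custom extensions.

Added example, not Navis code. Assumptions (not documented on the page):
  * ecn4_settings_prod.xml is plain XML whose root element (hypothetically
    <settings> here) holds <component name="..."> elements containing
    <setting name="..." value="..."/> children.
  * A custom extension is an XSLT stylesheet in which <che> is a literal
    result element and top-level <xsl:param> elements form its "header".
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
XSL_PARAM = f"{{{XSL_NS}}}param"
TOKEN_AVT = "{$csrfToken}"  # attribute value template the che tag must carry

# Constructed sample config: another component is present, csrfProtection is not.
SAMPLE_CONFIG_DISABLED = """<?xml version="1.0"?>
<settings>
  <component name="someOtherComponent">
    <setting name="TIMEOUT" value="30"/>
  </component>
</settings>
"""

# Constructed sample extension written before CSRF protection was enabled.
SAMPLE_EXTENSION_OLD = """<xsl:stylesheet version="2.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:param name="cheId"/>
  <xsl:template match="/">
    <che CHID="{$cheId}" action="B"/>
  </xsl:template>
</xsl:stylesheet>
"""


def csrf_enabled(config_xml: str) -> bool:
    """True only when csrfProtection/ENABLED is exactly "true".

    A missing component or setting means the documented default, false.
    The comparison is deliberately strict: the page documents only "true",
    so an audit should flag variants such as "TRUE" rather than accept them.
    """
    root = ET.fromstring(config_xml)
    setting = root.find("component[@name='csrfProtection']/setting[@name='ENABLED']")
    return setting is not None and setting.get("value", "").strip() == "true"


def enable_csrf(config_xml: str) -> str:
    """Return the config with csrfProtection/ENABLED set to true (idempotent)."""
    root = ET.fromstring(config_xml)
    comp = root.find("component[@name='csrfProtection']")
    if comp is None:
        comp = ET.SubElement(root, "component", name="csrfProtection")
    setting = comp.find("setting[@name='ENABLED']")
    if setting is None:
        setting = ET.SubElement(comp, "setting", name="ENABLED")
    setting.set("value", "true")
    ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def extension_problems(xslt_xml: str) -> list[str]:
    """List what a custom extension still lacks; empty means it passes the token."""
    root = ET.fromstring(xslt_xml)
    problems = []
    if not any(p.get("name") == "csrfToken" for p in root.findall(XSL_PARAM)):
        problems.append('no top-level <xsl:param name="csrfToken"/> in the header')
    for che in root.iter("che"):
        if che.get("csrfToken") != TOKEN_AVT:
            problems.append(f"<che CHID={che.get('CHID')!r}> does not set csrfToken={TOKEN_AVT!r}")
    return problems


def add_token_to_extension(xslt_xml: str) -> str:
    """Apply both edits: declare the csrfToken param and pass it on every che tag."""
    ET.register_namespace("xsl", XSL_NS)  # keep the xsl: prefix when serialising
    root = ET.fromstring(xslt_xml)
    if not any(p.get("name") == "csrfToken" for p in root.findall(XSL_PARAM)):
        root.insert(0, ET.Element(XSL_PARAM, name="csrfToken", required="no"))
    for che in root.iter("che"):
        che.set("csrfToken", TOKEN_AVT)
    ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python csrf_audit.py ecn4_settings_prod.xml [extension.xsl ...]
    # Reports only; with no arguments it runs against the constructed samples.
    if len(sys.argv) < 2:
        print("config enabled:", csrf_enabled(SAMPLE_CONFIG_DISABLED))
        print("extension problems:", extension_problems(SAMPLE_EXTENSION_OLD))
    else:
        config, *extensions = sys.argv[1:]
        print(config, "csrf enabled:", csrf_enabled(Path(config).read_text(encoding="utf-8")))
        for ext in extensions:
            for problem in extension_problems(Path(ext).read_text(encoding="utf-8")):
                print(f"{ext}: {problem}")
```

Run it against each copy of ecn4_settings_prod.xml before and after the change, and against every custom extension before restarting the ECN4 service; an extension that still reports problems will start failing with the CSRF token violation error as soon as protection is on. The patch functions return new text rather than writing files, so review the result (or diff it against the original) before replacing a production configuration.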