Is a CSRF attack possible for an intranet site?
I just downloaded Alfresco and I'm trying a few things on my own. After so much reading I managed to hide the 8080 URL from the site using Apache as a proxy server for Tomcat.
Today I faced an issue: I am able to see the login page, but I can't get past the login page.
After looking at the log file I came to know that the CSRF filter is causing the issue. I went to my configuration page, removed the CSRF filter, and now it is working.
Is the CSRF filter required for an intranet site?
Is it possible that someone from the internet can perform an XSRF attack on my application?
Even if you trust every person in your LAN and the server is only reachable from the LAN, you still need to secure it against CSRF.
Consider a user who visits an evil website. That website can now trigger requests with the user's IP and cookies, enabling CSRF attacks against your webserver if it has such vulnerabilities.
But "CSRF filter" sounds a bit weird. The standard CSRF prevention is to send a token (and verify it on the server) with every request that can cause a side effect. It's important to put the token in a place that doesn't get filled in implicitly by the browser. POST data or custom HTTP headers are fine; cookies and IP are not.
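The scenario this answer describes, as an added example that is not part of the original thread and not Alfresco's own filter code: a simulated server-side CSRF check that accepts the token only from a custom header or the POST body, run against a legitimate request and against the request a victim's browser would send after loading an evil page. The hostname, path, cookie and header names, and the LAN address check are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed for this example: a per-deployment secret and an in-memory
# session table standing in for the servlet container's session store.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# What the evil website serves (hypothetical host and path). The victim's
# browser submits this form with the intranet cookie attached, from the
# victim's own LAN address; the intranet site never gets a say in it.
EVIL_PAGE = """
<form id="f" action="http://intranet.example/app/api/sites" method="POST">
  <input type="hidden" name="shortName" value="pwned">
</form>
<script>document.getElementById("f").submit();</script>
"""


@dataclass
class Request:
    method: str
    path: str
    remote_addr: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def create_session(user):
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = user
    return sid


def issue_csrf_token(session_id):
    # Token bound to the session via HMAC; embedded in the app's own pages,
    # which a page on another origin cannot read.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_filter(req):
    """Allow a state-changing request only if a valid token arrives in a
    custom header or in the POST body: places the browser does not fill in
    implicitly. Cookies and the source IP are deliberately not consulted."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    sid = req.cookies.get("JSESSIONID")
    if sid not in SESSIONS:
        return False, "no session"
    supplied = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token")
    if supplied is None:
        return False, "missing token"
    if not hmac.compare_digest(supplied, issue_csrf_token(sid)):
        return False, "bad token"
    return True, "ok"


def lan_only_check(req):
    # The tempting shortcut: trust requests from LAN addresses. It passes the
    # forged request, because that request comes from the victim's LAN machine.
    return req.remote_addr.startswith("10.")


def demo():
    sid = create_session("alice")
    token = issue_csrf_token(sid)
    # Legitimate POST from the app's own page: cookie added by the browser,
    # token added by the app's JavaScript.
    legit = Request("POST", "/app/api/sites", "10.0.0.42",
                    cookies={"JSESSIONID": sid},
                    headers={"X-CSRF-Token": token},
                    form={"shortName": "new-site"})
    # The same POST as the browser sends it after loading EVIL_PAGE: cookie
    # and LAN address are present, the token is not.
    forged = Request("POST", "/app/api/sites", "10.0.0.42",
                     cookies={"JSESSIONID": sid},
                     form={"shortName": "pwned"})
    # An attacker who guesses a token still fails the HMAC check.
    guessed = Request("POST", "/app/api/sites", "10.0.0.42",
                      cookies={"JSESSIONID": sid},
                      form={"shortName": "pwned", "csrf_token": "0" * 64})
    return {
        "legit": csrf_filter(legit),
        "forged": csrf_filter(forged),
        "guessed": csrf_filter(guessed),
        "forged_passes_lan_check": lan_only_check(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged request is indistinguishable from a legitimate one by cookie and source address, which is why the LAN-only check lets it through; only the token, which the evil origin cannot obtain, separates the two.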
Yes. It's possible that someone in your intranet is performing such an attack, even though it's not as likely as on the (wild-wild-wild) internet.
On the other hand, you must have something wrong in your configuration. The CSRF filter of Alfresco (or Alfresco itself, or the Tomcat container level) needs some configuration parameter to make the CSRF filter work behind a proxy. Check the docs again.
Just a guess: maybe you don't work correctly with X-Forwarded-For HTTP headers?