CSRF vulnerability in Hippo CMS application
Issue date: 12-04-2016
Affects versions: 10.2, 10.1, 10.0, 7.9, 7.8
Issue id: SECURITY-20
Through an external security report and subsequent further investigation by Hippo we discovered a security vulnerability within our Hippo CMS application.
It is important to mention that this vulnerability does not concern the delivery tier, e.g. websites managed and rendered through Hippo. The issue only applies to the CMS authoring web application, and requires a logged-in CMS user to exploit.
Hippo has implemented a fix for this vulnerability for all supported versions and provides new releases of the hippo-cms module to be able to upgrade your implementation of Hippo.
Hippo advises all customers to apply this fix by upgrading; detailed instructions are described further below.
The fixed vulnerability:
The fix has been implemented in the Hippo CMS module through internal code changes only, and only requires updating the <hippo.cms.version> property in the <properties> section of the Hippo project root pom.xml.
Besides upgrading to the latest minor release (Hippo CMS 10.2.1, 10.1.3, 7.9.12, or 7.8.13), the fix also requires a configuration change if you
- Access the CMS instance over https
- Have a proxy offloading SSL in front of the CMS container
In this case, the proxy that does the SSL offloading (haproxy, httpd, nginx, etc.) must set the X-Forwarded-Proto header to https. In httpd, this is for example achieved by including:
RequestHeader set X-Forwarded-Proto https
in the virtual host configuration; see "configure apache httpd as reverse proxy for hippo". How to achieve this for haproxy, nginx or another proxy can be found online. If you do not set the X-Forwarded-Proto header, the CMS login over https will return:
http status code 400 - origin does not correspond to request
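The following is an added illustration, not Hippo's own code, of the kind of Origin check behind the 400 above and of why X-Forwarded-Proto is needed when a proxy terminates TLS: the container sees a plain-http connection, so the browser's https Origin only matches once the proxy tells the CMS the real scheme. The comparison rules (default ports, a missing Origin being rejected) and the host names are assumptions.

```python
# Added illustration (not Hippo's code): an Origin check of the kind the advisory
# describes, and why it needs X-Forwarded-Proto behind a TLS-offloading proxy.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Normalise an Origin header value to (scheme, host, port)."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def effective_origin(request_scheme, host_header, forwarded_proto=None):
    """Origin the browser actually used for this request.

    request_scheme is the scheme of the connection the CMS container saw
    (plain http when a proxy offloads TLS). X-Forwarded-Proto, when the
    proxy sets it, overrides that so the comparison is made against https.
    Assumption: the container is reachable only through the proxy, so the
    header cannot be spoofed by a client; otherwise it must not be trusted.
    """
    scheme = (forwarded_proto or request_scheme).lower()
    host, _, port = host_header.partition(":")
    return (scheme, host.lower(), int(port) if port else DEFAULT_PORTS.get(scheme))


def check_login_request(headers, request_scheme):
    """Return (status, reason) for a CMS login request (assumed check)."""
    origin = headers.get("Origin")
    if origin is None:
        return 400, "origin header missing"  # assumption: Origin is mandatory here
    expected = effective_origin(request_scheme, headers["Host"], headers.get("X-Forwarded-Proto"))
    if parse_origin(origin) != expected:
        return 400, "origin does not correspond to request"
    return 200, "ok"


# Constructed sample requests for a CMS container behind a TLS-offloading proxy
# (the proxy forwards over plain http, so request_scheme is "http").
OFFLOADED_NO_HEADER = {"Host": "cms.example.com", "Origin": "https://cms.example.com"}
OFFLOADED_WITH_HEADER = dict(OFFLOADED_NO_HEADER, **{"X-Forwarded-Proto": "https"})
CROSS_SITE = dict(OFFLOADED_WITH_HEADER, Origin="https://other.example")

if __name__ == "__main__":
    print(check_login_request(OFFLOADED_NO_HEADER, "http"))    # (400, 'origin does not correspond to request')
    print(check_login_request(OFFLOADED_WITH_HEADER, "http"))  # (200, 'ok')
    print(check_login_request(CROSS_SITE, "http"))             # (400, 'origin does not correspond to request')
```

The first case is the misconfiguration the advisory warns about: a legitimate https login rejected only because the proxy did not pass the scheme on; the third shows the forged cross-site request the check is there to stop.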
This vulnerability was discovered and reported by the nccgroup (http://www.nccgroup.trust).