After applying the latest CU to 9.1SP1 or upgrading to 9.1 SP2, users can encounter a 403 Forbidden: Access is Denied error in various areas throughout the product.
The issue is caused by a fix implemented in an earlier 9.1SP1 CU and 9.1 SP2. This fix implemented a security module for CSRF protection.
There are now two versions of this module. Please see the sections below to determine which file you should modify for your version.
Please make note of any customizations you make to this file, as the changes will be wiped out when applying CUs or upgrading in the future.
9.1 SP2 CU 3 and up
- 23232 - New support for custom security module whitelist.
To better support custom entries to the security module, a new whitelist configuration file was added to the site root for any additions you may need specific to your configuration. Examples of how to add to the whitelist entries are included as comments within the configuration file.
File: [site root]/ektron.cms.security.whitelist.config
9.1 SP1 CUs - 9.1 SP2 CU 2
Found in Ektron release notes:
- 17917 - A security issue involving malicious content modification was addressed. See the following details about the CSRF Vulnerability.
Important! CSRF Vulnerability
A CSRF vulnerability was found whereby a malicious user could craft a request which could be potentially executed by tricking an authenticated CMS user into carrying out the request. An attacker may formulate this request in the form of a hyperlink, image load, or XMLHttpRequest.
A security module to protect against such attacks has been implemented. This module validates that all requests to CMS URLs have been initiated from a trusted source. You may add URLs that should not be validated to a whitelist to allow for automated non-localhost access to those URLs. This change includes 1 new module and a reference to it within the site web.config file. You may add a whitelist of non-protected URLs to the file: [site]\App_Code\CSCode\HttpModules\SecurityModule.cs. To update this whitelist, open SecurityModule.cs and add to the whitelist as follows:
public static List<string> whitelist = new List<string> { "login.aspx", "services", "webservices", "downloadasset.aspx", "workarea.aspx" };
You can add individual files and Workarea folders to the whitelist.
To resolve the issue, modify the SecurityModule.cs file. This will cause the site to recompile.
- Navigate to site\App_Code\CSCode\HttpModules and open the SecurityModule.cs file.
- Find the following entry in the code:
public static List<string> whitelist = new List<string>
{
"login.aspx", "services", "webservices", "downloadasset.aspx", "workarea.aspx", "contentdesigner", "editarea.aspx"
};
- Add the template that is throwing the 403 error to the whitelisted files. For example, in the picture above, the devicepreview.aspx template is throwing the error.
- It should now read as follows (this code is specific to devicepreview; you may need to add a different file to the whitelist):
public static List<string> whitelist = new List<string>
{
"login.aspx", "services", "webservices", "downloadasset.aspx", "workarea.aspx", "contentdesigner", "editarea.aspx", "devicepreview.aspx"
};
- Retest the behavior.
Note: If the file resides in a folder other than the Workarea, you need to add the folder path to the file in the whitelist. For example, "testfolder/testfile.aspx". Also, the entries must be in all lower case letters.
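As an added illustration (not Ektron's SecurityModule code), the following self-contained C# model shows how a whitelist of this shape can exempt requests from the trusted-source check and why the lower-case and folder-path rules in the note above matter. The matching rules, the localhost/Referer trust check and the WhitelistModel, IsWhitelisted and ShouldAllow names are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
// Added model of a whitelist-exempted CSRF check (assumption: not Ektron's SecurityModule code).
public static class WhitelistModel
{
    // Same shape as the whitelist edited in the article, with devicepreview.aspx added.
    public static List<string> whitelist = new List<string>
    {
        "login.aspx", "services", "webservices", "downloadasset.aspx",
        "workarea.aspx", "contentdesigner", "editarea.aspx", "devicepreview.aspx"
    };
    // Assumed matching rules: the request path is lower-cased, so entries must be lower case;
    // a bare name matches a file or folder directly under Workarea; an entry with a slash
    // (e.g. "testfolder/testfile.aspx") must equal the site-relative path.
    public static bool IsWhitelisted(string sitePath)
    {
        string path = sitePath.TrimStart('/').ToLowerInvariant();
        foreach (string entry in whitelist)
        {
            if (entry.Contains("/"))
            {
                if (path == entry) return true;
            }
            else if (path == "workarea/" + entry || path.StartsWith("workarea/" + entry + "/"))
            {
                return true;
            }
        }
        return false;
    }

    // Assumed trust check: a whitelisted path is always allowed; anything else must come
    // from localhost or carry a Referer whose host is the site's own host, otherwise 403.
    public static bool ShouldAllow(string sitePath, string referer, string siteHost, bool isLocal)
    {
        if (IsWhitelisted(sitePath) || isLocal) return true;
        Uri r;
        if (!Uri.TryCreate(referer, UriKind.Absolute, out r)) return false;
        return string.Equals(r.Host, siteHost, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        Console.WriteLine(IsWhitelisted("/Workarea/DevicePreview.aspx"));   // True: file entry
        Console.WriteLine(IsWhitelisted("/Workarea/services/Foo.asmx"));    // True: folder entry
        Console.WriteLine(IsWhitelisted("/testfolder/testfile.aspx"));      // False until "testfolder/testfile.aspx" is added
        Console.WriteLine(ShouldAllow("/Workarea/edit.aspx", "http://other.example/x", "cms.example", false)); // False: foreign Referer
    }
}
```

Because only the request path is lower-cased, an entry typed as "DevicePreview.aspx" would never match, which is the reason the note requires lower-case entries.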