Files added to the Activities, Blogs, Wikis, Forums, or
Files applications could potentially contain malicious code that can
exploit the cross-site scripting vulnerabilities of some browsers.
You can add rewrite rules to the IBM® HTTP
Server configuration file to force any downloaded files to be recognized
by the web browser as content that is independent from the application
from which it was downloaded, and treat it accordingly.
Before you begin
Most web browsers have security applications that prevent
scripts which originate from one domain from accessing information
in a browser session in another domain. This security application
is loosely called the same origin policy. A domain is
made up of a protocol (such as HTTP) and the domain (host name) that
the page is loaded from. You can implement the following procedure
to force files downloaded from Activities, Blogs, Files, or Forums
to be identified as coming from a different domain than the application's
web browser session. Note: When Siteminder is configured, the cookie
domain is determined by the Siteminder CookieDomain configuration,
which defines a single, fixed domain in IBM HTTP
Server. This means without additional effort, downloads must share
single sign-on with the application if Siteminder is used. See Mitigating
a cross site scripting attack for more information about this
risk.
Procedure
- Register a new DNS domain alias for downloads from the
Activities, Blogs, or Files sites, which points to the Activities,
Blogs, Files, or Forums domain respectively. For example, if your
server domain name for Activities is
activities.example.com,
you could name the alias activities-downloads.example.com and
have it point to the same IP address as activities.example.com does.
- You might need a secondary certificate for the download
domain. If so, get the certificate and configure it for use through
the virtual host options. See the IBM HTTP
Server documentation for more information.
- Open the httpd.conf file, which is
the configuration file for IBM HTTP
Server, in a text editor. By default, the file is stored in the following
directory:
- AIX®: /usr/IBM/HTTPServer/conf
- Linux®: /opt/IBM/HTTPServer/conf
- Microsoft® Windows®:
C:\IBM\HTTPServer\conf
- Enable the rewrite module. If the following line of text
is commented out, uncomment it. If the statement is not present, add
it.
LoadModule rewrite_module modules/mod_rewrite.so
-
Edit the configuration to indicate that the download domain allows download and login actions
only and forbids all other actions. To do so, add the following block of text to the non-encrypted
connection, virtual host section of the configuration file:
- Activities:
RewriteEngine On
RewriteCond %{SERVER_NAME} !activities-downloads.example.com$ [NC]
RewriteCond $1 !.*activitiesExtendedDescription.*$ [NC]
RewriteRule ^/activities/service/download/(.+)$ http://activities-downloads.example.com/activities/service/download/$1 [L]
RewriteCond %{SERVER_NAME} ^activities-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/activities/auth/j_security_check$
RewriteRule .* - [F]
RewriteCond %{SERVER_NAME} ^activities-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/activities/auth/login.jsp$
RewriteCond %{REQUEST_URI} !^/activities/auth/j_security_check$
RewriteCond %{REQUEST_URI} !^/activities/nav/.+$
RewriteCond %{REQUEST_URI} !^/activities/bundles/.+$
RewriteCond %{REQUEST_URI} !^/activities/styles/.+$
RewriteCond %{REQUEST_URI} !^/activities/javascript/.+$
RewriteRule !^/activities/service/download/(.+)$ - [F]
- Blogs:
RewriteEngine On
RewriteCond %{SERVER_NAME} !^blogs-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
RewriteRule ^/blogs/(.+)/resource(/.+)?$ http://blogs-downloads.example.com/
blogs/$1/resource$2 [L]
RewriteCond %{SERVER_NAME} ^blogs-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/blogs/j_security_check$
RewriteRule .* - [F]
RewriteCond %{SERVER_NAME} ^blogs-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/login.do$
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/login-redirect.jsp$
RewriteCond %{REQUEST_URI} !^/blogs/j_security_check$
RewriteCond %{REQUEST_URI} !^/blogs/bundles/css/.+$
RewriteCond %{REQUEST_URI} !^/blogs/nav/.+$
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/images/.+$
RewriteCond %{REQUEST_URI} !^/blogs/.+/resource(/.+)?$
RewriteRule .* - [F]
- Files:
For Files:
RewriteEngine On
RewriteCond %{SERVER_NAME} !^files-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
RewriteRule ^/files(/.*)?/(document|draft|attachment|version)/([^/]*)/media(/[^/]*/*)?$ http://files-downloads.example.com/files$1/$2/$3/media$4 [L]
# If SSL is enabled for the component, remove the commenting from the
# following lines to redirect the login.
# RewriteCond %{SERVER_NAME} ^files-downloads.example.com$ [NC]
# RewriteRule ^/files/login$ https://files-downloads.example.com/files/login [L]
RewriteCond %{SERVER_NAME} ^files-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/files/j_security_check$
RewriteRule .* - [F]
RewriteCond %{SERVER_NAME} ^files-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/files/login$
RewriteCond %{REQUEST_URI} !^/files/j_security_check$
RewriteCond %{REQUEST_URI} !^/files/images/.+$
RewriteCond %{REQUEST_URI} !^/files/nav/.+$
RewriteCond %{REQUEST_URI} !^/files/js/.+$
RewriteCond %{REQUEST_URI} !^/files(/.*)?/(document|draft|attachment|version)/([^/]*)/media(/[^/]*/*)?$
# If the IHS fast file serving module (mod_ibm_local_redirect.so) is enabled,
# then you need to add access on the download domain for the alias you added
# when configuring the module by replacing <FILES_CONTENT_DIR> with this value
# and uncommenting the following rule.
# See Configuring Files and Wikis downloading for production deployments
# RewriteCond %{REQUEST_URI} !^/<FILES_CONTENT_DIR>/.+$
RewriteRule .* - [F]
- Forums:
RewriteEngine On
RewriteCond %{SERVER_NAME} !forums-downloads.example.com$ [NC]
RewriteCond $1 !.*forumsExtendedDescription.*$ [NC]
RewriteRule ^/forums/service/download/(.+)$ http://forums-downloads.example.com/forums/service/download/$1 [L]
RewriteCond %{SERVER_NAME} ^forums-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/forums/auth/j_security_check$
RewriteRule .* - [F]
RewriteCond %{SERVER_NAME} ^forums-downloads.example.com$ [NC]
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
RewriteCond %{REQUEST_URI} !^/forums/auth/login.jsp$
RewriteCond %{REQUEST_URI} !^/forums/auth/j_security_check$
RewriteCond %{REQUEST_URI} !^/forums/nav/.+$
RewriteCond %{REQUEST_URI} !^/forums/bundles/.+$
RewriteCond %{REQUEST_URI} !^/forums/styles/.+$
RewriteCond %{REQUEST_URI} !^/forums/javascript/.+$
RewriteRule !^/forums/service/download/(.+)$ - [F]
-
Note: If you are cutting and pasting these statements into the configuration file, be advised that
we have added hard returns to long statements to enable them to be displayed on the web page. Be
sure to remove the hard-coded returns from long statements, such as URLs, after you paste them into
the configuration file.
Replace references to .example.com with the alias that you created for the download domain for
files downloaded from the application.
-
If you are sending encrypted connection traffic, add the same set of statements to the
encrypted connection (SSL) virtual host section of the configuration file, but update all web
address references to indicate HTTPS instead of HTTP.
Note: There are a few statements in the snippets for Files that must be either included or commented
out depending on whether or not a encrypted connection is enabled.
- Add the rule in the previous step to any virtual host sections
of the configuration file.
- Save and close the configuration file.