  1. Alfresco One Platform
  2. ACE-2750

Remove alfresco.com remote endpoint - clients should not expose 3rd party web through their install.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.1, 4.2.c Community
    • Fix Version/s: 5.0
    • Component/s: Web Scripts and Surf
    • Labels:
      None

      Description

      There are some default remote endpoints declared in the Surf library.
      This exposes the alfresco.com website through unauthenticated access.

      Example
      http://loftux.com/demo/proxy/alfresco.com
      http://loftux.com/demo/proxy/alfresco-network <- This one is also exposed, but redirects when called to a page not likely available on that Tomcat server.

      These declared remote endpoints should be removed from a default Alfresco install. I'm not sure this is a security issue, but most likely most Alfresco administrators are unaware of alfresco.com being exposed through their /share web.
      Better to be safe than sorry here: remove them or declare them <identity>admin</identity>.
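
An added example, not part of the original report or Alfresco's own code: a Python audit that lists the endpoints in a Surf remote configuration that point at a host outside a trusted list without requiring a user identity. The XML sample is constructed; its element layout, the `example-feed` endpoint, the `trusted_hosts` parameter and the treatment of a missing `<identity>` as `none` are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample; the <remote>/<endpoint> layout is an assumption, not from the page.
SAMPLE_CONFIG = """
<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <endpoint>
        <id>alfresco.com</id>
        <endpoint-url>http://www.alfresco.com</endpoint-url>
        <identity>none</identity>
      </endpoint>
      <endpoint>
        <id>alfresco</id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <identity>user</identity>
      </endpoint>
      <endpoint>
        <id>example-feed</id>
        <endpoint-url>https://feeds.example.org/news</endpoint-url>
      </endpoint>
    </remote>
  </config>
</alfresco-config>
"""

def audit_endpoints(xml_text, trusted_hosts=("localhost", "127.0.0.1")):
    """Return (id, url, reason) for endpoints that need no user identity
    and whose target host is outside trusted_hosts."""
    findings = []
    root = ET.fromstring(xml_text)
    for ep in root.iter("endpoint"):
        ep_id = (ep.findtext("id") or "").strip()
        url = (ep.findtext("endpoint-url") or "").strip()
        identity = (ep.findtext("identity") or "").strip().lower()
        host = (urlparse(url).hostname or "").lower()
        if host in trusted_hosts:
            continue  # endpoint stays inside the deployment
        # Assumption: an absent <identity> behaves like "none".
        if identity in ("", "none"):
            reason = "identity none" if identity else "identity missing"
            findings.append((ep_id, url, reason))
    return findings

if __name__ == "__main__":
    for ep_id, url, reason in audit_endpoints(SAMPLE_CONFIG):
        print(f"{ep_id}: {url} ({reason}); check /proxy/{ep_id}")
```
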

            People

            • Assignee:
              closedissues Closed Issues
              Reporter:
              kroast Kevin Roast [X] (Inactive)