Cross-domain and Client Access policies


Question




Hi All,

Recently we conducted Pen testing on our Skype server and it is showing the following vulnerability:

http-cross-domain-policy: 

   VULNERABLE:
   Cross-domain and Client Access policies.
   State: VULNERABLE
   A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.

     Check results:
       /clientaccesspolicy.xml:
         <?xml version="1.0" encoding="utf-8" ?> 
         <access-policy>
           <cross-domain-access>
             <policy>
               <allow-from http-request-headers="*">        
                 <domain uri="https://server.DOMAIN.com.au"/>        
                 <domain uri="https://meeting.DOMAIN.com" />                
               </allow-from>
               <grant-to>
                 <resource path="/" include-subpaths="true"/> 
               </grant-to>
             </policy>
             <policy>
               <allow-from http-request-headers="*">
                 <domain uri="*" />
               </allow-from>
               <grant-to>
                 <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" /> 
               </grant-to>
             </policy>
           </cross-domain-access>
         </access-policy>
		 
  Extra information:
  Trusted domains:DOMAIN.com.au, DOMAIN.com, *

I have been searching high and low; however, I have not been able to work out how to plug this hole.

What i have learnt is that the clientaccesspolicy.xml needs to be updated from:

<domain uri="*" />

to explicitly specify a domain and/or domain(s).

Searching our Skype server, I cannot find the clientaccesspolicy.xml. I attempted to create one and placed it under the wwwroot; however, this does not appear to have done anything.

NOTE: I restarted the server after making the change.

  1. Does anyone know how to fix this?
  2. Am I missing something? Should the clientaccesspolicy.xml be located somewhere? If so, where?
  3. If I do need to create and save the clientaccesspolicy.xml, can anyone please tell me the correct .xml syntax and where it should be saved?

Thanks in advance.
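The wildcard in the scan result above is easy to spot by eye, but the same check can be run over any clientaccesspolicy.xml before a scanner does. This is an added example, not the poster's or Microsoft's code: a small Python audit that parses the policy and reports every `<policy>` whose `<allow-from>` contains a wildcard domain, together with the resources that policy grants. The embedded policy is copied from the scan output in the post (the DOMAIN placeholders are the poster's).

```python
import xml.etree.ElementTree as ET

# Sample policy, copied from the scanner output quoted in the post above.
POLICY_XML = """<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="https://server.DOMAIN.com.au"/>
        <domain uri="https://meeting.DOMAIN.com"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def audit_client_access_policy(xml_text):
    """Return one finding per <policy> whose <allow-from> lists a domain
    containing a wildcard ("*" alone, or a "*."-style host pattern).
    Each finding records the offending domain entries, whether any request
    header is accepted, and the (path, include-subpaths) resources granted."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        grant = policy.find("grant-to")
        if allow is None or grant is None:
            continue  # malformed policy block: nothing is granted by it
        wild = [d.get("uri", "") for d in allow.findall("domain")
                if "*" in d.get("uri", "")]
        if not wild:
            continue
        findings.append({
            "domains": wild,
            "any_headers": allow.get("http-request-headers") == "*",
            "resources": [(r.get("path"), r.get("include-subpaths") == "true")
                          for r in grant.findall("resource")],
        })
    return findings
```

A clean file returns an empty list; here the second policy is reported because it trusts every origin for the autodiscover service and its subpaths.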

Solution

Hi JustdaveIT,

According to the error message, your problem is caused by the cross-domain access for your Skype Server. It suggests you configure your server to allow cross-domain access with a cross-domain policy file. And the clientaccesspolicy.xml is only used in Silverlight applications. So if your project is not a Silverlight project, you could not use clientaccesspolicy.xml.

If you want to manage the access policy for your Skype server, please refer to the following document. Hope that could help you.

https://technet.microsoft.com/en-us/library/gg520995(v=ocs.15).aspx

Best Regards,
Weiwei

