Hi All,
Recently we conducted Pen testing on our Skype server and it is showing the following vulnerability:
http-cross-domain-policy:
  VULNERABLE:
  Cross-domain and Client Access policies.
    State: VULNERABLE
      A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. use to access data across different domains. A client access policy file is similar to cross-domain policy but is used for M$ Silverlight applications. Overly permissive configurations enable Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.
    Check results:
      /clientaccesspolicy.xml:
        <?xml version="1.0" encoding="utf-8" ?>
        <access-policy>
          <cross-domain-access>
            <policy>
              <allow-from http-request-headers="*">
                <domain uri="https://server.DOMAIN.com.au"/>
                <domain uri="https://meeting.DOMAIN.com" />
              </allow-from>
              <grant-to>
                <resource path="/" include-subpaths="true"/>
              </grant-to>
            </policy>
            <policy>
              <allow-from http-request-headers="*">
                <domain uri="*" />
              </allow-from>
              <grant-to>
                <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" />
              </grant-to>
            </policy>
          </cross-domain-access>
        </access-policy>
    Extra information:
      Trusted domains: DOMAIN.com.au, DOMAIN.com, *
I have been searching high and low; however, I have not been able to work out how to plug this hole.
What i have learnt is that the clientaccesspolicy.xml needs to be updated from:
<domain uri="*" />
to explicitly specify a domain and/or domain(s).
Searching our Skype server, I cannot find the clientaccesspolicy.xml. I attempted to create one and placed it under the wwwroot; however, this does not appear to have done anything.
NOTE: I restarted the server after making the change.
- Does anyone know how to fix this?
- Am I missing something? Should the clientaccesspolicy.xml be located somewhere? If so, where?
- If I do need to create and save the clientaccesspolicy.xml, can anyone please tell me the correct .xml syntax and where it should be saved?
Thanks in advance.
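The following is an added example, not code from the post or from Microsoft: a small audit script that parses a clientaccesspolicy.xml the way the scanner above reads it, lists which origins each <policy> lets call which paths, and flags any policy whose <domain uri> is a wildcard. It uses the scan result quoted above as a constructed sample (the DOMAIN.com placeholders are the post's, not real hosts) and shows the same file with the wildcard entry replaced by explicit origins, so the check can be re-run against whatever file the server actually serves at /clientaccesspolicy.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy returned by the scan in the post above.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8" ?>
<access-policy><cross-domain-access>
<policy><allow-from http-request-headers="*">
<domain uri="https://server.DOMAIN.com.au"/>
<domain uri="https://meeting.DOMAIN.com"/>
</allow-from><grant-to><resource path="/" include-subpaths="true"/></grant-to></policy>
<policy><allow-from http-request-headers="*"><domain uri="*"/></allow-from>
<grant-to><resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true"/></grant-to></policy>
</cross-domain-access></access-policy>"""

# Constructed hardened variant: the autodiscover policy now names the same
# explicit origins as the first policy instead of "*".
HARDENED_POLICY = SAMPLE_POLICY.replace(
    '<domain uri="*"/>',
    '<domain uri="https://server.DOMAIN.com.au"/><domain uri="https://meeting.DOMAIN.com"/>',
)


def _is_wildcard_origin(uri):
    """Silverlight treats "*", "http://*" and "https://*" as any origin."""
    uri = uri.strip()
    return uri == "*" or uri in ("http://*", "https://*")


def audit_client_access_policy(xml_text):
    """Return one finding per <policy>: allowed origins, granted paths,
    the permitted request headers, and whether the origin list is a wildcard."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        domains = [d.get("uri", "") for d in policy.iter("domain")]
        paths = [r.get("path", "") for r in policy.iter("resource")]
        allow_from = policy.find("allow-from")
        headers = allow_from.get("http-request-headers", "") if allow_from is not None else ""
        findings.append({
            "domains": domains,
            "paths": paths,
            "headers": headers,
            "wildcard_origin": any(_is_wildcard_origin(u) for u in domains),
        })
    return findings


def is_vulnerable(xml_text):
    """True if any policy grants a resource path to a wildcard origin."""
    return any(f["wildcard_origin"] for f in audit_client_access_policy(xml_text))


if __name__ == "__main__":
    for name, text in (("as scanned", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        for f in audit_client_access_policy(text):
            flag = "WILDCARD" if f["wildcard_origin"] else "ok"
            print(f"{name}: {flag}: origins={f['domains']} paths={f['paths']}")
```

Whether the autodiscover wildcard can be narrowed without breaking your clients is something to validate against the clients that actually call that service; the script only reports what the file grants.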