[Xymon] Problems with Content Security Policy in Safari, Chrome, and IE

Hansen, Rene H rhansen21 at dxc.com
Wed Mar 21 13:18:30 CET 2018


Hello John



Please let me know if I should send this to the mailing list. This is my first call for help.



I'm having trouble with enadis. I'm not sure if it's completely the same as you describe here but it looks similar.



We have installed xymon-4.3.28-1.el7.x86_64.rpm (terabithia.org). If I need to play with changing cgi.c and recompiling, will make install reinstall without the need for further changes?



When we try to run enadis from either info or from the Enable/disable menu, we get the following error in xymon-error.log:

[Tue Mar 20 16:54:05.786245 2018] [cgi:error] [pid 9121] [client 172.28.56.243:60696] AH01215: 2018-03-20 16:54:05.786123 Enadis POST that is not coming from self or svcstatus (referer=https://xxxyyy.dk/xymon-seccgi/enadis.sh). Ignoring., referer: https:// xxxyyy.dk/xymon-seccgi/enadis.sh



I have tried to set XYMON_NOCSPHEADER="true" in either xymonserver.cfg or /etc/xymon/cgioptions.cfg, but it doesn't seem to make a difference.



We have an httpd proxy in front where I had CSP configured, but I have tried to comment it out and still get the same error.

I have tested with Firefox 59.0 and Chrome (64.0.3282.186), where JavaScript doesn't work with the "Enable/disable menu", and with Internet Explorer (11.0.51).



(If I want to test directly without the httpd proxy, I only have Internet Explorer v8.)



(httpd/proxy)

        #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
        #Header always set X-Frame-Options "SAMEORIGIN"
        #Header always set X-Content-Type-Options "nosniff"
        #Header always unset Content-Security-Policy
        #Header always set Content-Security-Policy "xdwsscript-src 'self'"
        #Header always set X-XSS-Protection "1; mode=block"
        #Header always set Referrer-Policy "no-referrer"
        #Header unset Server
        #Header set X-Frame-Options "DENY"

        SSLProxyEngine on
        #ProxyPreserveHost On
        ServerName  xxxyy.dk
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire on
        ProxyPass /xymon https://xxxyyy.dk:443/xymon
        ProxyPassReverse /xymon https://xxx.xxx.xxx.xxx:443/xymon

        ProxyPass /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi
        ProxyPassReverse /xymon-cgi https://xxx.xxx.xxx.xxx:443/xymon-cgi

        ProxyPass /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/
        ProxyPassReverse /xymon-seccgi/ https://xxx.xxx.xxx.xxx:443/xymon-seccgi/



RENÉ HOIELT HANSEN

Senior Prof. Middleware System Engineer (EA&I)

DXC Technology

Retortvej 8, DK - 2500 Valby, Denmark, I-1-356

Mobile: +45 2923 5807

Email: rhansen21 at dxc.com

Leave information in advance: Out of office, both days included



-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of John Thurston
Sent: 9. november 2017 20:26
To: xymon at xymon.com
Subject: Re: [Xymon] Problems with Content Security Policy in Safari, Chrome, and IE



On 11/8/2017 7:40 PM, Jonathan Trott wrote:

> Xymon 4.3.28-1.el7.terabithia with Safari 11 on High Sierra and Safari on iOS 11.
> Problem occurs on the trends page.
>
> https://xymon.domain.com.au/xymon-cgi/svcstatus.sh?HOST=host.com.au&SERVICE=trends
>
> If you click on any of the time based buttons, 48hrs for example, the requested page doesn't load.
> Safari on macOS looks like it's loading a page but doesn't get anywhere.



I'm able to duplicate this failure when building 4.3.28 from source on Solaris 10. It looks to me like the fix is to add "allow-same-origin" in lib/cgi.c to line 278:



> else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
>



How many other pages are broken in a similar manner? I'm not a big user of Google Chrome, so depend on my customers to report these breaks to me.



Each of the following pages gets a specific CSP:

> "enadis"
> "useradm"
> "chpasswd"
> "ackinfo"
> "acknowledge"
> "criticaleditor"
> "svcstatus-trends"
> "svcstatus-info"
> "svcstatus"
> "historylog"



svcstatus-info and -trends are special cases of the general purpose svcstatus case.



I've done spot-checks of these other pages with my copy of Chrome and they seem to behave correctly. Anyone else wanna check their browser/OS combinations and report back?



--

    Do things because you should, not just because you can.



John Thurston    907-465-8591

John.Thurston at alaska.gov<mailto:John.Thurston at alaska.gov>

Department of Administration

State of Alaska

_______________________________________________

Xymon mailing list

Xymon at xymon.com<mailto:Xymon at xymon.com>

http://lists.xymon.com/mailman/listinfo/xymon
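As an added example (not Xymon's code, and not part of either message above), the following parses a CSP header value and flags the condition behind the trends-page breakage John describes: a sandbox directive without allow-same-origin gives the document an opaque origin, so every 'self' source in the policy stops matching the page's own host. The "fixed" policy is the one quoted from lib/cgi.c; the "broken" one is assumed to be the same string with allow-same-origin removed.

```python
def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive-name: [value tokens]}.

    Directives are ';'-separated; the first whitespace-delimited token is
    the case-insensitive directive name, the remaining tokens its values.
    """
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        # Browsers honour only the first occurrence of a directive.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def sandbox_blocks_self(directives: dict) -> bool:
    """True when 'sandbox' is present without 'allow-same-origin'.

    Such a policy puts the document in an opaque origin, so 'self' in
    connect-src, form-action, script-src etc. can no longer match it.
    """
    if "sandbox" not in directives:
        return False
    flags = {f.lower() for f in directives["sandbox"]}
    return "allow-same-origin" not in flags


def self_dependent_directives(directives: dict) -> list:
    """Directives that rely on 'self' and therefore break under an opaque origin."""
    return sorted(name for name, values in directives.items()
                  if name != "sandbox" and "'self'" in values)


# Policy quoted from lib/cgi.c (fixed) and, as an assumed reconstruction,
# the pre-fix variant lacking allow-same-origin.
FIXED_TRENDS_CSP = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                    "form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;")
BROKEN_TRENDS_CSP = FIXED_TRENDS_CSP.replace(" allow-same-origin", "")

if __name__ == "__main__":
    for label, csp in (("broken", BROKEN_TRENDS_CSP), ("fixed", FIXED_TRENDS_CSP)):
        d = parse_csp(csp)
        print(label, "opaque origin:", sandbox_blocks_self(d),
              "affected:", self_dependent_directives(d))
```

Running the same check over the Content-Security-Policy header actually received by the browser (after any proxy rewriting) tells you whether the served policy, rather than the configured one, is the sandboxed variant.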


