CSRF validation error
Last modified on 12 August 2020 11:12 PM
PaperCut 17.3 introduced a security enhancement to improve the coverage of HTTP header origin checks, in line with OWASP recommendations. However, in some cases, attempting to log into the Admin or User web interface after upgrading to 17.3, sometimes produces a CSRF (Cross Site Request Forgery) validation error message. This was based on the way the PaperCut web server was configured to redirect users to new pages (i.e. the site’s proxy configuration and the way it was configured to handle host header overrides).
This has been resolved in PaperCut 17.3.4, only for sites using a standard proxy server configuration to redirect users to new pages (i.e. sites using the server.force-host-header in the server.properties file, to configure the proxy to override host headers).
However, this issue will continue to persist for sites using a non-standard reverse proxy server configuration to redirect users to new pages (i.e. sites using a proxy running in FRONT of PaperCut, to override host headers).
Depending on a site’s proxy configuration and the version of PaperCut being run, the following resolutions may apply:
Any site with any proxy server configuration, running PaperCut 17.3.0 or above:
Disable the CSRF security enhancement:
Note: When editing an existing setting, please remove the leading # character.
Sites with a non-standard reverse proxy server configuration, running PaperCut 17.3.0 or above:
(i.e. host headers are overridden by a proxy that is configured to run in FRONT of PaperCut)
Sites with a standard proxy server configuration (server.force-host-header) , running PaperCut 17.3.0–17.3.3:
Other known issues:
Requests to the PaperCut server will fail CSRF validation if the host name contains an underscore (“_”). This is due to a known JRE bug.