Cross-domain and Client Access policies

    Question

  • Hi All,

    Recently we conducted Pen testing on our Skype server and it is showing the following vulnerability:

    http-cross-domain-policy: 
    
       VULNERABLE:
       Cross-domain and Client Access policies.
       State: VULNERABLE
       A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.
    
         Check results:
           /clientaccesspolicy.xml:
             <?xml version="1.0" encoding="utf-8" ?> 
             <access-policy>
               <cross-domain-access>
                 <policy>
                   <allow-from http-request-headers="*">        
                     <domain uri="https://server.DOMAIN.com.au"/>        
                     <domain uri="https://meeting.DOMAIN.com" />                
                   </allow-from>
                   <grant-to>
                     <resource path="/" include-subpaths="true"/> 
                   </grant-to>
                 </policy>
                 <policy>
                   <allow-from http-request-headers="*">
                     <domain uri="*" />
                   </allow-from>
                   <grant-to>
                     <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" /> 
                   </grant-to>
                 </policy>
               </cross-domain-access>
             </access-policy>
    		 
      Extra information:
      Trusted domains:DOMAIN.com.au, DOMAIN.com, *

    I have been searching high and low; however, I have not been able to work out how to plug this hole.

    What I have learnt is that the clientaccesspolicy.xml needs to be updated from:

    <domain uri="*" />

    to explicitly specify a domain and/or domain(s).

    Searching our Skype server, I cannot find the clientaccesspolicy.xml. I attempted to create one and placed it under the wwwroot; however, this does not appear to have done anything.

    NOTE: I restarted the server after making the change.

    1. Does anyone know how to fix this?
    2. Am I missing something? Should the clientaccesspolicy.xml be located somewhere? If so, where?
    3. If I do need to create and save the clientaccesspolicy.xml, can anyone please tell me the correct .xml syntax and where it should be saved?

    Thanks in advance.

    Thursday, September 14, 2017 12:08 AM
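    The following is an added example, not code from the thread or from Microsoft. It does two things the question is about: it audits a clientaccesspolicy.xml the way the scanner finding above does (flagging any `<policy>` whose `<allow-from>` contains `<domain uri="*"/>`, together with the paths that policy grants), and it applies the fix the poster describes, replacing the wildcard with explicit origins. Only the Python 3 standard library is used. The sample policy is the one quoted in the scan output; the replacement origin `https://meeting.DOMAIN.com` is an assumption standing in for whichever origins actually need the autodiscover endpoint.

```python
"""Audit a Silverlight clientaccesspolicy.xml for wildcard origins and rewrite it.

Added example (not from the thread). Python 3 standard library only.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Policy exactly as reported by the scanner in the question (DOMAIN is the
# poster's own placeholder for their real domain).
REPORTED_POLICY = """<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="https://server.DOMAIN.com.au"/>
        <domain uri="https://meeting.DOMAIN.com" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


@dataclass
class Finding:
    """One over-permissive <policy> element."""
    reason: str
    domains: list       # every uri listed under <allow-from>
    paths: list         # every path listed under <grant-to>
    request_headers: str  # value of http-request-headers on <allow-from>


def audit_client_access_policy(xml_text: str) -> list:
    """Return a Finding for each <policy> that lets any origin ("*") in.

    Mirrors the scanner's check: the file is only a problem when a policy's
    <allow-from> contains <domain uri="*"/>. Each finding records which
    resource paths that wildcard policy grants, so the risk can be judged.
    """
    # Encode to bytes so the XML declaration's encoding attribute is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "access-policy":
        raise ValueError(f"not a client access policy (root is <{root.tag}>)")

    findings = []
    for policy in root.iter("policy"):
        allow_from = policy.find("allow-from")
        grant_to = policy.find("grant-to")
        if allow_from is None or grant_to is None:
            continue  # malformed policy element: nothing is granted by it
        domains = [d.get("uri", "") for d in allow_from.findall("domain")]
        paths = [r.get("path", "") for r in grant_to.findall("resource")]
        if "*" in domains:
            findings.append(Finding(
                reason="allow-from permits any origin (uri=\"*\")",
                domains=domains,
                paths=paths,
                request_headers=allow_from.get("http-request-headers", ""),
            ))
    return findings


def replace_wildcard_domains(xml_text: str, explicit_origins: list) -> str:
    """Rewrite the policy so every <domain uri="*"/> becomes explicit origins.

    This is the change the poster describes: keep the policy and its granted
    paths, but list the origins that really need access instead of "*".
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    for allow_from in root.iter("allow-from"):
        wildcards = [d for d in allow_from.findall("domain") if d.get("uri") == "*"]
        for wildcard in wildcards:
            allow_from.remove(wildcard)
        if wildcards:
            for origin in explicit_origins:
                ET.SubElement(allow_from, "domain", uri=origin)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_client_access_policy(REPORTED_POLICY):
        print(f"{f.reason}: grants {f.paths} to {f.domains}, headers={f.request_headers!r}")
    # Assumed replacement origin; use the origins your Silverlight clients are served from.
    fixed = replace_wildcard_domains(REPORTED_POLICY, ["https://meeting.DOMAIN.com"])
    print("findings after fix:", audit_client_access_policy(fixed))
```

    Run against the reported file, the audit reports exactly one policy: the wildcard one that grants `/autodiscover/autodiscoverservice.svc` (with sub-paths) to any origin; the first policy is not flagged because it already names its origins. After `replace_wildcard_domains` the audit is empty. Whether the rewritten file takes effect still depends on it being served from the web root the scanner fetched `/clientaccesspolicy.xml` from, which is the open question in this thread.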

All replies

  • Hi JustdaveIT,

    According to the error message, your problem is caused by the cross-domain access for your Skype Server, and it suggests you configure your server to allow cross-domain access with a cross-domain policy file. The clientaccesspolicy.xml is only used in Silverlight applications. So if your project is not a Silverlight project, you could not use clientaccesspolicy.xml.

    If you want to manage the access policy for your Skype server, please refer to the following document. Hope that could help you.

    https://technet.microsoft.com/en-us/library/gg520995(v=ocs.15).aspx

    Best Regards,
    Weiwei


    MSDN Community Support

    Thursday, September 14, 2017 5:12 AM
    Moderator