Mailing List CGatePro@mail.stalker.com Message #97129
From: Wayne Gamble <rfecgate@rfe.net>
Subject: Re: CrossDomain.xml
Date: Mon, 26 Jan 2009 11:07:18 -0600
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.930.3)
AFAIK your server will not pass a PCI security scan as long as your crossdomain.xml file allows full access from all domains:

<cross-domain-policy>
        <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

After upgrading to 5.2.12 I modified the file to restrict access to only users in my domain and restored access to webmail.   I then ordered a new security scan of my server which we passed.

 - Wayne

http://livedocs.adobe.com/flash/8/main/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001621.html

http://jeremiahgrossman.blogspot.com/2008/05/crossdomainxml-invites-cross-site.html


On Jan 24, 2009, at 2:32 PM, Jason Mader wrote:

Can someone elaborate on what customization is needed?


On Sat, 24 Jan 2009, Wayne Gamble wrote:

". . . his file can be customized now in the Basic WebUser skin."

Outstanding!  Thanks for the quick fix.

- Wayne


On Jan 24, 2009, at 12:55 AM, Technical Support wrote:

Hello,
Wayne Gamble wrote:
I just went through this with support.  The CrossDomain.xml file is part of the CGate webmail binary and therefore cannot be edited or deleted. (It is only readable/downloadable when webmail is running.)
In the 5.2.12 version of CGPro (just released) this file can be customized now in the Basic WebUser skin.
The only way we were able to pass the PCI security scan was to shut down all webmail on our server.
- Wayne
On Jan 23, 2009, at 12:52 PM, Thomas Kishel wrote:
Hello,
We subscribe to a security auditing service (McAfee SECURE) that just reported this:

 CrossDomain.xml File Has Allow-all Policy
 Port: 443
 Path: /crossdomain.xml

 <?xml version="1.0"?>
 <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy>
 <allow-access-from domain="*" to-ports="*" />
 </cross-domain-policy>
A file search (via locate) of the filesystem is negative.
A string search (via grep /usr/sbin/CommuniGatePro) finds it in CGServer.
We are running 5.2.9, but I find no potential references in the Revision History.
Anyone already familiar with resolving this?
-- Tom Kishel
Dark Horse Comics, Inc.
#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>
#############################################################
-- Best regards,
Dmitry Akindinov
= = = ====================================================================
When answering to letters sent to you by the tech.support staff, make
sure the original message you have received is included into your
reply.



---Jason Mader, National Crash Analysis Center,
The George Washington University, VA Campus

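The thread above turns on one thing: an allow-all crossdomain.xml (domain="*" with to-ports="*") served from the webmail port, and the fix of restricting it to the site's own domain once 5.2.12 made the file editable. The following is an added example, not code from the thread or from CommuniGate Pro, that parses a Flash cross-domain policy and flags the patterns a scanner such as the one Tom ran would object to. The two sample policies are constructed for illustration; the domain webmail.example.com is a placeholder, and the checks (domain wildcard, subdomain wildcard, to-ports wildcard, secure="false") are the reviewer's own list, not the scanner's.

```python
"""Audit a Flash crossdomain.xml policy for allow-all settings.

Added example for the CGatePro thread on crossdomain.xml; it is not
CommuniGate Pro code. Sample policies below are constructed.
"""
import xml.etree.ElementTree as ET
import urllib.request

# Constructed sample: the allow-all policy the security scan reported.
# The DOCTYPE is kept as served; expat does not fetch the external DTD.
ALLOW_ALL = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>"""

# Constructed sample: a policy restricted to one (placeholder) host,
# HTTPS only, and declaring this as the only policy file on the site.
RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="webmail.example.com" secure="true" />
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return (domain, to_ports, secure) for each allow-access-from element.

    Missing attributes come back as None so the caller can tell "not set"
    from an explicit value.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    rules = []
    for elem in root.findall("allow-access-from"):
        rules.append((elem.get("domain"), elem.get("to-ports"), elem.get("secure")))
    return rules


def audit_policy(xml_text):
    """Return a list of human-readable findings; empty list means no issue found."""
    findings = []
    for domain, to_ports, secure in parse_policy(xml_text):
        if domain == "*":
            findings.append("allow-all domain wildcard")
        elif domain is not None and domain.startswith("*."):
            findings.append("subdomain wildcard: %s" % domain)
        if to_ports == "*":
            findings.append("to-ports wildcard")
        if secure == "false":
            findings.append("secure=false for %s" % domain)
    return findings


def fetch_policy(base_url, timeout=10):
    """Download /crossdomain.xml from a server you administer (not run here)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/crossdomain.xml",
                                timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for label, text in (("allow-all", ALLOW_ALL), ("restricted", RESTRICTED)):
        print(label, "->", audit_policy(text) or "OK")
```

Run it as-is to see the reported policy flagged and the restricted one pass; to check a live server you run, call fetch_policy("https://your.webmail.host") and hand the result to audit_policy. Even a restricted allow-access-from is only as good as the listed domain, so the domain should be one whose content you control end to end.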
