• Disable access to localhost/OpenKM/services/*

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #53065  by moealiassaad
 
Hello,

We have performed a pentest on the OpenKM app, and there were two issues that need to be fixed related to the web services page.

The first issue: lack of authentication to access the URL www.url.com/OpenKM/services. The recommended mitigation action was to either set up authentication on this page or disable it.
Could you please guide us on how to perform one of these two actions?

The second issue: technical information disclosure, also on /OpenKM/services/* and /OpenKM/services/rest/swagger.json.
The mitigation action proposed for this one is either to define customized error messages, or to generate exceptions at the code level and not send this info to the client browser.
Do you have any recommendation on how to perform this action?

Thanks in advance
 #53081  by jllort
 
OpenKM CE comes with REST services and the old SOAP services (I think in the near or middle future we will remove SOAP, because for us it is a deprecated technology). Anyway, because you wish to build a jar SOAP client, it is a good idea not to have these resources authenticated. If compared with the API, for example OpenKM/rest/*, these are authenticated.

The reason is what I explained before, to facilitate the build of the SOAP client.
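For readers who, unlike the reply above, do want to close both findings at the deployment level rather than leave the SOAP listing open, the following is an added example of generic servlet-container configuration; it is not OpenKM project code or documentation. It assumes OpenKM is deployed as a standard Java web application on a servlet container such as Tomcat, that its WEB-INF/web.xml already declares a `<login-config>` and a `<security-role>`, and that the role name `UserRole` and the static page `/error.html` are placeholders to be replaced with the real ones in that deployment. The first constraint requires an authenticated session for everything under /services/*, the second denies the Swagger description to everyone (an empty `<auth-constraint/>` means no role is permitted; the exact path is the best match for that URL and so takes precedence over the wildcard), and the `<error-page>` entries replace the container's default error output, which can include stack traces, with a static page.

```xml
<!-- Added example, not OpenKM's own web.xml. Fragment to be merged into
     WEB-INF/web.xml; assumes <login-config> and <security-role> for
     "UserRole" already exist there (role name is a placeholder). -->

<!-- 1. Require login for the SOAP endpoints and their WSDL listing. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OpenKM SOAP services</web-resource-name>
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>UserRole</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. Deny the Swagger API description to everyone: an empty
        <auth-constraint/> permits no role at all. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Swagger API description</web-resource-name>
    <url-pattern>/services/rest/swagger.json</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- 3. Replace default error pages (which may print stack traces) with a
        static page; /error.html is a placeholder path. -->
<error-page>
  <error-code>500</error-code>
  <location>/error.html</location>
</error-page>
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.html</location>
</error-page>
```

After redeploying, confirm the effect from an unauthenticated browser or HTTP client: /OpenKM/services/ should redirect to the login page or return 401, /OpenKM/services/rest/swagger.json should return 403, and a forced error should show only the static page. Note that `<error-page>` covers errors handled by the container; messages that the SOAP or REST framework writes into its own response bodies are unaffected and would still need the code-level handling the pentest report mentioned.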
