Usage Note 68162: Preventing Cross-Site Request Forgery (CSRF) attacks for SAS® Comments Manager and other shared applications
 |  |  |  |  |
This note contains special instructions for SAS Comment Manager regarding Cross-Site Request Forgery (CSRF) token checking.
CSRF is a type of attack on web applications whereby a malicious actor causes information to be submitted to a vulnerable application on behalf of a user. This issue typically occurs when you log on to a vulnerable application. Then, you are deceived into clicking a link or submitting a form from a malicious actor that causes information to be sent to the vulnerable application. The information appears to come as a valid request from the end user.
See the OWASP Cross Site Request Forgery (CSRF) page for more information about how CSRF attacks work.
You can configure SAS Comments Manager to prevent this type of attack by enforcing synchronizer token checking in SAS® Management Console.
To enable CSRF token checking:
- Log on to SAS Management Console.
- On the Plug-ins tab, select Application Management ► Configuration Manager ► SAS Application Infrastructure.
- Right-click Shared Applications 9.4 and select Properties.
- Click the Advanced tab.
- Add the following properties.
- sas.web.csrf.token.performCheck=true
- sas.web.csrf.token.allowedMethods=GET,HEAD,TRACE,OPTIONS
- Click OK to close the SAS Application Infrastructure Properties window.
- Stop the middle tier, using the method that is appropriate for your operating system:
- Microsoft Windows operating environments:
Using the Services Snap-in, right-click on each of the SAS services in the list (in the order in which they are listed), and click Stop:
- SAS Environment Manager agent
- SAS Environment Manager
- SAS Web Application Server: SASServer2_1
- SAS Web Application Server: SASServer12_1
- SAS Web Application Server: SASServer1_1
- SAS Web Server
- SAS Cache Locator Service: ins_41415
- SAS JMS Broker
Note: The list of services that you see, and need to stop, depends on which managed web application servers are installed in your environment.
- UNIX operating environments:
Run SAS-configuration-directory/sas.servers stop.
- Microsoft Windows operating environments:
- Start the middle tier using the method that is appropriate for your operating system:
- Windows operating environments:
Using the Services Snap-in, right-click on each of the SAS services in the list (In the order in which they are listed), and click Start:
- SAS Environment Manager Agent
- SAS Environment Manager
- SAS Web App Server: SASServer2_1
- SAS Web App Server: SASServer12_1
- SAS Web App Server: SASServer1_1
- SAS Web Server
- SAS Cache Locator Service: ins_41415
- SAS JMS Broker
Note: The list of services that you see, and need to stop, depends on which managed web application servers are installed in your environment.
- UNIX:
Run SAS-configuration-directory/sas.servers start.
- Windows operating environments:
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 |
| 64-bit Enabled AIX | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| 64-bit Enabled Solaris | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| HP-UX IPF | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| Linux for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||
| Solaris for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8 | ||