Skype for Business and Insecure ClientAccessPolicy.XML

    Question

  • Has anybody tried to modify the "Clientaccesspolicy.aspx" under Web Components\Join Launcher?

    I ran into this question when pen testers were validating the Skype platform. The problem they report is the AutoDiscover section:

        <policy>
          <allow-from http-request-headers="*">
            <domain uri="*" />
          </allow-from>
          <grant-to>
            <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" />
          </grant-to>
        </policy>

    as there are no restrictions like the previous section has. My idea was to take a copy from the previous section and paste these lines into the AutoDiscover section:

          <allow-from http-request-headers="*">
            <domain uri="<% =InternalWebUrl %>" />
            <domain uri="<% =ExternalWebUrl %>" />
          </allow-from>


    Petri

    Tuesday, November 14, 2017 12:25 AM
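A small checker in the spirit of the change proposed above, written as an added example (it is not from the original thread or from Microsoft): it parses a clientaccesspolicy.xml, flags every policy whose allow-from admits any origin, and rewrites such a policy to explicit domain URIs the way the question suggests. The sample XML, the example.com hostnames and the /placeholder/previous-section.svc path are constructed; the only real path is the AutoDiscover service quoted in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two <policy> blocks quoted in the post. The service
# path of the "previous section" is a placeholder, not a real Skype for Business path.
SAMPLE_POLICY = """<access-policy><cross-domain-access>
  <policy>
    <allow-from http-request-headers="*">
      <domain uri="https://lync-int.example.com" /><domain uri="https://lync.example.com" />
    </allow-from>
    <grant-to><resource path="/placeholder/previous-section.svc" include-subpaths="true" /></grant-to>
  </policy>
  <policy>
    <allow-from http-request-headers="*"><domain uri="*" /></allow-from>
    <grant-to><resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" /></grant-to>
  </policy>
</cross-domain-access></access-policy>"""


def find_wildcard_grants(xml_text):
    """Return the resource paths granted to a policy whose allow-from admits any origin."""
    root = ET.fromstring(xml_text)
    flagged = []
    for policy in root.iter("policy"):
        domains = [d.get("uri", "").strip() for d in policy.iter("domain")]
        # "*" admits every origin; a scheme-only wildcard such as "https://*" is treated the same here.
        if any(u == "*" or u.endswith("://*") for u in domains):
            flagged.extend(r.get("path") for r in policy.iter("resource"))
    return flagged


def restrict_domains(xml_text, resource_path, allowed_uris):
    """Replace the domains of the policy granting resource_path with an explicit allow-list."""
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        if not any(r.get("path") == resource_path for r in policy.iter("resource")):
            continue
        allow_from = policy.find("allow-from")
        if allow_from is None:
            continue
        for old in allow_from.findall("domain"):
            allow_from.remove(old)
        for uri in allowed_uris:
            ET.SubElement(allow_from, "domain", uri=uri)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("wildcard grants:", find_wildcard_grants(SAMPLE_POLICY))
    fixed = restrict_domains(SAMPLE_POLICY, "/autodiscover/autodiscoverservice.svc",
                             ["https://lync-int.example.com", "https://lync.example.com"])
    print("after restricting:", find_wildcard_grants(fixed))
```

The `http-request-headers="*"` attribute is left untouched by the rewrite, so the check only covers which origins may call the service, not which headers they may send.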