====== Tomcat8 Security Update to prevent Open Redirect Exploit in Greenstone3 ======

Greenstone3 installations prior to 10 May 2023 allowed the document view action to be automatically forwarded to an external URL. Because this lets malicious users try to gather information about other users, this feature has been disabled by default.

As it is not always convenient to update a current installation to the latest version of the software, the following details a series of changes you can make to your tomcat8 configuration files that achieve the same thing.

If you're working with a Greenstone 3 (GS3) installed through the GS3 binary installer:

  # cd /your/toplevel/GS3/installation/folder
  source ./gs3-setup.sh # gs3-setup.bat if you're on Windows
  
  cd resources/tomcat
  wget --no-check-certificate https://trac.greenstone.org/export/37743/main/trunk/greenstone3/resources/tomcat/greenstone3.xml.svn
  diff greenstone3.xml.svn greenstone3.xml.in
  # Should show the addition of a single Rewrite Valve XML element, near the bottom of the file
  cp greenstone3.xml.svn greenstone3.xml.in
  
  cd ../../web/WEB-INF
  ls
  wget --no-check-certificate https://trac.greenstone.org/export/37743/main/trunk/greenstone3/web/WEB-INF/rewrite.config
  cd ../../
  
  # restart your Greenstone3
  # (Option 1) basic install
  ant restart
  # (Option 2, but note actual service name may differ depending on installation)
  sudo systemctl status greenstone3
  sudo systemctl restart greenstone3

If you're working with a Greenstone 3 checked out from SVN, then do as follows:

  # cd $GSDL3SRCHOME
  cd resources/tomcat
  svn up greenstone3.xml.svn
  diff greenstone3.xml.svn greenstone3.xml.in
  # Should show the addition of a single Rewrite Valve XML element, near the bottom of the file
  cp greenstone3.xml.svn greenstone3.xml.in
  
  cd ../../web/WEB-INF
  ls
  svn up rewrite.config
  cd ../../
  
  # restart your Greenstone3
  # (Option 1) basic install
  ant restart
  # (Option 2, but note actual service name may differ depending on installation)
  sudo systemctl status greenstone3
  sudo systemctl restart greenstone3
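
A post-update check for the steps above, as an added example that is not part of the original Greenstone instructions: it confirms that ''greenstone3.xml.in'' declares a Rewrite Valve, that ''web/WEB-INF/rewrite.config'' holds at least one active rule, and that ''wget'' did not leave the old files in place by saving its download under a ''.1'' suffix. The function name is hypothetical, and matching on Tomcat's standard class name ''org.apache.catalina.valves.rewrite.RewriteValve'' is an assumption about how the element is written in the file.

```shell
#!/bin/sh
# Added example (not Greenstone project code): verify the open-redirect
# patch files are in place before restarting.
# Usage: sh check_patch.sh /your/toplevel/GS3/installation/folder

check_gs3_redirect_patch() {
    gs3_home=$1
    ctx="$gs3_home/resources/tomcat/greenstone3.xml.in"
    rules="$gs3_home/web/WEB-INF/rewrite.config"
    status=0

    # 1. The context template must declare the Rewrite Valve.
    #    Assumption: it is written with Tomcat's standard class name.
    if [ ! -f "$ctx" ]; then
        echo "MISSING: $ctx"; status=1
    elif ! grep -q 'org\.apache\.catalina\.valves\.rewrite\.RewriteValve' "$ctx"; then
        echo "NOT PATCHED: no Rewrite Valve element in $ctx"; status=1
    fi

    # 2. The valve only acts on rules it can read: rewrite.config must
    #    exist and contain at least one line that is not blank or a comment.
    if [ ! -s "$rules" ]; then
        echo "MISSING OR EMPTY: $rules"; status=1
    elif ! grep -Eqv '^[[:space:]]*(#|$)' "$rules"; then
        echo "NO ACTIVE RULES: $rules"; status=1
    fi

    # 3. When the target file already exists, wget saves the download as
    #    NAME.1 and leaves the old NAME untouched. A leftover .1 file means
    #    the new version was never put in place.
    for stray in "$gs3_home/resources/tomcat/greenstone3.xml.svn.1" "$rules.1"; do
        if [ -e "$stray" ]; then
            echo "STALE DOWNLOAD: $stray exists; original was not replaced"
            status=1
        fi
    done

    [ "$status" -eq 0 ] && echo "OK: Rewrite Valve and rewrite.config present"
    return "$status"
}

# Run the check when an installation folder is given on the command line.
if [ -n "${1:-}" ]; then
    check_gs3_redirect_patch "$1"
fi
```

A non-zero exit status means at least one of the three checks failed; the printed lines say which.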