Vulnerable clientaccesspolicy.xml file: How do I properly configure?

Manuel Flores-Bonilla 6 Reputation points

Hi All,

A scan was recently done on our app server and it showed the vulnerability below (bug described here= )

Cross-domain and Client Access policies.
A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. use to access data across different domains. A client access policy file is similar to cross-domain policy but is used for Silverlight applications. Overly permissive configurations enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.

http-cross-domain-policy vulnerability source code from web app:

     <?xml version="1.0" encoding="utf-8" ?> 
           <allow-from http-request-headers="*">        
             <domain uri=""/>        
             <domain uri="" />                
             <resource path="/" include-subpaths="true"/> 
           <allow-from http-request-headers="*">
             <domain uri="*" />
             <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" /> 

Extra information:

Trusted,, *

I'm a system admin so this web development is a bit over my head but I'm taking up the challenge to plug this hole.

What I'm reading is that the clientaccesspolicy.xml file needs to be updated from:

<domain uri="*" /> to explicitly specify a domain and/or domain(s).

So far, I've saved the web page that is the clientaccesspolicy.xml and saved it as a html file and opened in Visual Studio Code for editing. I'm stuck here, however. I'm not confident in changing the values nor how to save the file or even access web folders etc.

May someone provide me with instructions with the following:

  • how to find the xml file that will implement the changes in the environment
  • How to save the file in appropriate directory
  • how to access a web folder (I've never done web development)
  • what tools do I need to conduct this task? I have visual studio and fiddler installed so far
  • what's the right syntax for the file? what values do I change for optimal security?
  • anything else that recommended for best practice

Thanks in advance. I was given this assignment recently and only given 2 days to figure this out so I'm very grateful for any help.

Internet Information Services
{count} vote