
Security in WebJET CMS depends on correct configuration and proper access rights. The settings on this page must be applied before going into production and reviewed at least quarterly, and always before scheduled security tests.
Some settings below require an application server restart to take effect. Incorrect configuration — particularly around IP whitelisting and admin access — can lock you out of the administration.

Permission groups

WebJET CMS allows program files to be modified through the administration interface. Before running penetration tests or opening the system to editors, create dedicated permission groups and restrict who can hold sensitive rights.
This group can modify permissions for any user or group — including granting themselves or others full system access. A user with these rights can compromise the entire installation. Assign only the following rights to this group:
  • Administrators management — allows setting permissions for administration users
  • Rights groups — allows setting permissions on groups
Programmers sometimes need to apply hotfixes directly through WebJET CMS. A user with this group can upload malicious code capable of executing any operation on the server. Rights for this group:
  • Unlimited file uploads (extensions and sizes)
  • Configuration — view all variables
  • Text editing — view all texts
Also requires write permission on the file system for:
  • /apps — application code
  • /components — application code
  • /templates — design templates
If you deploy from a Git repository and do not need hotfixes via WebJET CMS, omit the above directories entirely and grant write access only to:
  • /images, /files, /shared — editor-uploaded media
  • /WEB-INF/tmp — temporary files
  • /WEB-INF/imgcache — generated image thumbnails
  • /WEB-INF/formfiles — files uploaded through website forms
No other user groups or individual users should hold the sensitive rights described above.

Blocked file paths

The configuration variable pathFilterBlockedPaths contains a comma-separated list of URL patterns that WebJET blocks. Any request whose URL contains one of these patterns returns an error. The default blocked patterns are:
.DS_Store, debug., config.properties, Thumbs.db, .git, .svn
Add additional patterns as needed for your environment.

Admin access restriction

IP whitelisting

Restrict the /admin path to known IP addresses using adminEnabledIPs. Set it to a comma-separated list of allowed IPs:
adminEnabledIPs=203.0.113.10,10.0.0.
To use a dedicated domain for the administration instead of a path restriction, set multidomainAdminHost=cms.yourdomain.example. Requests to /admin on all other domains will return a 404 error.

Two-factor authentication

Set isGoogleAuthRequiredForAdmin=true to require two-factor authentication for all administration logins. Each user must set up 2FA in advance under their account name → Two-step verification, or at /admin/2factorauth.jsp.
Require two-factor authentication at minimum for all accounts that can manage user accounts, permissions, or system configuration.

File upload restrictions

Restrict what editors can upload to limit the risk of malicious file uploads.
Variable | Default | Recommended
FCKConfig.UploadMaxSize[Default][image] | 0 (unlimited) | 10000 (10 MB)
FCKConfig.UploadMaxSize[Basic][image] | 2048 (2 MB) | 2048
FCKConfig.UploadMaxSize[Default][file] | 0 (unlimited) | 50000 (50 MB)
FCKConfig.UploadMaxSize[Basic][file] | 2048 (2 MB) | 2048
The [Basic] variants apply to users who do not have the Complete menu in the editor right.
Variable | Default | Recommended
FCKConfig.UploadFileTypes[Default][image] | empty (no restriction) | jpg,jpeg,png,gif,svg,mp3,mp4
FCKConfig.UploadFileTypes[Basic][image] | jpg,jpeg,png,gif,mp4 | keep default
FCKConfig.UploadFileTypes[Default][file] | empty (no restriction) | pdf,docx,xlsx,pptx,ppsx,zip,rtf
FCKConfig.UploadFileTypes[Basic][file] | doc,docx,xls,xlsx,pdf,zip,rtf | keep default
Consider whether to allow SVG uploads — see the note on SVG XSS below.
Set defaultDisableUpload=true to restrict all users to writing only in explicitly configured directories. Without any configured directories, no writes are permitted.
Set fbrowserShowOnlyWritableFolders=true to hide directories that the user cannot write to (by default, unwritable directories are visible but not editable).

HTTP security headers

Configure HTTP response headers in Settings → Configuration. Headers marked with a recommended value should be set before going into production.
Variable | Default | Description
xXssProtection | 1; mode=block | X-XSS-Protection header
xFrameOptions | SAMEORIGIN | X-Frame-Options — CSRF framing protection
xContentTypeOptions | nosniff | X-Content-Type-Options — prevents MIME sniffing
strictTransportSecurity | empty | Set to max-age=31536000 ; includeSubDomains once your site is fully on HTTPS
refererPolicy | same-origin | Referrer-Policy header
serverName | unknown | Server response header value — keep this at unknown or a non-descriptive value

Variable | Description
contentSecurityPolicy | Sets the Content-Security-Policy header. Empty by default (header not sent). For HTTPS sites, recommended value: default-src 'none'; script-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; worker-src https: blob:; child-src https: blob:; style-src https: data: 'unsafe-inline' 'unsafe-eval'; img-src https: data: 'unsafe-inline'; font-src https: data:; object-src blob: 'self'; base-uri 'none'; frame-ancestors 'self'; connect-src blob: 'self'; frame-src 'self'
contentSecurityPolicySvg | Separate CSP value for SVG images. WebJET sets this to default-src 'self' by default to prevent JavaScript execution in directly opened SVG files.
featurePolicyHeader | Feature-Policy / Permissions-Policy header (e.g. microphone 'none'; geolocation 'none'). Empty by default.

Variable | Default | Description
accessControlAllowOriginValue | {HTTP_PROTOCOL}://{SERVER_NAME}:{HTTP_PORT} | Access-Control-Allow-Origin value
accessControlAllowOriginUrls | /rest/,/private/rest/,/admin/rest/ | URL prefixes that receive the CORS header
accessControlAllowHeaders | Origin, Accept, ... | Access-Control-Allow-Headers value
accessControlAllowMethods | HEAD,POST,GET,OPTIONS,PUT | Access-Control-Allow-Methods value
accessControlMaxAge | 1800 | Access-Control-Max-Age value
accessControlAllowedOrigins | empty | If set, requests must include an Origin header matching this list
Macros available in values: {HTTP_PROTOCOL}, {SERVER_NAME}, {DOMAIN_NAME}, {DOMAIN_ALIAS}, {HTTP_PORT}, {INSTALL_NAME}, {HEADER_ORIGIN}.
Variable | Default | Description
xRobotsTagValue | noindex, nofollow | X-Robots-Tag header value
xRobotsTagUrls | /components/,NOT_SEARCHABLE_PAGE | URL prefixes that receive the X-Robots-Tag header. If NOT_SEARCHABLE_PAGE is in the list, the header is also applied to pages with search disabled.
For custom headers not covered by the variables above, use the HTTP headers application under Settings, or set the responseHeaders configuration variable with one entry per line in the format url-prefix:header-name:value:
/admin:X-Accel-Buffering:no
/rest/calculators/:Access-Control-Allow-Origin:*
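The entry format above has one trap: header values such as URLs or CSP directives contain colons themselves, so only the first two colons separate the fields. The following parser is an added example, not WebJET code; the sample configuration is constructed, and the rule that a later line overrides an earlier one for the same header name is an assumption.

```python
# Added example (not WebJET code): parses the responseHeaders variable
# format "url-prefix:header-name:value" and resolves which custom headers
# apply to a request path. Values may contain ':' (URLs, CSP sources),
# so only the first two colons are treated as separators.
from typing import Dict, List, Tuple

# Constructed sample in the format shown on this page.
RESPONSE_HEADERS_CONFIG = """
/admin:X-Accel-Buffering:no
/rest/calculators/:Access-Control-Allow-Origin:*
/:Referrer-Policy:same-origin
/files/:Content-Security-Policy:default-src 'self' https://cdn.example
"""


def parse_response_headers(config: str) -> List[Tuple[str, str, str]]:
    """Return (url_prefix, header_name, value) for every non-empty line."""
    rules: List[Tuple[str, str, str]] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # at most 3 parts; the value keeps its colons
        if len(parts) != 3 or not parts[0].startswith("/") or not parts[1].strip():
            raise ValueError(
                f"line {lineno}: expected url-prefix:header-name:value, got {raw!r}")
        prefix, name, value = parts
        rules.append((prefix, name.strip(), value.strip()))
    return rules


def headers_for_path(rules: List[Tuple[str, str, str]], path: str) -> Dict[str, str]:
    """Collect headers whose url-prefix matches the start of the request path.
    Note that "/admin" also matches "/administrator"; a later matching line
    overrides an earlier one for the same header name (assumption)."""
    applied: Dict[str, str] = {}
    for prefix, name, value in rules:
        if path.startswith(prefix):
            applied[name] = value
    return applied
```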

Password policies

Variable | Default | Description
passwordAdminMinLength | 5 | Minimum password length
passwordAdminMinCountOfSpecialSigns | 0 | Minimum special characters
passwordAdminMinUpperCaseLetters | 1 | Minimum uppercase letters
passwordAdminMinLowerCaseLetters | 0 | Minimum lowercase letters
passwordAdminMinCountOfDigits | 1 | Minimum digits
passwordAdminExpiryDays | 0 | Days before password expires. 0 disables expiry.

Variable | Default | Description
passwordHistoryEnabled | true | Prevents reuse of previously used passwords
passwordHistoryLength | 6 | Number of previous passwords remembered
passwordHashAlgorithm | bcrypt | Hashing algorithm: bcrypt or sha-512. BCrypt is used from version 2022.40. Older hash values are migrated to BCrypt on next password change.
bcryptSaltRounds | 12 | BCrypt cost factor (log₂ of rounds)

Variable | Default | Description
passwordResetValidityInMinutes | 30 | Time validity of the password reset link
changePasswordPageUrl | /components/user/change_password.jsp | URL of the password change page
The same password rules apply to password-protected website sections, using variables without the Admin segment (for example, passwordMinUpperCaseLetters).
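The defaults above accept very short passwords, which is why they should be reviewed before production. The checker below is an added example, not WebJET code: it applies the passwordAdmin* minimums to a candidate password and models the passwordHistoryLength rule. What counts as a special sign, and the stricter profile values, are assumptions.

```python
# Added example (not WebJET code): evaluates a password against the
# passwordAdmin* rules listed on this page. "Special sign" is assumed to
# mean any non-alphanumeric character.
from typing import Dict, List

# Defaults as documented on this page.
DEFAULTS: Dict[str, int] = {
    "passwordAdminMinLength": 5,
    "passwordAdminMinCountOfSpecialSigns": 0,
    "passwordAdminMinUpperCaseLetters": 1,
    "passwordAdminMinLowerCaseLetters": 0,
    "passwordAdminMinCountOfDigits": 1,
}

# A stricter profile an operator might choose; the values are illustrative.
HARDENED: Dict[str, int] = {
    "passwordAdminMinLength": 12,
    "passwordAdminMinCountOfSpecialSigns": 1,
    "passwordAdminMinUpperCaseLetters": 1,
    "passwordAdminMinLowerCaseLetters": 1,
    "passwordAdminMinCountOfDigits": 1,
}


def check_password(password: str, policy: Dict[str, int]) -> List[str]:
    """Return the violated rules; an empty list means the password passes."""
    counts = {
        "passwordAdminMinLength": len(password),
        "passwordAdminMinCountOfSpecialSigns": sum(not c.isalnum() for c in password),
        "passwordAdminMinUpperCaseLetters": sum(c.isupper() for c in password),
        "passwordAdminMinLowerCaseLetters": sum(c.islower() for c in password),
        "passwordAdminMinCountOfDigits": sum(c.isdigit() for c in password),
    }
    return [f"{rule} >= {minimum} (got {counts[rule]})"
            for rule, minimum in policy.items() if counts[rule] < minimum]


def check_history(password: str, previous: List[str], history_length: int = 6) -> bool:
    """Model of passwordHistoryLength: reject reuse of the last N passwords.
    A real installation compares bcrypt hashes; plain strings are used here
    only to keep the example self-contained."""
    return password not in previous[-history_length:]
```

With the defaults, "Abc12" passes every rule; with the stricter profile it fails on length and special characters.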

Login blocking

After repeated failed login attempts, WebJET blocks the IP address temporarily.
Variable | Default | Description
logonBlockedDelay | 10 | Seconds of delay after any failed login
logonBlockedAfterUnsuccessCount | 5 | Number of failed attempts before the extended delay applies
logonLoginBlockedDelay | 60 | Seconds of extended delay after exceeding logonBlockedAfterUnsuccessCount
During a lockout period, failed attempt counters are not incremented and the lockout timer is not extended.
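The interaction of the three variables and the lockout rule is easiest to see in a small model. This is an added example, not the CMS implementation: it assumes failures are tracked per IP address and that the extended delay starts once the failure count exceeds logonBlockedAfterUnsuccessCount, as the table describes.

```python
# Added example (not WebJET code): a state machine modelling the login
# blocking rules on this page, with the documented default values.
# Assumptions: failures are counted per IP, and any active delay counts
# as a "lockout period" in the sense of the rule above.
from dataclasses import dataclass, field
from typing import Dict

LOGON_BLOCKED_DELAY = 10         # logonBlockedDelay, seconds
LOGON_BLOCKED_AFTER = 5          # logonBlockedAfterUnsuccessCount
LOGON_LOGIN_BLOCKED_DELAY = 60   # logonLoginBlockedDelay, seconds


@dataclass
class IpState:
    failures: int = 0
    blocked_until: float = 0.0   # epoch seconds


@dataclass
class LoginGuard:
    ips: Dict[str, IpState] = field(default_factory=dict)

    def is_blocked(self, ip: str, now: float) -> bool:
        return now < self.ips.setdefault(ip, IpState()).blocked_until

    def record_failure(self, ip: str, now: float) -> float:
        """Register a failed login and return the seconds until the IP may
        try again. During an active lockout the counter is not incremented
        and the timer is not extended, as the page states."""
        st = self.ips.setdefault(ip, IpState())
        if now < st.blocked_until:
            return st.blocked_until - now
        st.failures += 1
        delay = (LOGON_LOGIN_BLOCKED_DELAY if st.failures > LOGON_BLOCKED_AFTER
                 else LOGON_BLOCKED_DELAY)
        st.blocked_until = now + delay
        return delay

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure history for that IP."""
        self.ips.pop(ip, None)
```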

Single session login

Set sessionSingleLogon=true to allow only one active session per user at a time. When a user logs in again, their other active session is terminated — including on all nodes in a cluster. This also prevents credential sharing between multiple users.

LDAP authentication

WebJET supports authentication against an LDAP server. Configure it with the following variables:
Variable | Description
ldapProviderUrl | LDAP server URL, e.g. ldap://ldap.local:389/DC=company,DC=com??base
ldapUsername | Technical user login for reading LDAP data
ldapPassword | Technical user password for reading LDAP data
ldapUseSslProtocol | Set to true to use SSL on port 636
ldapDomainAppend | Domain suffix appended to the login name if required
ldapSecurityPrincipalDn | Custom SECURITY_PRINCIPAL string — !USERNAME! is replaced with the login name
ldapFilter | LDAP filter for account lookup (default: (&(objectClass=Person) (&(sAMAccountName=!USERNAME!))))
basicNtlmLogonAttrs | Comma-separated list of LDAP attributes to read at login (leave empty to only verify the login without syncing user data)
After login, WebJET matches the user’s LDAP group membership (memberOf attribute) against WebJET group names. Matching groups are automatically assigned.
Variable | Description
NTLMAdminGroupName | LDAP group name that grants administration access
passwordProtectedAutoId | Comma-separated user group IDs automatically assigned after login

Tomcat application server hardening

Set secure="true" on the Tomcat connector so the session cookie is only transmitted over HTTPS. Without this, the browser does not accept the cookie and sessions cannot be held.
<Connector
    ...
    secure="true"
    useBodyEncodingForURI="true"
    ...
/>

Suppress Tomcat version disclosure

Prevent Tomcat from revealing its version in error responses by adding ErrorReportValve to the <Host> element in server.xml:
<Host ...>
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
        showReport="false"
        showServerInfo="false" />
</Host>

SameSite cookies

Set the SameSite attribute on cookies to mitigate CSRF attacks. In Tomcat, configure this via CookieProcessor in Context:
<Context>
    <CookieProcessor sameSiteCookies="strict"/>
</Context>

Default host configuration

Set defaultHost in server.xml to a non-existent <Host> entry so the application server rejects requests for unknown domains rather than routing them to an unintended host:
<Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" ...>
        <Alias>admin.domain.example</Alias>
    </Host>
</Engine>

Load balancer and WAF considerations

Load balancer

  • Route only known domains to application servers. Unknown domains should be rejected at the load balancer.
  • When serverBeyoundProxy=true, WebJET reads the visitor IP from the X-Forwarded-For header. Ensure the load balancer always sets this header — do not allow it to be passed from the internet. The same applies to x-forwarded-proto.

Web application firewall (WAF)

WebJET’s administration sends HTTP requests that may be flagged as XSS or SQL injection by a WAF (for example, saving a page with JavaScript in the HTML, or saving records in the Scripts application). Set WAF exceptions for:
  • /admin/rest/web-pages
  • /admin/rest/components/insert-script
  • /admin/v9/settings/translation-keys
  • /admin/rest/settings/configuration
  • /admin/searchall.jsp
  • /admin/replaceall.jsp
  • /admin/updatedb.jsp
The ideal architecture is a dedicated CMS administration node on a private network, inaccessible from the internet. The WAF can then be omitted for that node entirely.

Audit and change notifications

Set up email notifications for security-relevant configuration changes under Audit → Notification list. Recommended event types:
  • CONF_UPDATE / CONF_DELETE — configuration variable changes
  • PROP_UPDATE / PROP_DELETE — translation key changes (JavaScript code can be inserted via translation keys)
  • XSS — detected XSS attempts
  • SQLERROR — database errors
This ensures a security engineer is notified of changes that could indicate an attack.

Common penetration test findings

Finding: The web server type and version is revealed through error responses.
Fix: Set the serverName configuration variable to unknown or a non-descriptive value. Verify the Server response header in your browser’s developer tools.

Finding: Arbitrary files including JSP can be uploaded, allowing command execution.
Fix: Configure file upload rights via FCKConfig.Upload* variables, and consider disabling write access to program file directories entirely.

Finding: The Strict-Transport-Security header is absent.
Fix: Set strictTransportSecurity=max-age=31536000 ; includeSubDomains in configuration.

Finding: SVG files can embed JavaScript that executes when opened directly.
Fix: Restrict SVG upload permissions via FCKConfig.UploadFileTypes. WebJET also sets Content-Security-Policy: default-src 'self' on SVG file responses by default (configurable via contentSecurityPolicySvg).

Finding: Users with access to translation texts can insert JavaScript code.
Fix: Limit access to the Text Translation application. Users without the Edit texts — view all texts right are restricted to keys listed in propertiesEnabledKeys, and their inputs are filtered to tags in propAllowedTags (default: p,div,a,sub,sup,br,strong) and attributes in propAllowedAttrs (default: href,src,style,class,rel). Set propAllowedTags=- to completely disallow HTML for these users. Also set up audit notifications for PROP_UPDATE.

Finding: Web page import accepts serialised Java objects in XML that could be tampered with.
Fix: Do not grant normal users permission to modify configuration variables. The XMLDecoderAllowedClasses configuration variable controls allowed deserialisable types — dangerous types (java.lang.Runtime) are blocked by hardcoded logic regardless of configuration.
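Several of the findings above (Server disclosure, missing HSTS, missing CSP) can be verified from a single response before the test starts. The audit below is an added example, not WebJET code: it parses a captured header block and compares it with the values recommended in the HTTP security headers section. The sample response is constructed; in practice feed it the output of curl -sI against your site.

```python
# Added example (not WebJET code): audits a captured HTTP response header
# block against the header values recommended on this page.
import re
from typing import Dict, List

# Constructed sample of a response from an unhardened instance.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=600
Referrer-Policy: same-origin
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Header names are case-insensitive; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> List[str]:
    """Return findings phrased like the penetration test list above."""
    h = parse_headers(raw)
    findings: List[str] = []
    if h.get("server", "") not in ("", "unknown"):
        findings.append(f"Server header reveals '{h['server']}'; set serverName=unknown")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 31536000 or "includesubdomains" not in hsts.lower():
        findings.append("Strict-Transport-Security missing or weak; set "
                        "strictTransportSecurity=max-age=31536000 ; includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff (xContentTypeOptions)")
    if not h.get("x-frame-options"):
        findings.append("X-Frame-Options missing (xFrameOptions)")
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy not sent (contentSecurityPolicy is empty)")
    if not h.get("referrer-policy"):
        findings.append("Referrer-Policy missing (refererPolicy)")
    return findings
```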

Responsible disclosure

If you discover a security vulnerability in WebJET CMS, please report it privately rather than through public channels.

Web form

Report via the responsible disclosure form on the Interway website.

GitHub

Use the GitHub “Report a vulnerability” feature on the WebJET CMS repository.
You can also send reports by email to zranitelnosti@interway.sk. Use PGP key 38F5F695642A7A1C73AF6C7E90DC0AF8975E50AD for encrypted communication. Include in your report:
  • Vulnerability type (e.g. SQL injection, XSS, authentication bypass)
  • File paths and source code location (tag/branch/commit or direct URL)
  • Steps to reproduce
  • Proof-of-concept or exploit code if available
  • Impact description and potential attack scenario
What to expect: Interway will confirm receipt, verify the issue, fix it as quickly as complexity allows, and notify you when the fix is released.
Security updates are provided for the latest stable release of WebJET CMS. Running the latest version is strongly recommended.