Enabling Secure Cookies in the Web Application

Enable secure cookies to stop cookies from being sent over HTTP. This is not enabled by default, as it makes the application unusable over HTTP. Before enabling it, ensure an upgrade from HTTP to HTTPS is enabled, as the app will no longer function over HTTP. Add the following property into the 3 appsettings.json files at […]

CVE-2024-6203 – Password Reset Poisoning

General Information: This article contains frequently asked questions relating to the store cross-site scripting vulnerability affecting Halo versions up to 2.143.61 and all 2.144 and 2.145 versions. Users with access to the forgotten-password functionality can issue a password reset request to the victim's email address and, by manipulating the request in a specific way, […]

CVE-2024-6202 – SAML XML Signature Wrapping (XSW)

General Information: This article contains frequently asked questions relating to the XML signature wrapping vulnerability affecting Halo versions up to 2.143.8. SAML XML signature wrapping is an attack method where an attacker modifies the signed SAML message without invalidating the signature. This can lead to the attacker impersonating another user. Are hosted Halo instances affected? […]

CORS Policy on Halo API

By default, the CORS policy on all Halo web apps is a wildcard that allows all origins. To enable a stricter CORS policy that blocks requests from other origins, follow the steps below. In appsettings.json in the API and Auth Server, add "UseCorsPolicy": true. Also add "CorsWhiteList" as an array of strings. Enter the hostname of each […]

CVE-2023-4863

The issue is resolved as of version 2.170.1; see Update 31/10/2024 for more information. General Information: This article contains frequently asked questions relating to the heap buffer overflow vulnerability affecting libwebp. On September 11, 2023, Google published a stable channel update to address the vulnerability in libwebp and assigned CVE-2023-4863 to track this vulnerability. libwebp […]

Rolling back versions v2.45 and above to versions below v2.45

A change has been made to NHD_Roleclaims and NHD_Userclaims where the asset claims now have values up to 3 rather than 2. This means that when rolling back, any claims relating to assets that have a value of 3 in either of these tables need to be dropped down to 2. Run the following 2 queries: Update NHD_roleclaims set […]

How are user passwords stored?

This article discusses the method used to store user passwords in Halo. When users are stored in the Halo database, their passwords are stored hashed. Halo uses the PBKDF2 key derivation function with a suitably high iteration count to hash the password for storage in the database. Each password has its own salt applied prior […]

Enable HTTP strict transport security (HSTS)

This ensures all traffic to the Halo site can only use a secure HTTPS connection. HTTPS must already be configured for the web application. Currently, these steps are required after any upgrade. If HTTPS/SSL is not configured and HSTS is enabled, the application will not work. Open web.config in the root of your Halo web […]

IP Addresses for Whitelisting

For hosted Halo users, your traffic passes through the IP addresses below. This applies to API requests as well as SMTP/IMAP/POP connections. UK addresses to whitelist: 18.134.104.113, 18.134.36.210, 18.133.135.248. DNS listing for IPs (add this to the sending domain's SPF record): d3ukmail.nethelpdesk.com. USA/Americas addresses to whitelist: 52.200.167.248, 3.225.188.37, 50.19.232.234. DNS listing for IPs (add this to […]

Setting up Two Factor Authentication

Two-factor authentication: how to use and implement it. Agents in Halo can use 2FA (two-factor authentication) to secure their account for any reason seen fit. This could be for data protection, for security whilst out and about using Halo on a mobile or a laptop, or if you have staff using Halo in a public-facing […]