EPrints Technical Mailing List Archive
Message: #07058
[EP-tech] Need help to fix security risk vulnerabilities of Eprints software
- To: <eprints-tech@ecs.soton.ac.uk>
- Subject: [EP-tech] Need help to fix security risk vulnerabilities of Eprints software
- From: Shivaram Gowda <shivaramgowda@gmail.com>
- Date: Thu, 4 Jan 2018 14:40:04 +0530
Hello,

My repository (http://nal-ir.nal.res.in) was running on EPrints 3.0.X. Recently I had a server-side audit of my repository, as per a management decision, by a third party. The auditors have pointed out the following security risk vulnerabilities of the EPrints software:

1. Insufficient Transport Layer Protection: through which one could sniff the username and password or other sensitive data and easily
2. Stored Cross Site Scripting: the attack may lead to URL redirection, session hijacking and information disclosure
3. Cross Site Request Forgery: an attacker could leverage this attack to hijack the victim's account and perform malicious actions without the user's knowledge
4. Account Compromise using Password Reset: an attacker can modify the password of the legitimate user and can completely take control of the victim's account, which can result in a complete account compromise
5. Session Fixation: an attacker can fix the victim's session ID in the victim's browser and, when the victim logs in to his/her account, the attacker can impersonate the victim and directly access authenticated pages
6. Unvalidated Redirect: using unvalidated redirects, an attacker may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass
7. Malicious File Upload: this vulnerability can result in loss of sensitive information. It allows an attacker to upload malicious files to the server, which could lead to cross site scripting
8. Weak Password Policy Implementation: an attacker can guess weak passwords and compromise user accounts
9. Brute Force Attack on Login Page: an attacker can run a brute force attack against the User Login page. If such attacks are not handled properly by the application, this can even lead to Denial of Service (DoS) for the application
10. Clickjacking Vulnerability: a clickjacking attack, or UI redress attack, could potentially send unauthorized commands or reveal confidential information while the victim is interacting with seemingly harmless web pages
11. Cookie Attributes Missing: an attacker can use this information to obtain the cookie by cross site scripting (XSS), which could lead to session hijacking
12. Autocomplete and Remember Password Field Enabled: an attacker could log in to the application in a scenario where the attacker has physical access to the system of a valid user who has used the "Remember Password" feature. This insecurity presents a low risk to the business, as an attacker is able to log in to the application using valid credentials stolen from a victim user's browser

After this audit, I upgraded my repository to EPrints 3.3.15 on the latest Ubuntu version and configured HTTPS as per the audit recommendations. I want to know to what extent the upgraded version will solve the above audit observations and, if not, kindly help us to fix these issues.

With warm regards
Shivaram BS

--
Shivaram BS
ICAST, CSIR-NAL
Govt. of India (Autonomous)
HAL Airport Road
Kodihalli, Bangalore-560017
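Three of the findings above (1, 10 and 11) are visible directly in the HTTP response headers of the repository, so they can be re-checked after the upgrade without waiting for another audit. The following checker is an added example for this thread, not EPrints code and not part of the original message: it parses a raw HTTP response, looks for Strict-Transport-Security, X-Frame-Options or a CSP frame-ancestors directive, and the Secure/HttpOnly/SameSite attributes on every Set-Cookie, and returns which audit items are still open. The two sample responses and the cookie name `eprints_session` are constructed for the example; the six-month HSTS threshold is a chosen assumption, not an EPrints setting.

```python
"""Re-check audit items 1 (transport), 10 (clickjacking) and 11 (cookie
attributes) against a raw HTTP response.  Example code added for this
thread; not part of EPrints.  Sample responses below are constructed."""

from typing import Dict, List

# Assumption: treat an HSTS max-age shorter than ~6 months as too weak.
MIN_HSTS_MAX_AGE = 15552000

# Constructed sample: what a default HTTP-only setup might return.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Date: Thu, 04 Jan 2018 09:10:04 GMT
Server: Apache
Set-Cookie: eprints_session=c0ffee; Path=/
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: the same response after hardening the web server.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Set-Cookie: eprints_session=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=utf-8
"""


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response into name -> [values].
    Names are lower-cased; repeated headers (several Set-Cookie lines) are
    kept in order.  Parsing stops at the blank line before any body."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, 0 if absent."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def check_cookie(set_cookie: str) -> List[str]:
    """Return the security attributes missing from one Set-Cookie value."""
    present = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [attr for attr in ("Secure", "HttpOnly", "SameSite")
            if attr.lower() not in present]


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Map each still-open audit item to a list of human-readable reasons.
    An empty dict means items 1, 10 and 11 are all addressed."""
    h = parse_response_headers(raw)
    findings: Dict[str, List[str]] = {}

    # Item 1: HTTPS alone is not enough; HSTS stops downgrade to plain HTTP.
    hsts = h.get("strict-transport-security", [])
    if not hsts:
        findings.setdefault("transport", []).append("no Strict-Transport-Security header")
    elif hsts_max_age(hsts[0]) < MIN_HSTS_MAX_AGE:
        findings.setdefault("transport", []).append(f"HSTS max-age too short: {hsts[0]}")

    # Item 10: the page must refuse to be framed by other origins.
    xfo = h.get("x-frame-options", [])
    frame_ancestors = any("frame-ancestors" in v.lower()
                          for v in h.get("content-security-policy", []))
    if not xfo and not frame_ancestors:
        findings["clickjacking"] = ["neither X-Frame-Options nor CSP frame-ancestors is set"]

    # Item 11: every cookie needs Secure, HttpOnly and SameSite.
    for cookie in h.get("set-cookie", []):
        missing = check_cookie(cookie)
        if missing:
            name = cookie.split("=", 1)[0].strip()
            findings.setdefault("cookies", []).append(
                f"{name}: missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(sample) or "no open findings")
```

To run it against the live repository, paste the output of `curl -sI https://nal-ir.nal.res.in/` (or a captured login response, which is where the session cookie is set) in place of the constructed samples. The headers the hardened sample expects are normally added at the Apache layer with mod_headers rather than inside EPrints, so they are independent of the 3.3.15 upgrade itself.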