EPrints Technical Mailing List Archive


Message: #07058



[EP-tech] Need help to fix security risk vulnerabilities of Eprints software


Hello

My repository (http://nal-ir.nal.res.in) was running on Eprints 3.0.X.
Recently, as per a management decision, I had a server-side audit of my
repository done by a third party. The auditors have pointed out the
following security risk vulnerabilities of the Eprints software:

1.     Insufficient Transport Layer Protection: through which an attacker
could sniff the username and password or other sensitive data and easily

2.     Stored Cross Site Scripting: attack may lead to URL
redirection, session hijacking and information disclosures

3.     Cross Site Request Forgery: an attacker could leverage this attack
to hijack the victim's account and perform malicious actions without the
user's knowledge

4.     Account Compromise using Password Reset: an attacker can modify
the password of the legitimate user and can completely take control of
the victim's account, which can result in a complete account compromise

5.     Session Fixation: an attacker can fix the victim's session ID in the
victim's browser, and when the victim logs in to his/her account, the
attacker can impersonate the victim and directly access authenticated pages

6.     Unvalidated Redirect: using unvalidated redirects, an attacker may
attempt to install malware or trick victims into disclosing passwords
or other sensitive information. Unsafe forwards may allow access control
bypass

7.     Malicious File Upload: this vulnerability can result in loss of
sensitive information. It allows an attacker to upload malicious files
to the server, which could lead to cross site scripting

8.     Weak Password Policy Implementation: an attacker can guess
weak passwords and compromise user accounts

9.     Brute Force Attack on Login Page: an attacker can run a brute
force attack against the User Login page. If such attacks are not
handled properly by the application, this can even lead to Denial of
Service (DoS) for the application

10.  Clickjacking Vulnerability: a clickjacking (UI redress) attack
could potentially send unauthorized commands or reveal confidential
information while the victim is interacting with seemingly harmless
web pages.

11.  Cookie Attributes Missing: an attacker can use this to obtain the
cookie via cross site scripting (XSS), which could lead to session
hijacking

12.  Autocomplete and Remember Password Field Enabled: an attacker
could log in to the application in a scenario where the attacker has
physical access to the system of a valid user who has used the
"Remember Password" feature. This insecurity presents a low risk to
the business, as an attacker is able to log in to the application using
valid credentials stolen from a victim user's browser

After this audit, I upgraded my repository to Eprints 3.3.15 on the latest
version of Ubuntu and configured HTTPS as per the audit recommendations. I
want to know to what extent the upgraded version will resolve the above
audit observations, and if it does not, kindly help us to fix these issues.



With warm regards

Shivaram BS


-- 
Shivaram BS
ICAST, CSIR-NAL
Govt. of India (Autonomous)
HAL Airport Road
Kodihalli, Bangalore-560017
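Several of the findings above (items 1, 10, 11 and 12) are verifiable from a single HTTP response, so they are the natural first re-test after the upgrade and the HTTPS change. The script below is an added example, not code from the post or from the EPrints project: it parses a captured HTTP response and reports missing Strict-Transport-Security, missing clickjacking protection (X-Frame-Options or a CSP frame-ancestors directive), Set-Cookie headers lacking Secure/HttpOnly/SameSite, and password inputs without autocomplete="off". The two sample responses, the cookie name eprints_session and the form field names are constructed for the example and are assumptions, not captures from the repository named above.

```python
"""Check one captured HTTP response for the header-level findings in the audit.

Added example, not EPrints code. Feed it the raw response text you get from
`curl -si https://your-repository/cgi/users/login` (or an equivalent capture).
"""
import re

REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_attrs(set_cookie_value: str):
    """Return (cookie name, list of required attributes that are missing)."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in present]
    return name, missing


def audit(raw: str):
    """Return a list of finding strings, empty when the response looks clean."""
    _, headers, body = parse_response(raw)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)
    findings = []

    # Item 1: HSTS tells returning browsers never to use plain HTTP again.
    if "strict-transport-security" not in by_name:
        findings.append("Insufficient Transport Layer Protection: "
                        "no Strict-Transport-Security header")

    # Item 10: either header stops the page being framed by another origin.
    csp = " ".join(by_name.get("content-security-policy", []))
    if "x-frame-options" not in by_name and "frame-ancestors" not in csp:
        findings.append("Clickjacking: no X-Frame-Options or "
                        "Content-Security-Policy frame-ancestors")

    # Item 11: every cookie set by the response is checked individually.
    for value in by_name.get("set-cookie", []):
        name, missing = cookie_attrs(value)
        if missing:
            findings.append(f"Cookie Attributes Missing: {name} lacks "
                            + ", ".join(missing))

    # Item 12: password inputs in the body without autocomplete="off".
    for tag in re.findall(r'<input[^>]*type="password"[^>]*>', body, re.I):
        if 'autocomplete="off"' not in tag.lower():
            findings.append("Autocomplete enabled on password field: " + tag)
    return findings


# Constructed sample responses (assumed cookie and field names, not captures).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: eprints_session=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form><input type="password" name="login_password"></form>'
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "Set-Cookie: eprints_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form><input type="password" name="login_password" autocomplete="off"></form>'
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit(raw) or ["no findings"]:
            print("  -", finding)
```

Two caveats when using a check like this: it only sees what the server sent, so it cannot tell whether HTTPS is enforced by redirect on port 80 (test that separately with a plain-HTTP request), and modern browsers deliberately ignore autocomplete="off" on password fields for their built-in password managers, so item 12 is better treated as the low-risk note the auditors themselves gave it than as something the application can fully control.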