EPrints Technical Mailing List Archive
Message: #07062
Re: [EP-tech] Need help to fix security risk vulnerabilities of Eprints software
- To: eprints-tech@ecs.soton.ac.uk
- Subject: Re: [EP-tech] Need help to fix security risk vulnerabilities of Eprints software
- From: David R Newman <drn@ecs.soton.ac.uk>
- Date: Thu, 04 Jan 2018 10:18:34 +0000
Hi Shivaram,

So this will address a number of the issues, but based on your list I cannot say definitively which ones, as you may have bespoke features that allow this vulnerability to continue to be present. I can see you have HTTPS enabled; I would ensure you are using the Apache configuration shown at [1], as this will ensure no weak SSL protocols or ciphers are used. On top of this, to guarantee that the vast majority of these vulnerabilities cannot be exploited in any way, I would consider using site-wide HTTPS. There are instructions for how to do this at [2].

I would also avoid having account creation enabled if you can. If you can use institutional login such as Active Directory / LDAP [3] or Shibboleth [4], this will save needing a feature which could be exploited. Equally, this would allow you to disable password resetting, as the passwords for these users would be managed elsewhere.

Some of the other issues will require changes outside the scope of EPrints itself. To prevent brute force attacks you may want to try using something like Fail2Ban [5].

With the autocomplete and remember password issue: the first can be turned off by setting autocomplete="off". There is a phrase you can edit (cgi/login:page_layout) to set this. Disabling remember password seems a little more tricky. It should be possible to do something with Javascript to essentially fool the browser into not asking you whether you want to remember the password. However, if the user wants to do this, really it is on them to make this (potentially bad) choice.

Regards

David Newman

[1] https://wiki.eprints.org/w/How_to_use_EPrints_with_HTTPS
[2] https://wiki.eprints.org/w/HTTPS-only_and_HSTS
[3] https://wiki.eprints.org/w/LDAP
[4] https://wiki.eprints.org/w/Shibboleth
[5] https://www.fail2ban.org/wiki/index.php/Main_Page

On Thu, 2018-01-04 at 14:40 +0530, Shivaram Gowda wrote:
> Hello
>
> My repository (http://nal-ir.nal.res.in) was running on Eprints 3.0.X;
> recently I had a server side audit for my repository as per management
> decision by a third party. Auditors have pointed out the following security
> risk vulnerabilities of Eprints software:
>
> 1. Insufficient Transport Layer Protection: through which could sniff the
> username and password or other sensitive data and easily
>
> 2. Stored Cross Site Scripting: attack may lead to URL redirection, session
> hijacking and information disclosures
>
> 3. Cross Site Request Forgery: attacker could leverage this attack to
> hijack the victim's account and perform malicious actions without the
> user's knowledge
>
> 4. Account Compromise using Password Reset: attacker can modify the
> password of the legitimate user and can completely take control of the
> victim account, which can result in a complete account compromise
>
> 5. Session Fixation: Attacker can fix the victim's session ID in the
> victim's browser and when the victim logs in to his/her account, the
> attacker can impersonate the victim and can directly access authenticated
> pages
>
> 6. Unvalidated Redirect: Using unvalidated redirects, an attacker may
> attempt to install malware or trick victims into disclosing passwords or
> other sensitive information. Unsafe forwards may allow access control
> bypass
>
> 7. Malicious File Upload: This vulnerability can result in loss of
> sensitive information. It allows an attacker to upload malicious files
> into the server which could lead to cross site scripting
>
> 8. Weak Password Policy Implementation: attacker can guess the weak
> passwords and can compromise user accounts
>
> 9. Brute Force Attack in Login Page: An attacker can run a brute force
> attack against the User Login page. If such attacks are not handled
> properly by the application, this can even lead to Denial of Service (DoS)
> for the application
>
> 10. Click jacking Vulnerability: Click jacking attack or UI redress attack
> could potentially send unauthorized commands or reveal confidential
> information while the victim is interacting with seemingly harmless web
> pages.
>
> 11. Cookie Attributes Missing: An attacker can use this information to get
> the cookie by cross site scripting (XSS) which could lead to session
> hijacking
>
> 12. Autocomplete and Remember Password Field Enabled: An attacker could
> log in to the application under a scenario where the attacker has physical
> access to the system of a valid user who has used the “Remember Password”
> feature. This insecurity presents a low risk to the business, as an
> attacker is able to log into the application using valid credentials
> stolen from a victim user’s browser
>
> After this audit, I upgraded my repository to Eprints 3.3.15 on the latest
> Ubuntu version and configured HTTPS as per the audit recommendations. I
> want to know to what extent the upgraded version will solve the above audit
> observations and, if not, kindly help us to fix these issues.
>
> With warm regards
>
> Shivaram BS
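David's suggestion for audit item 9 is Fail2Ban [5], which bans a client once it has produced `maxretry` matching log lines within `findtime` seconds. The following is an added example, not EPrints or Fail2Ban code, that runs that same sliding-window logic over a few constructed Apache combined-format access-log lines so the threshold behaviour can be seen before a real filter is written. It assumes the EPrints 3 login script is at `/cgi/users/login` and that a failed login is a POST to that path answered with a non-redirect status (the form is re-rendered), while a successful login redirects; both are assumptions of this example and should be confirmed against your own access log before being turned into a Fail2Ban `failregex`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format.  The login path is an assumption of this
# example (EPrints 3 default), not taken from any real log on the page.
LOGIN_PATH = "/cgi/users/login"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # ignore any query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """ASSUMPTION: a failed login is a POST to the login script answered with
    anything other than a 3xx redirect (the form is re-rendered); a successful
    login redirects to the target page.  Verify this against your own log."""
    return (rec["method"] == "POST"
            and rec["path"] == LOGIN_PATH
            and not 300 <= rec["status"] < 400)


def find_offenders(lines, maxretry=5, findtime=600):
    """Fail2Ban-style sliding window: an IP is reported once it has made
    `maxretry` failed logins inside any `findtime`-second window.
    Returns {ip: timestamp of the attempt that tripped the threshold}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failed attempts still in window
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in banned or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # evict attempts older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[rec["ip"]] = rec["ts"]
    return banned


def _line(ip, hms, method, path, status):
    """Build one constructed combined-format line (sample data, not a real log)."""
    return (f'{ip} - - [04/Jan/2018:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 4096 "-" "Mozilla/5.0"')


# Constructed sample log: a fast attacker, a legitimate user who mistypes
# twice and then succeeds, and a slow attacker spacing attempts so that a
# 600-second findtime never accumulates five of them.
SAMPLE_LOG = [
    _line("203.0.113.7", "10:00:01", "POST", LOGIN_PATH, 200),
    _line("203.0.113.7", "10:00:05", "POST", LOGIN_PATH, 200),
    _line("203.0.113.7", "10:00:10", "POST", LOGIN_PATH, 200),
    _line("203.0.113.7", "10:00:15", "POST", LOGIN_PATH, 200),
    _line("203.0.113.7", "10:00:20", "POST", LOGIN_PATH, 200),
    _line("203.0.113.7", "10:00:25", "POST", LOGIN_PATH, 200),
    _line("198.51.100.20", "10:01:00", "GET", LOGIN_PATH, 200),
    _line("198.51.100.20", "10:01:05", "POST", LOGIN_PATH, 200),
    _line("198.51.100.20", "10:01:20", "POST", LOGIN_PATH, 200),
    _line("198.51.100.20", "10:01:40", "POST", LOGIN_PATH, 302),
    _line("192.0.2.9", "10:10:00", "POST", LOGIN_PATH, 200),
    _line("192.0.2.9", "10:15:00", "POST", LOGIN_PATH, 200),
    _line("192.0.2.9", "10:20:00", "POST", LOGIN_PATH, 200),
    _line("192.0.2.9", "10:25:00", "POST", LOGIN_PATH, 200),
    _line("192.0.2.9", "10:30:00", "POST", LOGIN_PATH, 200),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: threshold reached at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is reported; the slow attacker at 192.0.2.9 only shows up if `findtime` is widened or `maxretry` lowered, which is the trade-off a real jail tunes. Note that this counts attempts per source IP, so a distributed guess across many addresses is not caught; that is also Fail2Ban's limit, and it is why David pairs it with avoiding local accounts and password reset where institutional login is available.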
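Audit items 1, 10 and 11 (transport protection, clickjacking, cookie attributes) and David's pointer to HTTPS-only with HSTS [2] are all visible in the HTTP response headers, so they can be re-checked after the Apache changes. The following is an added example, not part of the thread or of EPrints, that audits a captured header block for a Strict-Transport-Security header with a sufficiently long max-age, Secure and HttpOnly on every Set-Cookie, and an anti-clickjacking header (X-Frame-Options or a CSP frame-ancestors directive). The two sample responses are constructed; the cookie name `eprints_session` and the six-month minimum HSTS age are assumptions of the example, not values taken from the page.

```python
import re

MIN_HSTS_AGE = 15768000   # six months; a policy choice for this example


def parse_headers(raw):
    """Split a raw response header block into (headers, set_cookie_values).
    Header names are lower-cased; the status line is skipped; Set-Cookie is
    kept as a list because it legitimately repeats."""
    headers, cookies = {}, []
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers.setdefault(name, value)
    return headers, cookies


def cookie_attrs(set_cookie):
    """Return (cookie_name, set of lower-cased attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    headers, cookies = parse_headers(raw)

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers will not "
                        "refuse plain HTTP for this host")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_AGE}s: {hsts}")

    for c in cookies:
        name, attrs = cookie_attrs(c)
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")

    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no anti-clickjacking header (X-Frame-Options or "
                        "Content-Security-Policy frame-ancestors)")
    return findings


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: eprints_session=abc123; path=/
Content-Type: text/html; charset=utf-8
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: eprints_session=abc123; path=/; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or "OK")
```

Feed it the header block from a real request once the [1]/[2] configuration is in place; an empty result covers the header-level part of items 1, 10 and 11 only, and says nothing about the XSS, CSRF or upload items, which need code-level review rather than a header check.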
- References:
- [EP-tech] Need help to fix security risk vulnerabilities of Eprints software
- From: Shivaram Gowda <shivaramgowda@gmail.com>