EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #07062


< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] Need help to fix security risk vulnerabilities of Eprints software


Hi Shivaram,

So this will address a number of the issues but based on your list I
cannot say definitively which ones as you may have bespoke features
that allow this vulnerability to continue to be present.

I can see you have HTTPS enabled, I would ensuring you are using Apache
configuration shown at [1] as this will ensure no weak SSL protocols or
ciphers are used.  On top of this to guarantee that the vast majority
of these vulnerabilities cannot be exploited in any way, I would
consider using site-wide HTTPS.  There are instructions for how to do
this at [2].

I would also avoid having account creation enabled if you can.  If you
can use institutional login such as Active Directory / LDAP [3] or
Shibboleth [4], this will save needing a feature which could be
exploited.  Equally, this would allow you to disable password reseting
as the passwords for these users would be managed elsewhere.

Some of the other issue will require changes outside the scope of
EPrints itself.  To prevent brute force attacks you may want to try
using something like Fail2Ban [5].  With the autocomplete and remember
password issue.  This first can turned off by setting
autocomplete="off".  There is a phrase you can edit
(cgi/login:page_layout) to set this.  Disabling remember password seems
a little more tricky.  It should be possible to do something with
Javascript to essentially fool the browser into not asking you whether
you want to remember the password.  However, if the user wants to do
this really it is on them to make this (potentially bad) choice.

Regards

David Newman


[1] https://wiki.eprints.org/w/How_to_use_EPrints_with_HTTPS
[2] https://wiki.eprints.org/w/HTTPS-only_and_HSTS
[3] https://wiki.eprints.org/w/LDAP
[4] https://wiki.eprints.org/w/Shibboleth
[5] https://www.fail2ban.org/wiki/index.php/Main_Page

On Thu, 2018-01-04 at 14:40 +0530, Shivaram Gowda wrote:
> Hello
> 
> My repository (http://nal-ir.nal.res.in)was running on Eprints
> 3.0.X,
> recently I had server side audit for my repository as per management
> decision by third party. Auditors have pointed out following security
> risk vulnerabilities of Eprints software
> 
> 1.     Insufficient Transport Layer Protection: through which could
> sniff the username and password or other sensitive data and easily
> 
> 2.     Stored Cross Site Scripting: attack may lead to URL
> redirection, session hijacking and information disclosures
> 
> 3.     Cross Site Request Forgery: attacker could leverage this
> attack
> to hijack the victims account and perform malicious actions without
> users knowledge
> 
> 4.     Account Compromise using Password Reset : attacker can modify
> the password of the legitimate user and can completely take control
> of
> the victim account which can result in a complete account compromise
> 
> 5.     Session Fixation: Attacker can fix victims session ID in
> victim's browser and when victim logs in his/her account, attacker
> can
> impersonate victim and can directly access authenticated pages
> 
> 6.     Unvalidated Redirect: Using Unvalidated redirects, Attacker
> may
> attempt to install malware or trick victims into disclosing passwords
> or other sensitive information. Unsafe forwards may allowances
> control
> bypass
> 
> 7.     Malicious File Upload: This vulnerability can result in Loss
> of
> Sensitive information. It allows an attacker toupload malicious files
> into the server which could lead to cross site scripting
> 
> 8.     Weak Password Policy Implementation: attacker can guess the
> weak passwords and can compromise user accounts \
> 
> 9.     Brute Force Attack in Login Page: An attacker can run brute
> force attack against the User Login page. If such attacks are not
> handled properly by the application, this can even lead to Denial of
> Service (DoS) for the application
> 
> 10.  Click jacking Vulnerability: Click jacking attack or UI redress
> attack could potentially send unauthorized commands or reveal
> confidential information while the victim is interacting with
> seemingly harmless web pages.
> 
> 11.  Cookie Attributes Missing : An attacker can use this information
> to get cookie by cross site scripting (XSS) which could lead to
> session hijacking
> 
> 12.  Autocomplete and Remember Password Field Enabled : An attacker
> could login to the application under a scenario where the attacker
> has
> physical access to the system of a valid user who has used the
> “Remember Password” feature. This insecurity presents a low risk to
> the business, as an attacker is able to log into the application
> using
> valid credentials stolen from a victim user’s browser
> 
> After this audit, I upgraded my repository to Eprints 3.3.15 on
> Ubuntu
> latest version, configured HTTPS as per audit recommendations. I want
> to know to what extent the upgraded version will solve above audit
> observation and if not, kindly help us to fix these issues.
> 
> 
> 
> With warm regards
> 
> Shivaram BS
> 
>