EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #07752


< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

[EP-tech] CSRF Vulnerability in EPrints


Hi

 

                We’ve had a report from an independent security researcher (Jisc’s policy encourages reporting of issues) that EPrints suffers from a CSRF vulnerability.  The fix for this would be to add tokens to forms so that EPrints can validate that a submitted form was one that it generated.

 

                This is obviously a fairly complex problem to solve, with changes to multiple parts of EPrints, probably requiring a new field type, as well as the storing of tokens somewhere (perhaps a new dataset).  Has anyone taken a look at this?

 

Thanks

 

--

Adam