EPrints Technical Mailing List Archive


Message: #09852



[EP-tech] Eprints - function-level access control (FLAC)


Hi,

I'm having an incredibly busy time and our IT department are creating new and interesting hurdles for me.

Hopefully someone can decipher what they mean, help me correct it if it's a problem, or help me explain to them why it isn't a problem.

They sent the following:

The remote web application fails to apply function-level access control, which allows a low-privileged or unprivileged user to access restricted functionality in the application. Can you please take a look at the below list and apply changes so Authorization can be checked for all privileged functions in the application?

The following URLs are unrestricted:

/cgi/users/homescreen=NewDeposit

/cgi/users/login?target=http%3A%2F%2Fdatacat.liverpool.ac.uk%2Fcgi%2Fusers

Unfortunately their technical knowledge begins and ends at reading the results of a security scan, so they're infrequently able to offer any useful actionable advice. So far as I'm aware, these are just the URLs used to create a new deposit and log in to EPrints. We use LDAP(S) login (as discussed recently).

Can anybody confirm if this is something I need to worry about? If so, what should I be looking at? If not, how do I persuade them it's nothing to worry about?

Thanks,
James