EPrints Technical Mailing List Archive

Message: #09855

RE: [EP-tech] Eprints - function-level access control (FLAC)


CAUTION: This e-mail originated outside the University of Southampton.

Hi,

Assuming these two URLs are sequential in their processing…

I’m guessing their automated crawl scripts came across a link for new deposit, which then ‘performed an action’ to check user permissions, which failed to find a logged-in user, and then prompted the login screen.

This processing action has then been flagged as ‘allows a low-privileged or unprivileged user to access restricted functionality’ since their script didn’t receive the appropriate error code they were expecting.

I would be checking logs to see if this is the case, or if they were two unrelated calls… Also check the referrer to find where the link came from, as in all EPrints systems I have worked with, the ‘deposit new item’ links etc. were only visible to auth’d users.

Cheers,

Matt.
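
One way to gather the log evidence Matt describes, as an added example that is not from the thread or from EPrints itself: it parses Apache combined-format access log lines, finds hits on the flagged deposit screen, and reports whether each was answered with a redirect followed by a login request from the same client (a protected function behaving as designed) or served outright, along with the referrer that shows where the link came from. The route /cgi/users/home carrying screen=NewDeposit, the host name and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs
# Apache "combined" format; the referrer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
DEPOSIT_PATH = "/cgi/users/home"   # assumption: where screen=NewDeposit is served
LOGIN_PATH = "/cgi/users/login"
def parse_line(line):
    """Return one parsed log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    u = urlparse(d["url"])
    d["route"], d["query"] = u.path, parse_qs(u.query)
    return d

def classify_deposit_hits(lines, window_s=5):
    """Per hit on the NewDeposit screen: 'protected' when the server redirected and the
    same client then fetched the login page (or got 401/403); 'served' on a 200 (fine
    for a client holding an EPrints session, a real finding otherwise); else 'inconclusive'."""
    events = [e for e in map(parse_line, lines) if e]
    out = []
    for i, e in enumerate(events):
        if e["route"] != DEPOSIT_PATH or e["query"].get("screen") != ["NewDeposit"]:
            continue
        login_next = any(
            f["ip"] == e["ip"] and f["route"] == LOGIN_PATH and "target" in f["query"]
            and 0 <= (f["ts"] - e["ts"]).total_seconds() <= window_s
            for f in events[i + 1:])
        if e["status"] in (401, 403) or (e["status"] in (301, 302, 303) and login_next):
            verdict = "protected"
        else:
            verdict = "served" if e["status"] == 200 else "inconclusive"
        out.append({"ip": e["ip"], "status": e["status"], "verdict": verdict,
                    "referer": e["referer"]})
    return out

# Constructed sample: a scanner is bounced to login; a second client gets a 200.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Oct/2024:06:15:01 +0100] "GET /cgi/users/home?screen=NewDeposit HTTP/1.1" 302 345 "http://datacat.example/cgi/users" "Scanner/1.0"',
    '203.0.113.7 - - [24/Oct/2024:06:15:02 +0100] "GET /cgi/users/login?target=http%3A%2F%2Fdatacat.example%2Fcgi%2Fusers HTTP/1.1" 200 4120 "-" "Scanner/1.0"',
    '198.51.100.9 - - [24/Oct/2024:06:20:00 +0100] "GET /cgi/users/home?screen=NewDeposit HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
```

A 'served' verdict only becomes a finding if that client held no EPrints session, which the access log alone cannot tell you; cross-check those rows against the session store or restrict the run to the scanner's IP.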

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of James Kerwin
Sent: Thursday, October 24, 2024 6:21 AM
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] Eprints - function-level access control (FLAC)

Hi,

I'm having an incredibly busy time and our IT department are creating new and interesting hurdles for me.

Hopefully someone can decipher what they mean, help me correct it if a problem or help me explain to them why it isn't a problem.

They sent the following:

The remote web application fails to apply function-level access control, which allows a low-privileged or unprivileged user to access restricted functionality in the application. Can you please take a look at the below list and apply changes so authorization can be checked for all privileged functions in the application?

The following URLs are unrestricted:

/cgi/users/homescreen=NewDeposit

/cgi/users/login?target=http%3A%2F%2Fdatacat.liverpool.ac.uk%2Fcgi%2Fusers

Unfortunately their technical knowledge begins and ends at reading the results of a security scan, so they're infrequently able to offer any useful actionable advice. So far as I'm aware, these are just the URLs used to create a new deposit and log in to EPrints. We used LDAP(s) login (as discussed recently).

Can anybody confirm if this is something I need to worry about? If so, what should I be looking at? If not, how do I persuade them it's nothing to worry about?

Thanks,

James
