OPAC is vulnerable to Cross-site scripting attacks.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | High | Unassigned | |
| 3.1 | Fix Released | High | Unassigned | |
| 3.2 | Fix Released | High | Unassigned | |
| 3.4 | Fix Released | High | Unassigned | |
Bug Description
We have received an email from the ABUSE team about a vulnerability in our OPAC.
I tried it on the PINES catalog with the same output.
https:/
Our EG version is 3.1.4
From: "UT Information Security Office" <email address hidden>
To: <email address hidden>
Subject: [cuni #8528] [ISOTicket:2181455] UT/ISO -- Verified Vulnerable Web Page [195.113.63.102 - CUNI.CZ]
Date: 01/04/2019 07:37:11
=======
The following alert is the product of the Dorkbot service
created by UT Austin: https:/
=======
The Information Security Office at the University of Texas at Austin
has found the following web page to be vulnerable to a high-risk application
attack:
HOST: 195.113.63.102 [mojzis.
DATE: 2019-03-31 22:17:09 CST/CDT
GET:
https:/
<https:/
ATTACK DETAILS:
This page is vulnerable to Cross-site scripting attacks.
Cross-site scripting attacks, in general, are an issue because
they are enabling attacks. Specially-crafted malicious URLs can
steal authentication tokens/cookies when a logged-in user visits them,
giving the attacker full access to that user's account in the application.
Reflected XSS attacks, in particular, are a concern as they can be used to
socially engineer a user into clicking on what appears to be a
legitimate URL.
** Please note that the Dorkbot service will re-check this page in the next
30 days to help verify remediation for you. **
Please also consider the following:
- Web application security testing should be performed regularly,
especially for any public web applications. This includes
tracking application inventory, general code review and vulnerability
assessments using web application security testing tools.
- All input received by the web server should be checked before
it is processed. The best method is to remove all unwanted input and
accept only expected input. For example, ensure angle brackets are
not allowed in any input to any Web page fields. Additionally, no
syntactic input should be allowed. Syntactic input can come from
databases, other servers, etc. All input into a Web application must
be filtered to ensure the delivery of clean content to individuals using
your service.
- Other References:
OWASP Guide to Building Secure Web Applications and Web Services
https:/
UT-Austin: Minimum Security Standards for Application Development and
Administration
https:/
Please let us know if you believe any of this information to be inaccurate
so that we can be of better service in the future.
We hope this information is helpful.
Information Security Office
The University of Texas at Austin
<email address hidden> | 512.475.9242
http://
=======
https:/
https:/
=======
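The remediation advice in the email above centres on input filtering, but the reliable fix for a reflected value like an OPAC search term is to encode it for the context it lands in. The following is an added example, not code from this bug report or from Evergreen; it uses a hypothetical results-page fragment with three reflection points (HTML text, a quoted attribute, and a URL query string) and a constructed sample term, and puts the unsafe rendering beside the encoded one so a regression test can tell them apart.

```python
"""Contextual output encoding for a reflected search term (added example)."""
import html
from urllib.parse import urlencode

# Constructed sample input: a search term containing HTML metacharacters.
SAMPLE_TERM = 'history <b>"of"</b> & time'


def render_results_unsafe(term: str) -> str:
    """Reflects the term verbatim into three contexts.

    This is the pattern that produces a reflected XSS: whatever the user
    typed becomes part of the markup without any encoding.
    """
    return (
        f"<h2>Results for {term}</h2>"
        f'<input name="query" value="{term}">'
        f'<a href="/opac/results?query={term}&page=2">Next</a>'
    )


def render_results_safe(term: str) -> str:
    """Encodes the term separately for each context it is reflected into."""
    # HTML text node: & < > must be entities; quotes are harmless here.
    text = html.escape(term, quote=False)
    # Quoted attribute value: additionally encode " and '.
    attr = html.escape(term, quote=True)
    # URL query string: percent-encode the value, then HTML-escape the
    # whole URL because it sits inside an href attribute.
    link = "/opac/results?" + urlencode({"query": term, "page": 2})
    return (
        f"<h2>Results for {text}</h2>"
        f'<input name="query" value="{attr}">'
        f'<a href="{html.escape(link, quote=True)}">Next</a>'
    )


def raw_tag_count(rendered: str) -> int:
    """Number of literal '<' characters in the markup.

    The template itself contributes exactly five ('<h2>', '</h2>', '<input',
    '<a', '</a>'); any more means user input reached the page as raw markup.
    A test can pin this to 5 for the safe renderer.
    """
    return rendered.count("<")


if __name__ == "__main__":
    for name, render in (("unsafe", render_results_unsafe),
                         ("safe", render_results_safe)):
        out = render(SAMPLE_TERM)
        print(f"{name}: {raw_tag_count(out)} '<' characters")
        print(out)
```

Rejecting angle brackets at the input layer, as the email suggests, is a useful secondary control but on its own it misses the attribute and URL contexts (a bare `"` or `&` is enough to break out of those), which is why the encoding is done per context at output time.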
Changed in evergreen:
milestone: none → 3.3.2

Changed in evergreen:
milestone: 3.3.2 → 3.3.3

Changed in evergreen:
milestone: 3.3.3 → 3.3.4

Changed in evergreen:
status: Confirmed → Fix Committed
information type: Private Security → Public Security

Changed in evergreen:
status: Fix Committed → Fix Released
Confirmed on 3.1.7, and it looks like the user input is not sanitized in master. Fix forthcoming.