uclibs / ucrate

Scholar@UC: University of Cincinnati's self-submission institutional repository
https://scholar.uc.edu

Fix /capabilitylist security vulnerability #920

Closed scherztc closed 2 years ago

scherztc commented 3 years ago

Session Fixation (Medium)

Site: https://scholar-qa.uc.edu:443
URL: https://scholar-qa.uc.edu/capabilitylist
Root Cause 46: (1 Attack Variance) (Medium)

Attack Type: Server accepts fixed Session ID in a cookie
Original Value: `SG9GZWJSdndDTXlpMzNjd3haSi9QMWRVMTd1UnJVa3lyMmZGZFNOUGgvdGQyRGFaYXA0MGRCWjg3VGZJRnRUdGFCYkdlVmJOQXR4bFZTZGVtRTBoT1N5UmMwclRmb3d3dUxrYjM1NDJtMTdZVHhCamlHMmQ3eExmUElQQUJwSUxIRVYrQkJ1Sm5VM3YyWHgybUUvTDlnTXpoN01qQXNseG1xK3VseG82MnI5ZWZqSHNWd2p5VVNocTNsZHBxTW8`
Attack Value: `__utma=;__utmb=;__utmc=;__utmt=;__utmz=;_scholar_uc_session=x7w4hkct;hydraq=;login_type=;timezone=`
Error Description: Server failed to issue new session cookie.

This was reported by AppSpider software used by infosec.
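The check below is an added example, not code from this issue, from Scholar@UC or from Hyrax. It re-implements what the scanner reported: given the Cookie header a client sent and the Set-Cookie headers the server replied with, it flags session fixation when the server issues no new `_scholar_uc_session` cookie or echoes back the client-chosen value. The sample headers are constructed, modelled on the scan output above.

```ruby
# Added example (not from the issue, Scholar@UC or Hyrax): reproduces the
# scanner's session-fixation check against a request/response pair.

SESSION_COOKIE = "_scholar_uc_session" # cookie name taken from the scan output

# Parse "name=value; name2=value2" into a Hash of name => value.
def parse_cookie_header(header)
  header.split(";").each_with_object({}) do |pair, h|
    name, value = pair.strip.split("=", 2)
    h[name] = value.to_s unless name.nil? || name.empty?
  end
end

# Value of the named cookie across an array of Set-Cookie headers, or nil if
# the server did not set it (the first name=value pair is the cookie itself,
# the remaining pairs are attributes such as path or HttpOnly).
def set_cookie_value(set_cookie_headers, name)
  set_cookie_headers.each do |sc|
    attrs = parse_cookie_header(sc)
    return attrs[name] if attrs.key?(name)
  end
  nil
end

# :fixation   - server kept the client-chosen session value (the scan finding)
# :rotated    - server issued a different session cookie value
# :no_session - client sent no session cookie, so there is nothing to fixate
def session_fixation_verdict(request_cookie_header, set_cookie_headers, name: SESSION_COOKIE)
  sent = parse_cookie_header(request_cookie_header)[name]
  return :no_session if sent.nil?
  issued = set_cookie_value(set_cookie_headers, name)
  (issued.nil? || issued == sent) ? :fixation : :rotated
end

# Constructed sample exchange: attacker-chosen session value "x7w4hkct" as in the scan.
ATTACK_COOKIE = "__utma=;__utmb=;__utmc=;__utmt=;__utmz=;#{SESSION_COOKIE}=x7w4hkct;hydraq=;login_type=;timezone="
VULNERABLE_REPLY = []  # constructed: server answered without any Set-Cookie header
HARDENED_REPLY   = ["#{SESSION_COOKIE}=9f2c1d0e7a; path=/; HttpOnly; SameSite=Lax"]  # constructed new value

if __FILE__ == $0
  puts session_fixation_verdict(ATTACK_COOKIE, VULNERABLE_REPLY) # fixation
  puts session_fixation_verdict(ATTACK_COOKIE, HARDENED_REPLY)   # rotated
end
```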

scherztc commented 3 years ago

Possible solutions include removing the ResourceSync route https://scholar-qa.uc.edu/capabilitylist from our application.

scherztc commented 3 years ago

https://github.com/samvera/hyrax/blame/f838c35d7d38cbebb4a11cb1cdc895adfd6fb79f/config/routes.rb#L17

scherztc commented 3 years ago

Scholar Security Scan 2021.04.09.pdf

scherztc commented 3 years ago

https://scholar-dev.uc.edu/resourcelist https://scholar-dev.uc.edu/changelist

scherztc commented 3 years ago

https://stackoverflow.com/questions/19524728/protect-from-forgery-with-exception-where https://blog.nvisium.com/understanding-protectfromforgery