EPrints Technical Mailing List Archive
Message: #07752
[EP-tech] CSRF Vulnerability in EPrints
- To: <eprints-tech@ecs.soton.ac.uk>
- Subject: [EP-tech] CSRF Vulnerability in EPrints
- From: Adam Field <adam@adamfield.net>
- Date: Thu, 28 Mar 2019 09:55:55 +0000
 
Hi

We’ve had a report from an independent security researcher (Jisc’s policy encourages reporting of issues) that EPrints suffers from a CSRF vulnerability. The fix for this would be to add tokens to forms so that EPrints can validate that a submitted form was one that it generated.

This is obviously a fairly complex problem to solve, with changes to multiple parts of EPrints, probably requiring a new field type, as well as the storing of tokens somewhere (perhaps a new dataset). Has anyone taken a look at this?

Thanks

--
Adam
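The token-based fix described in the message above, as an added worked example; this is not EPrints code and not part of the original thread. It shows the two shapes such a fix can take: a synchronizer token that is stored server-side per session (the "tokens stored somewhere" approach, with an in-memory dict standing in for the new dataset), and a stateless HMAC token that needs no store at all. The hidden-field name `csrf_token`, the TTL, the store and the secret key are all assumptions made for the example.

```python
"""Synchronizer-token CSRF protection in miniature.

Constructed example for illustration; this is not EPrints code, and the
field name, store, TTL and key below are assumptions, not anything the
project defines. An in-memory dict plays the role of the per-session
token store (the "new dataset" the message speculates about)."""
import hmac
import html
import secrets
import time
from typing import Dict, Optional

FIELD = "csrf_token"   # assumed hidden-field name
TOKEN_TTL = 3600       # seconds a token stays valid (assumed)

# session_id -> {token: expiry}; stand-in for a real server-side store
_store: Dict[str, Dict[str, float]] = {}


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a random token, remember it against this session, return it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _store.setdefault(session_id, {})[token] = now + TOKEN_TTL
    return token


def render_form(session_id: str, action: str) -> str:
    """Emit a form carrying a fresh token in a hidden field."""
    token = issue_token(session_id)
    return (f'<form method="post" action="{html.escape(action)}">'
            f'<input type="hidden" name="{FIELD}" value="{html.escape(token)}">'
            '<input type="submit"></form>')


def validate_submission(session_id: str, form: Dict[str, str],
                        now: Optional[float] = None) -> bool:
    """True only if the form carries a live token issued to *this* session.

    A cross-site attacker can make the victim's browser POST to the site
    (cookies are attached automatically) but cannot read the victim's
    pages, so it cannot learn a token bound to the victim's session. The
    token is consumed on success, so a captured submission cannot be
    replayed."""
    now = time.time() if now is None else now
    submitted = form.get(FIELD, "").encode()
    tokens = _store.get(session_id, {})
    match = None
    for tok, expiry in list(tokens.items()):
        if expiry < now:
            del tokens[tok]                   # lazy expiry
            continue
        # constant-time compare; no early exit, so timing does not reveal
        # how far down the list the match sits
        if hmac.compare_digest(tok.encode(), submitted):
            match = tok
    if match is None:
        return False
    del tokens[match]
    return True


# Stateless alternative: no token store at all. The token is an HMAC over
# (session id, expiry) under a server-side key, so the server checks it by
# recomputation. This avoids the new dataset, at the cost of tokens being
# reusable until they expire and validity resting on the key's secrecy.
SECRET = secrets.token_bytes(32)   # assumed per-deployment key; from config in reality


def stateless_token(session_id: str, now: Optional[int] = None) -> str:
    now = int(time.time() if now is None else now)
    expiry = now + TOKEN_TTL
    mac = hmac.new(SECRET, f"{session_id}|{expiry}".encode(), "sha256").hexdigest()
    return f"{expiry}.{mac}"


def validate_stateless(session_id: str, token: str,
                       now: Optional[int] = None) -> bool:
    now = int(time.time() if now is None else now)
    try:
        expiry_s, mac = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:            # malformed token
        return False
    if expiry < now:
        return False
    expected = hmac.new(SECRET, f"{session_id}|{expiry}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


if __name__ == "__main__":
    sess = "victim-session"
    good = issue_token(sess)
    forged = {"title": "attacker's edit"}            # cross-site POST carries no token
    print("forged POST accepted?", validate_submission(sess, forged))
    print("genuine POST accepted?", validate_submission(sess, {FIELD: good}))
    print("replayed POST accepted?", validate_submission(sess, {FIELD: good}))
```

Two points matter in either variant: the token must be bound to the submitting user's session, otherwise an attacker can mint one in their own session and embed it in the forged form; and the check has to run in every handler that changes state, since a single unprotected action is enough. The stateless form removes the storage question raised in the message, but its tokens are valid until expiry rather than single-use, so pick the trade-off deliberately.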
- Follow-Ups:
  - [EP-tech] CSRF Vulnerability in EPrints
    - From: Adam Field <adam@adamfield.net>
  - [EP-tech] CSRF Vulnerability in EPrints
- References:
  - [EP-tech] CSRF Vulnerability in EPrints
    - From: Adam Field <adam@adamfield.net>
  - [EP-tech] CSRF Vulnerability in EPrints