EPrints Technical Mailing List Archive

Message: #07753

Re: [EP-tech] CSRF Vulnerability in EPrints

To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>, Adam Field <adam@adamfield.net>
Subject: Re: [EP-tech] CSRF Vulnerability in EPrints
From: Christopher Gutteridge <totl@soton.ac.uk>
Date: Thu, 28 Mar 2019 10:58:48 +0000

It's not appropriate to discuss software vulnerabilities on a publicly archived thread. If a bug does exist, then it should be raised quietly so that people get told about it at the same time as an upgrade or patch to fix it.

On 28/03/2019 09:55, Adam Field via Eprints-tech wrote:

Hi

We’ve had a report from an independent security researcher (Jisc’s policy encourages reporting of issues) that EPrints suffers from a CSRF vulnerability. The fix for this would be to add tokens to forms so that EPrints can validate that a submitted form was one that it generated.

This is obviously a fairly complex problem to solve, with changes to multiple parts of EPrints, probably requiring a new field type, as well as the storing of tokens somewhere (perhaps a new dataset). Has anyone taken a look at this?

Thanks

--

Adam
*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/

-- 
Christopher Gutteridge <totl@soton.ac.uk> 
You should read our team blog at http://blog.soton.ac.uk/webteam/

Follow-Ups:
- Re: [EP-tech] CSRF Vulnerability in EPrints
  - From: Christopher Gutteridge <totl@soton.ac.uk>

References:
- [EP-tech] CSRF Vulnerability in EPrints
  - From: Adam Field <adam@adamfield.net>
- Re: [EP-tech] CSRF Vulnerability in EPrints
  - From: Christopher Gutteridge <totl@soton.ac.uk>

Prev by Date: [EP-tech] CSRF Vulnerability in EPrints
Next by Date: [EP-tech] calculated phrase ref
Previous by thread: [EP-tech] Sort view with creators_name and corp_creators
Index(es):
- Date
- Thread