[EP-tech] CSRF Vulnerability in EPrints



We've had a report from an independent security researcher (Jisc's policy encourages reporting of issues) that EPrints suffers from a CSRF vulnerability. The fix for this would be to add tokens to forms so that EPrints can validate that a submitted form was one that it generated.


This is obviously a fairly complex problem to solve, with changes to multiple parts of EPrints, probably requiring a new field type, as well as the storing of tokens somewhere (perhaps a new dataset). Has anyone taken a look at this?
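
The token scheme described above, as an added example that is not part of the original post and not EPrints code: a token is bound to the user's session when a form is generated and checked when the form is submitted. The class name, the `csrf_token` field name, the one-hour lifetime and the in-memory store (standing in for the suggested dataset) are all assumptions.

```python
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a generated form stays valid (assumed value)


class CsrfTokenStore:
    """In-memory stand-in for the token storage the post suggests (e.g. a dataset)."""

    def __init__(self, clock=time.time):
        self._tokens = {}  # session_id -> {token: expiry timestamp}
        self._clock = clock

    def issue(self, session_id):
        """Create a token bound to this session when a form is generated."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[token] = self._clock() + TOKEN_TTL
        return token

    def hidden_field(self, session_id):
        """Markup to embed in the generated form (field name is hypothetical)."""
        return '<input type="hidden" name="csrf_token" value="%s">' % self.issue(session_id)

    def validate(self, session_id, submitted):
        """True only for an unexpired token issued to this session; single use."""
        if not submitted:
            return False  # a forged cross-site request carries no token
        pending = self._tokens.get(session_id, {})
        match = None
        for token, expiry in pending.items():
            # compare_digest avoids leaking the match position through timing
            if hmac.compare_digest(token.encode(), submitted.encode()):
                match = (token, expiry)
        if match is None:
            return False  # unknown token, or one issued to a different session
        del pending[match[0]]  # consume it so a replayed form is rejected
        return match[1] >= self._clock()
```

Each generated form gets its own token, so several forms open in one session validate independently.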





