
[EP-tech] EPrints Security Announcement - February 2020



I would definitely use mathjax over the cgi route.


Our server has the js added to cfg/lang/en/templates/default.xml

<script type="text/x-mathjax-config">
MathJax.Hub.Config({tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']]}});
</script>
<script type="text/javascript" async="async"
src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-MML-AM_CHTML">
</script>

And nothing else. Maybe that's enough to get it to work?


On 24/02/2021 14:35, John Salter via Eprints-tech wrote:
> I was wondering if anyone had integrated any javascript libraries
> (e.g. https://www.mathjax.org/) to achieve something similar to this?
>
> Cheers,
> John
> ------------------------------------------------------------------------
> *From:* eprints-tech-bounces at ecs.soton.ac.uk 
> <eprints-tech-bounces at ecs.soton.ac.uk> on behalf of Alan.Stiles via 
> Eprints-tech <eprints-tech at ecs.soton.ac.uk>
> *Sent:* 24 February 2021 14:03
> *To:* eprints-tech at ecs.soton.ac.uk <eprints-tech at ecs.soton.ac.uk>
> *Subject:* Re: [EP-tech] EPrints Security Announcement - February 2020
>
> The patch does leave latex2png empty.
>
> We still use this to include e.g. mathematical symbology in item 
> abstracts so we have added some sanitisation to the input parameter in 
> that cgi script rather than removing the function completely (3.3.15 
> or 16 here).
>
> Alan
>
> *From: *<eprints-tech-bounces at ecs.soton.ac.uk> on behalf of 
> "eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>
> *Reply to: *"eprints-tech at ecs.soton.ac.uk" 
> <eprints-tech at ecs.soton.ac.uk>, James Kerwin <jkerwin2101 at gmail.com>
> *Date: *Wednesday, 24 February 2021 at 13:41
> *To: *"eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>, 
> David R Newman <drn at ecs.soton.ac.uk>
> *Subject: *Re: [EP-tech] EPrints Security Announcement - February 2020
>
> Hi David,
>
> Thank you very much for bringing this to our attention and providing 
> the solutions.
>
> Shamefully, we are still on 3.3.14 (I promise we are upgrading this 
> year). The patch mentioned works on 3.3.16 and the page says it might 
> work on earlier versions (a brief look through two of the files 
> suggests they're more or less the same as those for 3.3.16).
>
> In my attempt to avoid any problems that could result from "might", are 
> these the files that need altering if I were to do it manually:
>
> /cgi/ajax/phrase : CVE-2021-26703
>
> /cgi/latex2png : CVE-2021-3342
>
> /cgi/toolbox/toolbox : CVE-2021-26704
>
> There also appears to be some changes to be made to XML.pm
>
> Am I interpreting it correctly where it looks as though latex2png will 
> be left as an empty file (deleted) by the end?
>
> I think the page makes it very clear that these are the files that are 
> affected, but I just want to check there aren't any others that the 
> patch addresses. I have looked at the patch, but I try not to 
> underestimate my ability to totally misunderstand the most obvious of 
> things.
>
> My plan is to try the command first on a test EPrints server and if it 
> doesn't work, do it manually.
>
> Thanks,
>
> James
>
> On Wed, Feb 24, 2021 at 9:27 AM David R Newman via Eprints-tech 
> <eprints-tech at ecs.soton.ac.uk> wrote:
>
>     Hi all,
>
>     EPrints Services was recently made aware of a small number of
>     security vulnerabilities within the EPrints codebase, affecting
>     both EPrints 3.4 and EPrints 3.3.
>
>     I have created two patch files to fix the vulnerabilities and
>     uploaded them to files.eprints.org <http://files.eprints.org/>.
>
>     - EPrints 3.4.2 : https://files.eprints.org/2548/
>
>     - EPrints 3.3.x : https://files.eprints.org/2549/
>
>
>     The former fixes the EPrints 3.4.2 release and the latter fixes
>     EPrints 3.3 (based on the current HEAD of
>     https://github.com/eprints/eprints).
>     These links also provide instructions on how to apply the patch
>     file and some more details on the affected files. There are
>     references to the Common Vulnerabilities and Exposure (CVE) IDs
>     but as of now these are yet to be published. All the
>     vulnerabilities identified relate to either Cross-Site Scripting
>     (XSS) or Remote Code Execution (RCE) vulnerabilities. All of these
>     vulnerabilities would require analysis of the codebase to
>     determine an exploit. It is very unlikely that generic tools used
>     to identify vulnerabilities would discover these, as specific
>     knowledge is required.
>
>     I have also updated to patch these vulnerabilities on both the
>     eprints and eprints3.4 GitHub repositories for the eprints
>     organisation (https://github.com/eprints).
>     The next release of EPrints 3.4 (3.4.3) will have these security
>     fixes in place.
>
>     EPrints Services customers, both those who EPrints Services host
>     and those that self-host, have either been patched or, where this
>     has not been possible, informed of the vulnerabilities and how
>     they can be fixed.
>
>     If you have any follow-up questions please feel free to ask.
>     Hopefully, the CVEs will be published shortly for those interested
>     in more detail. However, they were raised by a third party, who I
>     have only just given go-ahead to make these public.
>
>     Regards
>
>     David Newman
>
>
>     *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>     *** Archive: http://www.eprints.org/tech.php/
>     *** EPrints community wiki: http://wiki.eprints.org/

-- 
Christopher Gutteridge <totl at soton.ac.uk>
You should read our team blog at http://blog.soton.ac.uk/webteam/
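Alan's reply above mentions adding input sanitisation to the latex2png CGI rather than leaving it empty. As an added illustration in Python (not EPrints' own Perl code and not the sanitisation Alan describes), this shows the shape such a gate can take: an allowlist of characters, a block on TeX control sequences that touch files or processes, and a renderer invocation with no shell and shell escape disabled. It assumes TeX Live's `latex` binary; the regexes, limits and file names are constructed for the example.

```python
import re
import subprocess
from pathlib import Path

# Constructed example, not EPrints code: a gatekeeper for the LaTeX fragment a
# latex2png-style CGI receives, applied before any renderer is started.
MAX_LEN = 400
# Only characters ordinary inline maths needs ('%', '#', '$', '~', quotes and
# backticks are deliberately absent).
_ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9\s\\{}()\[\]^_+\-*/=<>.,;:!'|&]*$")
# TeX control sequences that do file/process I/O or rewire the parser; the
# lookahead makes the match catch \write18 as well as \write{...}.
_FORBIDDEN_CMDS = re.compile(
    r"\\(write|openout|openin|input|include|read|csname|catcode|def|let|"
    r"immediate|usepackage|documentclass|newcommand|renewcommand|special)"
    r"(?![A-Za-z])"
)

def validate_latex_fragment(fragment: str):
    """Return (ok, reason); ok is True only for fragments safe to pass on."""
    if not fragment.strip():
        return False, "empty"
    if len(fragment) > MAX_LEN:
        return False, "too long"
    if not _ALLOWED_CHARS.match(fragment):
        return False, "disallowed character"
    if _FORBIDDEN_CMDS.search(fragment):
        return False, "forbidden TeX command"
    if fragment.count("{") != fragment.count("}"):
        return False, "unbalanced braces"
    return True, ""

def build_render_command(tex_file, out_dir):
    """argv list for TeX Live's latex (assumed installed): no shell involved,
    shell escape switched off explicitly."""
    return ["latex", "-no-shell-escape", "-interaction=batchmode",
            "-halt-on-error", f"-output-directory={out_dir}", str(tex_file)]

def render(fragment: str, work_dir: Path) -> Path:
    """Validate, wrap the fragment in a minimal document, run the renderer."""
    ok, reason = validate_latex_fragment(fragment)
    if not ok:
        raise ValueError(f"rejected LaTeX input: {reason}")
    tex_file = work_dir / "eq.tex"
    tex_file.write_text("\\documentclass{article}\\begin{document}\n$"
                        + fragment + "$\n\\end{document}\n")
    # List form: the fragment is data in a file, never part of a command line.
    subprocess.run(build_render_command(tex_file, work_dir), check=True,
                   timeout=20, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
    return work_dir / "eq.dvi"
```

Client-side MathJax, as suggested at the top of the thread, avoids the server-side renderer altogether; a gate like this only matters where latex2png is kept.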
