
perfsonar-user - Re: [perfsonar-user] Fwd: [ISOTicket:1684893] UT/ISO -- Verified Vulnerable Web Page [129.74.85.59 - ND.EDU]

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] Fwd: [ISOTicket:1684893] UT/ISO -- Verified Vulnerable Web Page [129.74.85.59 - ND.EDU]


  • From: Andrew Lake <>
  • To: Matt Vander Werf <>,
  • Cc: Rich Sudlow <>
  • Subject: Re: [perfsonar-user] Fwd: [ISOTicket:1684893] UT/ISO -- Verified Vulnerable Web Page [129.74.85.59 - ND.EDU]
  • Date: Tue, 11 Jul 2017 13:53:38 -0700

Hi,

Thanks for the report. We have filed an issue and will take a look.

Andy



On July 11, 2017 at 4:48:35 PM, Matt Vander Werf () wrote:

Hello,

Please see the report below of a cross-site scripting security vulnerability found in the MaDDash software we have installed on one of our systems. This report came from the Information Security Office at the University of Texas at Austin.

Thank you.

--
Matt Vander Werf
HPC System Administrator
University of Notre Dame
Center for Research Computing - Union Station
506 W. South Street
South Bend, IN 46601

...
---------- Forwarded message ----------
From: UT Information Security Office <>
Date: Mon, Jul 10, 2017 at 9:00 PM
Subject: [ISOTicket:1684893] UT/ISO -- Verified Vulnerable Web Page [129.74.85.59 - ND.EDU]
To: 


=========================================================
THE FOLLOWING ALERT IS THE PRODUCT OF A VULNERABILITY
DETECTION SERVICE SPONSORED BY U.T. AUSTIN.
=========================================================

The Information Security Office at the University of Texas at Austin
has found the following web page to be vulnerable to a high-risk application attack:

HOST: 129.74.85.59 [ps-crc-mesh-1.crc.nd.edu]
DATE: 2017-07-10 18:22:58 CST/CDT

GET:  http://ps-crc-mesh-1.crc.nd.edu/maddash-webui/details.cgi?uri=%3C/script%3E%3Cscript%3Ealert(150)%3C/script%3E

ATTACK DETAILS:
This page is vulnerable to Cross-site scripting attacks.

Cross-site scripting attacks, in general, are an issue because
they are enabling attacks. Specially-crafted malicious URLs can
steal authentication tokens/cookies when a logged-in user visits them,
giving the attacker full access to that user's account in the application.
Reflected XSS attacks, in particular, are a concern as they can be used to
socially engineer a user into clicking on what appears to be a legitimate URL.

Please also consider the following:

- Web application security testing should be performed regularly,
  especially for any public web applications. This includes
  tracking application inventory, general code review and vulnerability
  assessments using web application security testing tools.

- All input received by the web server should be checked before
  it is processed. The best method is to remove all unwanted input and
  accept only expected input. For example, ensure angle brackets are
  not allowed in any input to any Web page fields. Additionally, no
  syntactic input should be allowed. Syntactic input can come from
  databases, other servers, etc. All input into a Web application must
  be filtered to ensure the delivery of clean content to individuals using
  your service.

- Other References:

  OWASP Guide to Building Secure Web Applications and Web Services
  https://www.owasp.org/index.php/Category:OWASP_Guide_Project

  UT-Austin: Minimum Security Standards for Application Development and Administration
  https://security.utexas.edu/policies/standards_application

Please let us know if you believe any of this information to be inaccurate
so that we can be of better service in the future.

We hope this information is helpful.

Information Security Office
The University of Texas at Austin
 | 512.475.9242
http://security.utexas.edu
=======================================
https://www.facebook.com/utaustiniso
https://twitter.com/UT_ISO
=======================================

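The reflected-XSS pattern the report describes, shown as an added example that is not part of this thread or of MaDDash's own code: a hypothetical `render_vulnerable` that echoes the `uri` query parameter into a script block (which is why the scanner payload starts with `</script>`), next to a hardened version that JSON-encodes the value and escapes angle brackets, plus a constructed allow-list check in the spirit of the "accept only expected input" advice.

```python
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# The GET request quoted in the UT/ISO report.
REPORTED_URL = ("http://ps-crc-mesh-1.crc.nd.edu/maddash-webui/details.cgi"
                "?uri=%3C/script%3E%3Cscript%3Ealert(150)%3C/script%3E")

def uri_param(url: str) -> str:
    """Extract the decoded 'uri' query parameter as a CGI would see it."""
    return parse_qs(urlsplit(url).query).get("uri", [""])[0]

def render_vulnerable(uri: str) -> str:
    """Hypothetical unsafe rendering (stand-in, not details.cgi): the raw value
    is dropped into an inline script, so '</script>' ends that block and any
    following '<script>' runs as attacker-controlled code."""
    return f"<script>var uri = '{uri}';</script>"

def render_hardened(uri: str) -> str:
    """Same page with context-aware encoding: json.dumps makes a valid JS string
    literal, and escaping < and > as \\u003c / \\u003e means no HTML tag can
    appear inside the script block regardless of the input."""
    literal = json.dumps(uri).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var uri = {literal};</script>"

def render_hardened_html(uri: str) -> str:
    """Reflecting the value into HTML text instead: entity-encode it."""
    return f"<p>Details for {html.escape(uri, quote=True)}</p>"

# Constructed allow-list for what a dashboard URI is expected to look like
# (assumption for this example; a real policy comes from the application).
_EXPECTED_URI = re.compile(r"^/[A-Za-z0-9_./-]*$")

def is_expected_uri(uri: str) -> bool:
    """Reject anything outside the expected character set, as the report advises."""
    return bool(_EXPECTED_URI.match(uri))

def script_context_escaped(page: str) -> bool:
    """Detection helper: more than one '<script' in the rendered page means the
    reflected value broke out of the single script block the template emits."""
    return page.lower().count("<script") > 1

if __name__ == "__main__":
    payload = uri_param(REPORTED_URL)
    print("vulnerable breaks out:", script_context_escaped(render_vulnerable(payload)))
    print("hardened breaks out:  ", script_context_escaped(render_hardened(payload)))
    print("allow-list accepts payload:", is_expected_uri(payload))
```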


