Hi,
Just to follow up on this: last night an update got pushed for MaDDash to our yum and Debian repos that should address this. The fixed version is 2.0.1. In particular, make sure the maddash-webui package is at 2.0.1. If you are running auto-updates you may already have it. We'll send out a separate note to make sure people not following this thread see it. Thanks again for bringing it to our attention.
Andy
On July 11, 2017 at 4:53:38 PM, Andrew Lake () wrote:
Hi,
Thanks for the report. We have filed an issue and will take a look.
Andy
On July 11, 2017 at 4:48:35 PM, Matt Vander Werf () wrote:
Hello,
Please see the report below of a cross-site scripting security vulnerability found in the MaDDash software we have installed on one of our systems. This report came from the Information Security Office at the University of Texas at Austin.
Thank you.
--
Matt Vander Werf
HPC System Administrator
University of Notre Dame
Center for Research Computing - Union Station
506 W. South Street
South Bend, IN 46601
...
---------- Forwarded message ----------
From: UT Information Security Office <>
Date: Mon, Jul 10, 2017 at 9:00 PM
Subject: [ISOTicket: 1684893] UT/ISO -- Verified Vulnerable Web Page [129.74.85.59 - ND.EDU]
To:
=========================================================
THE FOLLOWING ALERT IS THE PRODUCT OF A VULNERABILITY
DETECTION SERVICE SPONSORED BY U.T. AUSTIN.
=========================================================
The Information Security Office at the University of Texas at Austin has found the following web page to be vulnerable to a high-risk application attack:
HOST: 129.74.85.59 [ps-crc-mesh-1.crc.nd.edu]
DATE: 2017-07-10 18:22:58 CST/CDT
GET: http://ps-crc-mesh-1.crc.nd.edu/maddash-webui/details.cgi?uri=%3C/script%3E%3Cscript%3Ealert(150)%3C/script%3E
ATTACK DETAILS:
This page is vulnerable to Cross-site scripting attacks.
Cross-site scripting attacks, in general, are an issue because they are enabling attacks. Specially-crafted malicious URLs can steal authentication tokens/cookies when a logged-in user visits them, giving the attacker full access to that user's account in the application.
Reflected XSS attacks, in particular, are a concern as they can be used to socially engineer a user into clicking on what appears to be a legitimate URL.
Please also consider the following:
- Web application security testing should be performed regularly, especially for any public web applications. This includes tracking application inventory, general code review and vulnerability assessments using web application security testing tools.
- All input received by the web server should be checked before it is processed. The best method is to remove all unwanted input and accept only expected input. For example, ensure angle brackets are not allowed in any input to any Web page fields. Additionally, no syntactic input should be allowed. Syntactic input can come from databases, other servers, etc. All input into a Web application must be filtered to ensure the delivery of clean content to individuals using your service.
- Other References:
OWASP Guide to Building Secure Web Applications and Web Services
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
UT-Austin: Minimum Security Standards for Application Development and Administration
https://security.utexas.edu/policies/standards_application
Please let us know if you believe any of this information to be inaccurate so that we can be of better service in the future.
We hope this information is helpful.
Information Security Office
The University of Texas at Austin
512.475.9242
http://security.utexas.edu
=======================================
https://www.facebook.com/utaustiniso
https://twitter.com/UT_ISO
=======================================
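The scanner's GET request above works by sending a value for the `uri` query parameter that contains `</script>`, so that wherever details.cgi reflects the parameter into its page, the browser ends the surrounding script block early and runs the attacker's script. The following is an added example (it is not MaDDash code and does not show how details.cgi actually rendered the parameter, which the thread does not disclose): a hypothetical vulnerable render function that pastes the parameter into an inline script, beside two fixes, one for script context (JSON-encode and escape `<`, `>` and `&`) and one for HTML context (entity-encode). The payload is the one from the scanner's GET request; the function names and the page template are assumptions. The breakout check mirrors what a scanner verifies: whether the reflected value produces an extra `</script` in the response.

```javascript
// Added example, not MaDDash project code. All function names are hypothetical.

// The exact value the UT/ISO scanner placed in the `uri` parameter.
const SCANNER_URL =
  'http://ps-crc-mesh-1.crc.nd.edu/maddash-webui/details.cgi' +
  '?uri=%3C/script%3E%3Cscript%3Ealert(150)%3C/script%3E';

// Decode the query parameter the way a CGI sees it after URL-decoding.
function getUriParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('uri');
}

// VULNERABLE (hypothetical): the raw parameter is interpolated into an inline
// script. The browser's HTML parser finds "</script>" inside the JS string
// literal and terminates the block there, so the attacker's <script> executes.
function renderVulnerable(uri) {
  return `<script>var uri = "${uri}";</script>`;
}

// Script-context fix: JSON-encode, then additionally replace characters that
// matter to the HTML parser ('<', '>', '&') and JS line terminators
// (U+2028/U+2029) with \uXXXX escapes. JSON.stringify alone is NOT enough,
// because it leaves '<' and '>' intact and "</script>" still ends the block.
function encodeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderScriptSafe(uri) {
  return `<script>var uri = ${encodeForScript(uri)};</script>`;
}

// HTML-context fix: entity-encode before placing the value in element text
// or a quoted attribute. '&' must be replaced first so entities are not
// double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderHtmlSafe(uri) {
  return `<p>Details for <span>${escapeHtml(uri)}</span></p>`;
}

// Scanner-style check: a page with one inline script should contain exactly one
// "</script"; any more means the reflected value closed the block early.
function hasScriptBreakout(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

// Summary a reader can log to see all three renderings side by side.
function demo() {
  const payload = getUriParam(SCANNER_URL);
  return {
    payload,
    vulnerable: renderVulnerable(payload),
    vulnerableBreaksOut: hasScriptBreakout(renderVulnerable(payload)),
    scriptSafe: renderScriptSafe(payload),
    scriptSafeBreaksOut: hasScriptBreakout(renderScriptSafe(payload)),
    htmlSafe: renderHtmlSafe(payload),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The script-context encoding is reversible: the browser's JS engine decodes the `\u003c` escapes back to `<` when it evaluates the string literal, so the application still receives the original value, but the HTML parser never sees a `</script>` in the document. Rejecting angle brackets at the input, as the report suggests, prevents this particular payload but is no substitute for output encoding, since a `uri` that legitimately contains a quote, ampersand or `%3C` elsewhere in the page can still break out in a different context.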