[EP-tech] CSRF Vulnerability in EPrints
adam at adamfield.net
Thu Mar 28 09:55:55 GMT 2019
We’ve had a report from an independent security researcher (Jisc’s policy encourages reporting of issues) that EPrints suffers from a CSRF vulnerability. The fix for this would be to add tokens to forms so that EPrints can validate that a submitted form was one that it generated.
This is obviously a fairly complex problem to solve, with changes to multiple parts of EPrints, probably requiring a new field type, as well as the storing of tokens somewhere (perhaps a new dataset). Has anyone taken a look at this?
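The synchronizer-token approach described in the message (embed a token in every generated form, reject any submission whose token the server cannot validate) can be implemented without a new dataset if the token is an HMAC over the user's session identifier and a timestamp: the server only needs its secret key to recheck it. The following is an added example written for this thread, not EPrints code; it is in Python for brevity rather than EPrints' Perl, and the session identifiers, field name `csrf_token`, secret and form action are all constructed for illustration.

```python
import hmac
import hashlib
import html
import secrets
import time

# Constructed for this example: a real deployment would load a persistent
# per-installation secret from configuration, not generate one at import.
SERVER_SECRET = secrets.token_bytes(32)

def generate_token(session_id, secret=SERVER_SECRET, now=None):
    """Return a stateless CSRF token bound to this session: '<ts>.<hmac>'."""
    ts = int(now if now is not None else time.time())
    msg = f"{session_id}:{ts}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def validate_token(token, session_id, secret=SERVER_SECRET, max_age=3600, now=None):
    """True only if the token was minted by us, for this session, and is not stale."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False                      # malformed or missing token
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > max_age:
        return False                      # clock skew or expired
    expected = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)

def render_form(session_id, action, fields):
    """Emit a POST form carrying the hidden token, as EPrints' form generator would."""
    token = generate_token(session_id)
    parts = [f'<form method="post" action="{html.escape(action, quote=True)}">',
             f'<input type="hidden" name="csrf_token" value="{html.escape(token, quote=True)}">']
    for name in fields:
        parts.append(f'<input type="text" name="{html.escape(name, quote=True)}">')
    parts.append('<input type="submit"></form>')
    return "".join(parts)

def handle_post(form_fields, session_id):
    """Gate every state-changing POST on a valid token before doing any work."""
    token = form_fields.get("csrf_token", "")
    if not validate_token(token, session_id):
        return (403, "CSRF token missing or invalid")
    return (200, "ok")

if __name__ == "__main__":
    sid = "sess-1234"                     # constructed session id
    print(render_form(sid, "/cgi/users/home", ["title"]))
    good = {"csrf_token": generate_token(sid), "title": "x"}
    print(handle_post(good, sid))         # (200, 'ok')
    print(handle_post({"title": "x"}, sid))  # (403, ...) - a cross-site form has no token
```

Because the token is derived from the session, a form fetched in one user's session cannot be replayed in another's, and nothing needs to be persisted beyond the existing session. The `max_age` window limits how long a leaked token stays useful; setting session cookies with the `SameSite` attribute is a complementary browser-side control, not a replacement for the token check.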