[EP-tech] EPrints Security Announcement - February 2020
Christopher Gutteridge
totl at soton.ac.uk
Wed Feb 24 15:10:59 GMT 2021
I would definitely use mathjax over the cgi route.
Our server has the js added to cfg/lang/en/templates/default.xml:
<script type="text/x-mathjax-config">
MathJax.Hub.Config({tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']]}});
</script>
<script type="text/javascript" async="async"
src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-MML-AM_CHTML">
</script>
And nothing else. Maybe that's enough to get it to work?
On 24/02/2021 14:35, John Salter via Eprints-tech wrote:
> I was wondering if anyone had integrated any javascript libraries
> (e.g. https://www.mathjax.org/) to achieve something similar to this?
>
> Cheers,
> John
> ------------------------------------------------------------------------
> *From:* eprints-tech-bounces at ecs.soton.ac.uk
> <eprints-tech-bounces at ecs.soton.ac.uk> on behalf of Alan.Stiles via
> Eprints-tech <eprints-tech at ecs.soton.ac.uk>
> *Sent:* 24 February 2021 14:03
> *To:* eprints-tech at ecs.soton.ac.uk <eprints-tech at ecs.soton.ac.uk>
> *Subject:* Re: [EP-tech] EPrints Security Announcement - February 2020
>
> The patch does leave latex2png empty.
>
> We still use this to include e.g. mathematical symbology in item
> abstracts so we have added some sanitisation to the input parameter in
> that cgi script rather than removing the function completely (3.3.15
> or 16 here).
>
> Alan
>
> *From: *<eprints-tech-bounces at ecs.soton.ac.uk> on behalf of
> "eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>
> *Reply to: *"eprints-tech at ecs.soton.ac.uk"
> <eprints-tech at ecs.soton.ac.uk>, James Kerwin <jkerwin2101 at gmail.com>
> *Date: *Wednesday, 24 February 2021 at 13:41
> *To: *"eprints-tech at ecs.soton.ac.uk" <eprints-tech at ecs.soton.ac.uk>,
> David R Newman <drn at ecs.soton.ac.uk>
> *Subject: *Re: [EP-tech] EPrints Security Announcement - February 2020
>
> Hi David,
>
> Thank you very much for bringing this to our attention and providing
> the solutions.
>
> Shamefully, we are still on 3.3.14 (I promise we are upgrading this
> year). The patch mentioned works on 3.3.16 and the page says it might
> work on earlier versions (a brief look through two of the files
> suggests they're more or less the same as those for 3.3.16).
>
> In my attempt to avoid any problems that could result from "might",
> are these the files that need altering if I were to do it manually:
>
> /cgi/ajax/phrase : CVE-2021-26703
>
> /cgi/latex2png : CVE-2021-3342
>
> /cgi/toolbox/toolbox : CVE-2021-26704
>
> There also appears to be some changes to be made to XML.pm
>
> Am I interpreting it correctly where it looks as though latex2png will
> be left as an empty file (deleted) by the end?
>
> I think the page makes it very clear that these are the files that are
> affected, but I just want to check there aren't any others that the
> patch addresses. I have looked at the patch, but I try not to
> underestimate my ability to totally misunderstand the most obvious of
> things.
>
> My plan is to try the command first on a test EPrints server and if it
> doesn't work, do it manually.
>
> Thanks,
>
> James
>
> On Wed, Feb 24, 2021 at 9:27 AM David R Newman via Eprints-tech
> <eprints-tech at ecs.soton.ac.uk <mailto:eprints-tech at ecs.soton.ac.uk>>
> wrote:
>
> Hi all,
>
> EPrints Services was recently made aware of a small number of
> security vulnerabilities within the EPrints codebase, affecting
> both EPrints 3.4 and EPrints 3.3.
>
> I have created two patch files to fix the vulnerabilities and
> uploaded them to files.eprints.org (http://files.eprints.org/).
>
> - EPrints 3.4.2 : https://files.eprints.org/2548/
>
> - EPrints 3.3.x : https://files.eprints.org/2549/
>
>
> The former fixes the EPrints 3.4.2 release and the latter fixes
> EPrints 3.3 (based on the current HEAD of
> https://github.com/eprints/eprints).
> These links also provide instructions on how to apply the patch
> file and some more details on the affected files. There are
> references to the Common Vulnerabilities and Exposures (CVE) IDs
> but as of now these are yet to be published. All the
> vulnerabilities identified relate to either Cross-Site Scripting
> (XSS) or Remote Code Execution (RCE) vulnerabilities. All of these
> vulnerabilities would require analysis of the codebase to
> determine an exploit. It is very unlikely that generic tools used
> to identify vulnerabilities would discover these, as specific
> knowledge is required.
>
> I have also updated to patch these vulnerabilities on both the
> eprints and eprints3.4 GitHub repositories for the eprints
> organisation (https://github.com/eprints).
> The next release of EPrints 3.4 (3.4.3) will have these security
> fixes in place.
>
> EPrints Services customers, both those who EPrints Services host
> and those that self-host, have either been patched or, where this
> has not been possible, informed of the vulnerabilities and how
> they can be fixed.
>
> If you have any follow-up questions please feel free to ask.
> Hopefully, the CVEs will be published shortly for those interested
> in more detail. However, they were raised by a third party, who I
> have only just given go-ahead to make these public.
>
> Regards
>
> David Newman
>
> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive: http://www.eprints.org/tech.php/
> *** EPrints community wiki: http://wiki.eprints.org/
--
Christopher Gutteridge <totl at soton.ac.uk>
You should read our team blog at http://blog.soton.ac.uk/webteam/
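Alan's note in the quoted thread about adding sanitisation to the input parameter of the latex2png CGI, rather than deleting the script, is the kind of change a defender has to get exactly right, because the fragment ends up in front of a TeX engine started by a web process. The following is an added illustration for this thread, not EPrints code, not Alan's patch, and not a description of how CVE-2021-3342 actually works; it is written in Python rather than the project's Perl so it can be exercised directly. It shows an allow-list of characters, a deny-list of TeX commands that reach the file system or the shell, balanced-brace and length checks, and an argv-list invocation of latex with shell escape disabled and a timeout. The character and command lists, validate_latex, build_command, render_png and the dvipng step are all assumptions.

```python
"""Allow-list validation for a LaTeX fragment before it reaches an
external TeX renderer (added example; not EPrints' latex2png)."""
import re
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

MAX_LENGTH = 2000  # constructed cap; a formula fragment is never this long

# Constructed allow-list of characters a maths fragment legitimately needs.
# Backticks, double quotes, '$', '#' and '%' are deliberately absent: the
# wrapper below supplies the math delimiters itself.
_ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9\s\\{}()\[\]^_+\-*/=<>.,;:'!|&~]+$")

# Constructed deny-list: TeX primitives and macros that touch the file
# system or the shell, or that can assemble such a command name indirectly
# (\csname, \def, \catcode). TeX names are case-sensitive, so compare exact.
_DENIED_COMMANDS = frozenset({
    "write18", "input", "include", "openout", "openin", "read", "write",
    "catcode", "def", "edef", "gdef", "xdef", "let", "csname", "immediate",
    "newwrite", "newread", "usepackage", "documentclass", "special",
    "pdfshellescape", "ShellEscape", "directlua",
})

# A command is a backslash followed by letters; '\write18' yields 'write'.
_COMMAND_NAME = re.compile(r"\\([A-Za-z]+)")


def validate_latex(fragment: str) -> Optional[str]:
    """Return None when the fragment passes every check, otherwise a short,
    non-sensitive reason suitable for a 4xx response or a log line."""
    if not fragment or len(fragment) > MAX_LENGTH:
        return "empty or over length"
    if not _ALLOWED_CHARS.match(fragment):
        return "disallowed character"
    for name in _COMMAND_NAME.findall(fragment):
        if name in _DENIED_COMMANDS:
            return "disallowed command"
    if fragment.count("{") != fragment.count("}"):
        return "unbalanced braces"
    return None


def build_command() -> List[str]:
    """argv for the TeX run. It is a list, never a shell string, and the
    fragment lives in a file rather than on the command line, so user input
    cannot alter the command. -no-shell-escape, -interaction=nonstopmode and
    -halt-on-error are standard TeX Live options."""
    return ["latex", "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", "fragment.tex"]


def render_png(fragment: str, timeout_s: int = 10) -> bytes:
    """Validate, write the fragment to a scratch .tex file, run latex with
    shell escape disabled, then convert the DVI with dvipng (assumed to be
    installed). The timeout bounds runaway TeX loops."""
    reason = validate_latex(fragment)
    if reason is not None:
        raise ValueError("rejected fragment: " + reason)
    quiet = dict(stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                 stderr=subprocess.DEVNULL, check=True, timeout=timeout_s)
    with tempfile.TemporaryDirectory() as workdir:
        tex = Path(workdir) / "fragment.tex"
        tex.write_text("\\documentclass{article}\\pagestyle{empty}"
                       "\\begin{document}$" + fragment + "$\\end{document}\n")
        subprocess.run(build_command(), cwd=workdir, **quiet)
        subprocess.run(["dvipng", "-T", "tight", "-o", "fragment.png",
                        "fragment.dvi"], cwd=workdir, **quiet)
        return (Path(workdir) / "fragment.png").read_bytes()


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate formula, three that should
    # be refused before any external process is started.
    for sample in [r"\frac{a}{b} + x^2", r"\write18{x}",
                   r"\csname write18\endcsname", "a`b"]:
        print(repr(sample), "->", validate_latex(sample) or "accepted")
```

The important design choice is that validation is purely lexical and happens before anything is executed; the renderer flags and the argv list are defence in depth for the case where the allow-list is later loosened. A real deployment would also log the rejection reason with the request id rather than echoing the fragment back into the page, which is the XSS half of the same problem.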