<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>It's not appropriate to discuss software vulnerabilities on a publicly archived thread. If a bug does exist, then it should be raised quietly so that people get told about it at the same time as an upgrade or patch to fix it.</p>
<div class="moz-cite-prefix">On 28/03/2019 09:55, Adam Field via Eprints-tech wrote:<br>
</div>
<blockquote type="cite" cite="mid:EMEW3|ca0b235634abbe5cb3fec7d5e14db83fv2R9uq14eprints-tech-bounces|ecs.soton.ac.uk|13BAEB7D-F001-4671-90FE-6AA5E5F38F1F@adamfield.net">
<div class="WordSection1">
<p class="MsoNormal">Hi</p>
<p class="MsoNormal">We’ve had a report from an independent security researcher (Jisc’s policy encourages reporting of issues) that EPrints suffers from a CSRF vulnerability. The fix for this would be to add tokens to forms so that EPrints can validate that a submitted form was one that it generated.</p>
<p class="MsoNormal">This is obviously a fairly complex problem to solve, with changes to multiple parts of EPrints, probably requiring a new field type, as well as the storing of tokens somewhere (perhaps a new dataset). Has anyone taken a look at this?</p>
<p class="MsoNormal">Thanks</p>
<p class="MsoNormal">--</p>
<p class="MsoNormal">Adam</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">*** Options: <a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech">http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech</a>
*** Archive: <a class="moz-txt-link-freetext" href="http://www.eprints.org/tech.php/">http://www.eprints.org/tech.php/</a>
*** EPrints community wiki: <a class="moz-txt-link-freetext" href="http://wiki.eprints.org/">http://wiki.eprints.org/</a>
*** EPrints developers Forum: <a class="moz-txt-link-freetext" href="http://forum.eprints.org/">http://forum.eprints.org/</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">-- 
Christopher Gutteridge <a class="moz-txt-link-rfc2396E" href="mailto:totl@soton.ac.uk">&lt;totl@soton.ac.uk&gt;</a> 
You should read our team blog at <a class="moz-txt-link-freetext" href="http://blog.soton.ac.uk/webteam/">http://blog.soton.ac.uk/webteam/</a></pre>
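<p>The quoted message describes the standard synchronizer-token defence against CSRF: the server puts a value it can later recognise into every form it renders, and refuses a POST whose value it did not issue for that session. The Python below is an added illustration of that pattern; it is not EPrints code and not the fix the list later adopted, and the function names, the <code>form_name</code> parameter, the <code>csrf_token</code> field name and the sample session ids are constructed for the example. It goes one step beyond the message by binding each token to the session id and form name with a keyed HMAC, so the server can recompute and compare a token instead of storing every issued token in a new dataset.</p>

```python
"""Stateless (keyed-HMAC) synchronizer tokens for CSRF protection.

Added illustration only: none of these names come from EPrints.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a per-deployment secret kept in server-side
# configuration and never sent to the browser. Rotating it invalidates every
# outstanding token.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def _mac(session_id: str, form_name: str, expires: int, nonce: str) -> str:
    """HMAC-SHA256 over every value the token must be bound to."""
    msg = f"{session_id}\x00{form_name}\x00{expires}\x00{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_csrf_token(session_id: str, form_name: str,
                    now: Optional[int] = None) -> str:
    """Issue a token for one form rendered in one session.

    Format: "expires.nonce.mac". Because the MAC covers the session id and the
    form name, the server does not have to remember the token; on submission it
    recomputes the MAC and compares. The template places the returned value in
    a hidden field (here called csrf_token) inside the form.
    """
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(16)  # makes each rendering's token distinct
    return f"{expires}.{nonce}.{_mac(session_id, form_name, expires, nonce)}"


def verify_csrf_token(token: str, session_id: str, form_name: str,
                      now: Optional[int] = None) -> bool:
    """True only for an unexpired token this server issued to this session
    for this form.

    A page on another origin cannot read the user's token (same-origin policy)
    and cannot compute a valid MAC without SERVER_SECRET, so a cross-site
    submission fails this check.
    """
    now = int(time.time()) if now is None else now
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:  # wrong shape or non-numeric expiry
        return False
    if now >= expires:
        return False
    expected = _mac(session_id, form_name, expires, nonce)
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_post(form_fields: dict, session_id: str, form_name: str) -> tuple:
    """Gate a state-changing POST on the token check; returns (status, message)."""
    token = form_fields.get("csrf_token", "")
    if not verify_csrf_token(token, session_id, form_name):
        return 403, "CSRF check failed"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed walk-through: one genuine submission, then a submission that
    # carries a token minted for a different session, which must be rejected.
    user, other = "session-user", "session-other"
    genuine = make_csrf_token(user, "update_record")
    print(handle_post({"csrf_token": genuine}, user, "update_record"))
    mismatched = make_csrf_token(other, "update_record")
    print(handle_post({"csrf_token": mismatched}, user, "update_record"))
```

<p>The session id in the MAC is what makes the check meaningful: a token is only valid together with the session cookie it was issued for, so it cannot be lifted from one session and replayed in another. Expiry bounds how long a leaked token stays useful, and <code>hmac.compare_digest</code> avoids a timing side channel in the comparison. The trade-off against stored tokens is that a stateless token cannot be revoked individually; rotating <code>SERVER_SECRET</code> revokes them all at once.</p>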
</body>
</html>