<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Newman,<o:p></o:p></span></p>
<p class="MsoNormal" align="right" dir="RTL" style="text-align:left;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It's a new installation and the file exists under this path (EPRINTS_PATH/archives/ARCHIVE_NAME/cfg/cfg.d), but our security team is doing a vulnerability scan using Acunetix and it's giving a "CSRF token missing" error on all pages.<o:p></o:p></span></p>
<p class="MsoNormal" align="right" dir="RTL" style="text-align:left;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Is there a way we can verify that CSRF tokens are being applied?<o:p></o:p></span></p>
<p class="MsoNormal" align="right" dir="RTL" style="text-align:left;direction:rtl;unicode-bidi:embed">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Newman D.R. [mailto:drn@ecs.soton.ac.uk]
<br>
<b>Sent:</b> Thursday, November 07, 2019 3:13 PM<br>
<b>To:</b> eprints-tech@ecs.soton.ac.uk; Maher Abdellatif Ahmad Qahwash<br>
<b>Subject:</b> Re: [EP-tech] CSRF<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="3" cellpadding="0">
<tbody>
<tr>
<td style="background:white;padding:.75pt .75pt .75pt .75pt">
<pre>Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.<o:p></o:p></pre>
<pre>____________________________________________________________<o:p></o:p></pre>
</td>
</tr>
</tbody>
</table>
<p>Hi Maher,<o:p></o:p></p>
<p>This depends on whether you have just created a new repository/archive or have upgraded an existing archive to 3.4.1. For the latter you will need to manually copy EPRINTS_PATH/lib/defaultcfg_zero/cfg.d/csrf_protection.pl to your archive (i.e. EPRINTS_PATH/archives/ARCHIVE_NAME/cfg.d/csrf_protection.pl).
Otherwise csrf_protection.pl should have been added to your archive automatically on creation. Either way it is best you change the csrf_token_salt config variable to something else. Generating a suitable token salt can be done using OpenSSL:<o:p></o:p></p>
<p>openssl rand -base64 8<o:p></o:p></p>
<p>8 characters should be more than sufficient, as the current time is also used in generating each token. Using the default token salt gives you improved security but is not ideal, as a determined hacker could work out valid tokens they could use.<o:p></o:p></p>
<p>Regards<o:p></o:p></p>
<p>David Newman<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">On 07/11/2019 11:54, Maher Abdellatif Ahmad Qahwash via Eprints-tech wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Hi <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">We are running eprints 3.4.1 and would like know if CSRF is enabled by default or we need to enable it in the configuration?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Thanks<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Maher<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt"><br>
<br>
<o:p></o:p></span></p>
<pre>*** Options: <a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech">http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech</a><o:p></o:p></pre>
<pre>*** Archive: <a href="http://www.eprints.org/tech.php/">http://www.eprints.org/tech.php/</a><o:p></o:p></pre>
<pre>*** EPrints community wiki: <a href="http://wiki.eprints.org/">http://wiki.eprints.org/</a><o:p></o:p></pre>
<pre>*** EPrints developers Forum: <a href="http://forum.eprints.org/">http://forum.eprints.org/</a><o:p></o:p></pre>
</blockquote>
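<p>The advice in David's reply above (copy csrf_protection.pl into the archive's cfg.d, then replace the shipped csrf_token_salt with an OpenSSL-generated value) can be checked from the shell rather than by eye. The script below is an added example written for this page; it is not EPrints project code and was not posted in the thread. It assumes the salt is set with the usual EPrints cfg.d syntax <code>$c->{csrf_token_salt} = "...";</code> (the exact line shape in the real file is an assumption), and the sample config files it writes are constructed stand-ins with a made-up salt, not EPrints' real default.</p>

```shell
#!/bin/sh
# Added example: verify that an EPrints archive has its own CSRF token salt
# rather than the one shipped in lib/defaultcfg_zero/cfg.d/csrf_protection.pl.
# Assumption: the salt is assigned as  $c->{csrf_token_salt} = "value";

# Print the salt assigned in a cfg.d file (first match), nothing if unset.
csrf_salt_of() {
    sed -n "s/^[[:space:]]*\$c->{csrf_token_salt}[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Return 0 when the archive config exists and carries a salt that differs
# from the default config's salt; 1 (with a reason on stdout/stderr) otherwise.
check_csrf_salt() {
    _a="$1"; _d="$2"
    [ -f "$_a" ] || { echo "MISSING: $_a (copy it from defaultcfg_zero)" >&2; return 1; }
    _as=$(csrf_salt_of "$_a"); _ds=$(csrf_salt_of "$_d")
    [ -n "$_as" ] || { echo "no csrf_token_salt set in $_a"; return 1; }
    [ "$_as" != "$_ds" ] || { echo "default salt still in use in $_a"; return 1; }
    echo "custom csrf_token_salt set in $_a"
}

# Generate a salt the way the reply suggests; falls back to /dev/urandom
# (same 8 random bytes, base64-encoded) if openssl is not installed.
new_salt() {
    if command -v openssl >/dev/null 2>&1; then openssl rand -base64 8
    else head -c 8 /dev/urandom | base64; fi
}

# Rewrite the csrf_token_salt line in $1 to use salt $2. '|' is used as the
# sed delimiter because base64 output may contain '/'. No sed -i (not POSIX).
set_csrf_salt() {
    sed "s|^\([[:space:]]*\$c->{csrf_token_salt}[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"]|\1\"$2\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# --- Demo on constructed files (a stand-in for the two real paths) ---------
demo_dir=$(mktemp -d)
demo_default="$demo_dir/defaultcfg_zero_csrf_protection.pl"   # constructed
demo_archive="$demo_dir/archive_csrf_protection.pl"           # constructed
printf '%s\n' '$c->{csrf_token_salt} = "changeme";' > "$demo_default"
cp "$demo_default" "$demo_archive"          # a fresh copy still has the default
if check_csrf_salt "$demo_archive" "$demo_default"; then :; else
    set_csrf_salt "$demo_archive" "$(new_salt)"
    check_csrf_salt "$demo_archive" "$demo_default"
fi
rm -rf "$demo_dir"
```

<p>On a real host, point <code>check_csrf_salt</code> at EPRINTS_PATH/archives/ARCHIVE_NAME/cfg/cfg.d/csrf_protection.pl and EPRINTS_PATH/lib/defaultcfg_zero/cfg.d/csrf_protection.pl. A "MISSING" result is the upgraded-archive case from the reply (copy the file first); a "default salt" result means the salt was never changed. This checks the configuration only; whether the running site actually emits and enforces tokens is a separate question the scanner is raising.</p>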
</div>
</body>
</html>