<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="Helvetica, Arial, sans-serif">Hi Maher,</font></p>
<div class="moz-cite-prefix">
<p><font face="Helvetica, Arial, sans-serif">To check whether the CSRF token is appearing you will need to look into the HTML source for something like:</font></p>
</div>
<div class="moz-cite-prefix">
<p><span><font face="Helvetica, Arial, sans-serif">&lt;input id="csrf_token" name="csrf_token" type="hidden" value="&lt;TIMESTAMP&gt;:&lt;HASH&gt;" /&gt;<br>
<br>
Where &lt;TIMESTAMP&gt; is something like 1573375123 and &lt;HASH&gt; is something like 0123456789abcdef0123456789abcdef.
You will need to have at least reloaded Apache (e.g. apachectl graceful) for the addition of EPRINTS_PATH/archives/ARCHIVE_NAME/cfg/cfg.d/csrf_protection.pl to be applied to your running configuration. The HTML shown above will only appear in forms if you
are logged in as a user, so it will not appear in the actual login form (/cgi/users/login) or the search forms (/cgi/search/simple or /cgi/search/advanced) unless you are logged in. CSRF protection only applies when an authenticated user is trying to make a
request, as they would likely have permissions that an unauthenticated user may not.</font></span></p>
<p><span><font face="Helvetica, Arial, sans-serif">One thing that should be noted is that statically generated abstract pages will not contain csrf_tokens for their export forms. This is because these exports do not require user authentication, and as the page,
and subsequently the form, are generated without the concept of a user being logged in, the forms will not get a csrf_token. I guess this would cause an uninformed vulnerability scanner to report an error. Either you should add an exception to your scanner,
or if it is still a concern (although I believe it causes no security risk) remove the tools box from your abstract page configuration. I would usually add the following line to ARCHIVENAME/cfg/cfg.d/plugins.pl:</font></span></p>
<p><span><font face="Helvetica, Arial, sans-serif">$c->{plugins}{"Screen::EPrint::Box::Tools"}{params}{disable} = 1;</font></span></p>
<p><span><font face="Helvetica, Arial, sans-serif"><span><font face="Helvetica, Arial, sans-serif">Before reloading Apache,
</font></span>you will need to run:</font></span></p>
<p><span><font face="Helvetica, Arial, sans-serif">EPRINTS_PATH/bin/epadmin refresh_abstracts ARCHIVE_NAME</font></span></p>
<p><span><font face="Helvetica, Arial, sans-serif">Hopefully this is helpful. There may be other places where read-only forms like the abstract page export exist that could record an error in your vulnerability scanner. If you could report specific pages and
the specific action URLs of the forms that are reporting the vulnerability, I can take a look. If it is something that affects a whole class of pages, like the abstract page situation I described, a single example should be sufficient for me to investigate.<br>
</font></span></p>
<p><span><font face="Helvetica, Arial, sans-serif">Regards</font></span></p>
<p><span><font face="Helvetica, Arial, sans-serif">David Newman<br>
</font></span></p>
</div>
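<p>The check described above (look in the HTML source for a hidden csrf_token input, and expect it to be absent from forms rendered without a logged-in user, such as static abstract page export forms), as an added example that is not part of this thread or of EPrints itself. It is a small Python script that scans a page's source, lists each form with its csrf_token value if present, reports the forms that lack one, and splits a token into its TIMESTAMP and HASH parts. The sample HTML is constructed for the example and the export form's action URL is a placeholder, not a real EPrints path.</p>

```python
"""Scan HTML source for forms and report which carry the hidden csrf_token input.

Added example: not EPrints code. Only the token layout TIMESTAMP:HASH is taken
from the thread; the sample page below is constructed.
"""
from html.parser import HTMLParser

# Constructed sample page: one form rendered for a logged-in user (has a
# token) and one static export-style form rendered without a user (no token).
SAMPLE_HTML = """
<html><body>
<form action="/cgi/users/home" method="post">
  <input id="csrf_token" name="csrf_token" type="hidden"
         value="1573375123:0123456789abcdef0123456789abcdef" />
  <input type="submit" value="Save" />
</form>
<form action="/cgi/export/eprint/123/BibTeX" method="get">
  <select name="format"><option>BibTeX</option></select>
  <input type="submit" value="Export" />
</form>
</body></html>
"""


class FormTokenScanner(HTMLParser):
    """Collect every <form> with its action and its csrf_token value (or None)."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "csrf_token": str | None}
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "csrf_token": None}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Match the exact hidden input the thread describes.
            if a.get("type") == "hidden" and a.get("name") == "csrf_token":
                self._current["csrf_token"] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_forms(html):
    """Return the list of forms found in the page with their csrf_token values."""
    parser = FormTokenScanner()
    parser.feed(html)
    parser.close()
    return parser.forms


def forms_missing_token(html):
    """Action URLs of forms that carry no csrf_token (what a scanner flags)."""
    return [f["action"] for f in scan_forms(html) if f["csrf_token"] is None]


def split_token(value):
    """Split 'TIMESTAMP:HASH' into (int, str); None if the layout is wrong."""
    ts, sep, digest = value.partition(":")
    if not sep or not ts.isdigit() or not digest:
        return None
    return int(ts), digest


if __name__ == "__main__":
    for form in scan_forms(SAMPLE_HTML):
        token = form["csrf_token"]
        parts = split_token(token) if token else None
        print(f"{form['action']}: token={'present' if token else 'MISSING'} parts={parts}")
```

<p>Running it against a saved page (for example the output of a logged-in session and of the public abstract page) lets you separate forms that genuinely lack the token from forms that are expected to lack it because no user context existed when they were generated.</p>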
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 10/11/2019 05:24, Maher Abdellatif Ahmad Qahwash wrote:<br>
</div>
<blockquote type="cite" cite="mid:df20f16c6e324168bc1d380bbabe3fbc@SRVINFMBX01.kfupm.edu.sa">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Newman,<o:p></o:p></span></p>
<p class="MsoNormal" dir="RTL" style="text-align:left;direction:rtl;unicode-bidi:embed" align="right">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It's a new installation and the file exists under this path (EPRINTS_PATH/archives/ARCHIVE_NAME/cfg/cfg.d), but our security team is doing a vulnerability scan using Acunetix and it's giving a CSRF Token missing error on all pages.<o:p></o:p></span></p>
<p class="MsoNormal" dir="RTL" style="text-align:left;direction:rtl;unicode-bidi:embed" align="right">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Is there a way we can verify that CSRF tokens are being applied?<o:p></o:p></span></p>
<p class="MsoNormal" dir="RTL" style="text-align:left;direction:rtl;unicode-bidi:embed" align="right">
<span dir="LTR" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Newman D.R. [<a class="moz-txt-link-freetext" href="mailto:drn@ecs.soton.ac.uk">mailto:drn@ecs.soton.ac.uk</a>]
<br>
<b>Sent:</b> Thursday, November 07, 2019 3:13 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:eprints-tech@ecs.soton.ac.uk">
eprints-tech@ecs.soton.ac.uk</a>; Maher Abdellatif Ahmad Qahwash<br>
<b>Subject:</b> Re: [EP-tech] CSRF<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Maher,<o:p></o:p></p>
<p>This depends on whether you have just created a new repository/archive or have upgraded to 3.4.1 for an existing archive. For the latter you will need to manually copy EPRINTS_PATH/lib/defaultcfg_zero/cfg.d/csrf_protection.pl to your archive (i.e. EPRINTS_PATH/archives/ARCHIVE_NAME/cfg.d/csrf_protection.pl).
Otherwise csrf_protection.pl should have been automatically added to your archive on creation. Either way it is best you change the csrf_token_salt config variable to something else. Generating a suitable token salt can be done using OpenSSL:<o:p></o:p></p>
<p>openssl rand -base64 8<o:p></o:p></p>
<p>8 characters should be more than sufficient, as the current time is also used in generating each token. Using the default token salt gives you improved security but is not ideal as a determined hacker could work out valid tokens they could use.<o:p></o:p></p>
<p>Regards<o:p></o:p></p>
<p>David Newman<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">On 07/11/2019 11:54, Maher Abdellatif Ahmad Qahwash via Eprints-tech wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Hi <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">We are running eprints 3.4.1 and would like to know if CSRF is enabled by default or we need to enable it in the configuration?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Thanks<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Maher<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt"><br>
<br>
<o:p></o:p></span></p>
<pre>*** Options: <a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech">http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech</a></pre>
<pre>*** Archive: <a href="http://www.eprints.org/tech.php/">http://www.eprints.org/tech.php/</a></pre>
<pre>*** EPrints community wiki: <a href="http://wiki.eprints.org/">http://wiki.eprints.org/</a></pre>
<pre>*** EPrints developers Forum: <a href="http://forum.eprints.org/">http://forum.eprints.org/</a></pre>
</blockquote>
</div>
</blockquote>
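<p>The earlier reply in the quoted thread explains that each token is built from the csrf_token_salt and the current time, that the salt should be replaced with a random value (for example from <code>openssl rand -base64 8</code>), and that a known default salt would let someone compute valid tokens. The following is an added illustration, not EPrints' own code or algorithm: it assumes an HMAC-SHA256 construction over the timestamp keyed by the salt, a token lifetime of one hour, and a constructed stand-in default salt. It shows why verification only holds for the salt the token was minted under, why expiry matters, and how to generate a salt of the same size as the OpenSSL command.</p>

```python
"""Illustrative TIMESTAMP:HASH CSRF token keyed by a secret salt, with expiry.

Added example. The real EPrints algorithm is not shown in the thread; this
assumes HMAC-SHA256(salt, timestamp) as the HASH part.
"""
import base64
import hashlib
import hmac
import secrets
import time

DEFAULT_SALT = "change_me"   # constructed stand-in for a shipped default value
TOKEN_LIFETIME = 3600        # assumed validity window in seconds


def generate_salt(nbytes=8):
    """Python equivalent of `openssl rand -base64 8`: 8 random bytes, base64."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def _mac(salt, ts_str):
    """Hex HMAC-SHA256 of the timestamp string under the salt (assumed scheme)."""
    return hmac.new(salt.encode("utf-8"), ts_str.encode("ascii"), hashlib.sha256).hexdigest()


def mint_token(salt, now=None):
    """Produce 'TIMESTAMP:HASH' for the current (or supplied) time."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_mac(salt, str(ts))}"


def verify_token(token, salt, now=None, lifetime=TOKEN_LIFETIME):
    """True only if the token is well-formed, unexpired, not from the future,
    and its HASH matches what this salt would have produced."""
    ts_str, sep, digest = token.partition(":")
    if not sep or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(time.time() if now is None else now)
    if not (0 <= current - ts <= lifetime):
        return False
    # Constant-time comparison so a wrong digest leaks no timing information.
    return hmac.compare_digest(_mac(salt, ts_str), digest)


if __name__ == "__main__":
    salt = generate_salt()
    print("fresh salt (use this instead of the default):", salt)
    token = mint_token(salt)
    print("token:", token)
    print("verifies with own salt:", verify_token(token, salt))
    print("verifies with default salt:", verify_token(token, DEFAULT_SALT))
```

<p>In this assumed scheme the token depends only on the salt and the time, which matches the thread's description; a production implementation would usually also bind the token to the session or user so that a token issued to one session cannot be reused by another.</p>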
</body>
</html>