Hi,
I wonder if you can elaborate on what this does:
"dspace-url/handle/%3Cscript%3Ealert%281%29%3C/script%3E"
Thanks,
Sue
Sue Walker-Thornton
Software Developer/Database Administrator
NASA Langley Research Center|LITES Contract
(757) 224-4074
From: "Oriol Olivé Comadira. Biblioteca UdG" [mailto:[email protected]]
Sent: Friday, December 17, 2010 3:54 AM
To: Thornton, Susan M. (LARC-B702)[LITES]; [email protected]
Subject: Re: [Dspace-tech] DSpace and Cross-site scripting/SQL Injection attack vulnerabilities?
Hi Sue,
DSpace 1.4.x and earlier were vulnerable to XSS and CSRF because DSpace prints
bad handle requests and doesn't clean them first...
With XSS you can steal the session cookie from the user who clicks the link,
and with CSRF (Cross site request foreign) you can execute requests with the
privileges of the user who clicks the link.
Normally, if a site was vulnerable to XSS it was vulnerable to CSRF too.
It's possible that any DSpace 1.5.x was vulnerable too.
You can try:
dspace-url/handle/%3Cscript%3Ealert%281%29%3C/script%3E
However, I believe that it is not vulnerable to SQL Injection.
Best,
On 17/12/2010 04:25, Thornton, Susan M. (LARC-B702)[LITES] wrote:
Hi,
I am trying to find out if DSpace has ever been tested for cross-site
scripting and/or SQL injection vulnerabilities?
Thanks in advance,
Sue
Sue Walker-Thornton
Software Developer/Database Administrator
NASA Langley Research Center|LITES Contract
SGT, Inc.|130 Research Drive
Hampton, Va. 23666
Office: (757) 224-4074
Mobile: (757) 506-9903
Fax: (757) 224-4001
[email protected]<mailto:[email protected]>
------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
DSpace-tech mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/dspace-tech
--
Oriol Olivé Comadira
Biblioteca Universitat de Girona
Projects
DUGi: Digital Repository of the Universitat de Girona<http://dugi.udg.edu>
DUGiDoc: Digital Document Repository of the Universitat de Girona<http://dugi-doc.udg.edu>
DUGiMedia: Digital Audio and Video Repository of the Universitat de Girona<http://diobma.udg.edu>
DUGiFonsEspecials: Repository of the Special Collections of the Library of the Universitat de Girona<http://dugifonsespecials.udg.edu>
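As an added example (not DSpace's own code), the following models the "bad handle" error page Oriol describes: once reflecting the decoded handle verbatim (the 1.4.x-era behaviour he outlines) and once HTML-escaping it, plus a handle-format check that would reject the probe path before anything is reflected. The page markup and the handle pattern are assumptions, not DSpace's real templates or handle rules.

```python
# Added example; the page markup and handle pattern below are assumptions,
# not DSpace's actual templates or handle syntax.
import re
from html import escape
from urllib.parse import unquote

# The probe URL quoted in the thread; the segment after /handle/ is URL-encoded.
PROBE_PATH = "/handle/%3Cscript%3Ealert%281%29%3C/script%3E"

# Assumed handle shape: numeric prefix, slash, alphanumeric suffix (e.g. 123456789/42).
HANDLE_RE = re.compile(r"^[0-9.]+/[A-Za-z0-9._-]+$")


def handle_from_path(path: str) -> str:
    """Return the URL-decoded handle portion of a /handle/... request path."""
    prefix = "/handle/"
    if not path.startswith(prefix):
        raise ValueError("not a handle URL")
    return unquote(path[len(prefix):])


def looks_like_handle(handle: str) -> bool:
    """Input validation: reject anything that is not a plausible handle."""
    return HANDLE_RE.match(handle) is not None


def vulnerable_not_found_page(handle: str) -> str:
    """Reflects the request verbatim, so any markup in it reaches the browser."""
    return f"<h1>Handle {handle} not found</h1>"


def safe_not_found_page(handle: str) -> str:
    """HTML-encodes the reflected value: '<', '>', '&' and quotes become entities."""
    return f"<h1>Handle {escape(handle, quote=True)} not found</h1>"


def reflects_markup(page: str) -> bool:
    """Crude check used here as a regression test: is a raw <script tag present?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    h = handle_from_path(PROBE_PATH)
    print("decoded handle:", h)
    print("valid handle? ", looks_like_handle(h))
    print("vulnerable page reflects markup:", reflects_markup(vulnerable_not_found_page(h)))
    print("escaped page reflects markup:   ", reflects_markup(safe_not_found_page(h)))
```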