On Thu, Jan 30, 2014 at 10:53:34AM -0600, Tim Donohue wrote:
> Hi Andrew,
>
> Sorry for the delay in response here. Been busy these past few days.
> Responses in-line below.
>
> On 1/27/2014 10:53 AM, Andrew Reid wrote:
> > Yes -- it happens both for my soon-to-deploy test system and
> > my mostly-clean DSpace 3.2 prototype. It's mod_jk from an Apache
> > front end to Tomcat in the back. There's a sym-link trick,
> > the actual app is behind a symlink with a "#" in it, which Tomcat
> > converts to a slash.
> > Long way to say that, yes, the base URL is <host>/dspace/xmlui.
> >
> > The actual URL that our security folks' scanner picked up was
> > "<host>/dspace/xmlui/static/js/discovery/badfile123.js", which is
> > apparently some kind of likely penetration vector. The actual
> > error is, "An error has occurred", which is apparently an HTTP 500
> > response.
> >
> > Without the "static" (for
> > "<host>/dspace/xmlui/js/discovery/badfile123.js"),
> > I get a different error, it's a "Resource not found", again with the
> > stack-traces.
> >
> > Since Friday, I have also subsequently heard that my security folks
> > are unhappy with the 500 response -- can you (or anyone) offer them
> > some assurances that this is benign? I noticed, while poking around,
> > that other public-facing DSpace installations do the same thing --
> > I won't mention any names, since it's at least possible it's some
> > kind of security issue.
>
> I am able to replicate the 500 response you are seeing. It *only*
> seems to occur for URLs of this structure:
>
> [dspace-xmlui-url]/static/*/*.js
> [dspace-xmlui-url]/static/*/*.css
> [dspace-xmlui-url]/static/*/*.json
>
> In other words, the XMLUI path must start with "/static/", and it
> must end with either ".js", ".css" or ".json". So, it's a very
> specific URL structure that throws this 500 response (all others
> will return 404 responses).

Actually, I am also seeing it for paths that start with "/theme/", for
whatever that's worth -- possibly the same idea, special processing is
happening?

> The underlying error *IS BENIGN*. Essentially, what is going on here
> is that we have some special processing to allow institutions to
> easily add custom Javascript or CSS files to their themes. Those
> custom files become available on the "/static" path.
>
> Currently, if someone attempts to reference a .js/.css/.json file
> which does NOT exist, DSpace code is unfortunately throwing a
> Java NullPointerException (as it's failing to check if the file
> actually exists). Here's the line where the NullPointerException is
> thrown:
> https://github.com/DSpace/DSpace/blob/master/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/ConcatenationReader.java#L174
>
> While this error is annoying and should be caught (and a proper 404
> returned), it is a benign error. No javascript is being executed,
> and no problems are being caused in your DSpace instance. It's just
> a minor bug in the code.
>
> That all being said, I've opened up a bug ticket to report this
> benign issue. It seems like it shouldn't be too hard to fix, so
> hopefully we can get someone to resolve it in the near future.
> Please feel free to forward this bug ticket on to your security
> folks if it helps:
> https://jira.duraspace.org/browse/DS-1896

Thanks so much for running that down -- I'm glad it's benign. The folks
who run the penetration testing set-up here also seemed to think it was
a mis-categorized 404, but they weren't sure, and the NullPointer bugged
them a lot.

I'm also unclear on the differences (which were discussed in text I've
deleted, for those following along at home) between your set-up and
mine -- I may try a simpler set-up in my copious spare time, just to see
if I can nail it down.

What I have actually done, in the interests of getting my system
deployed, is edited the xmlui/exception2html.xslt file to suppress the
trace-backs -- since your fixes inside the themes can miss some errors
thrown by xmlui, this seems like the right scope, although it does mean
that I don't have access to the styling.
From my perspective, that's a non-urgent issue that would be interesting
to follow up on. These measures are to get the system deployed, which is
now happening. I'm still interested in following up on doing this
better, and maybe getting the theme stuff right, but at a more leisurely
pace.

-- A.

--
Dr. Andrew C. E. Reid
Physical Scientist, Computer Operations Administrator
Center for Theoretical and Computational Materials Science
National Institute of Standards and Technology, Mail Stop 8555
Gaithersburg MD 20899 USA
[email protected]

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
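The bug class discussed in the thread, a static-resource handler that looks a file up, gets nothing back for a missing file, and then dereferences the null so the container answers 500 with a stack trace instead of 404, as an added illustration. This is not DSpace or Cocoon code; the class `StaticResourceResolver`, its `Result` type, the `resolveUnchecked` / `resolveChecked` methods and the temporary directory layout in `main` are all assumptions made up for the example. `resolveUnchecked` models the unchecked path, `resolveChecked` shows the existence check plus an extension allow-list and confinement to the base directory, and the 500 branch returns only a generic message, which is the same effect Andrew gets from editing `exception2html.xslt`, applied at the handler instead of the presentation layer.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;

// Hypothetical static-resource resolver (example code, not DSpace's own).
public class StaticResourceResolver {

    // What the handler would send back; mirrors the HTTP status code.
    public static final class Result {
        public final int status;      // 200, 404 or 500
        public final Path file;       // non-null only when status == 200
        public final String message;  // safe for the client: no stack trace

        Result(int status, Path file, String message) {
            this.status = status;
            this.file = file;
            this.message = message;
        }

        @Override
        public String toString() {
            return "HTTP " + status + " " + message;
        }
    }

    // Only the asset types the thread mentions are served at all.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of(".js", ".css", ".json");

    private final Path baseDir;

    public StaticResourceResolver(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    // Shared lookup: confine the request to baseDir and return null when nothing is there.
    private Path lookup(String requestPath) {
        String relative = requestPath.startsWith("/") ? requestPath.substring(1) : requestPath;
        Path candidate = baseDir.resolve(relative).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null; // escaped the asset directory: treat like a missing file
        }
        return Files.exists(candidate) ? candidate : null;
    }

    private static boolean hasAllowedExtension(String requestPath) {
        String lower = requestPath.toLowerCase(Locale.ROOT);
        for (String ext : ALLOWED_EXTENSIONS) {
            if (lower.endsWith(ext)) {
                return true;
            }
        }
        return false;
    }

    // Unchecked variant: the null from lookup() is dereferenced, so a missing file
    // becomes a NullPointerException and, in a real container, a 500 error page.
    public Result resolveUnchecked(String requestPath) {
        try {
            Path found = lookup(requestPath);
            long size = Files.size(found);  // NullPointerException when found == null
            return new Result(200, found, "ok (" + size + " bytes)");
        } catch (RuntimeException | IOException e) {
            // Generic text only; the exception detail stays in the server log.
            return new Result(500, null, "An error has occurred");
        }
    }

    // Checked variant: validate the extension, then test existence before use,
    // so a missing asset is a plain 404 rather than an exception.
    public Result resolveChecked(String requestPath) {
        if (!hasAllowedExtension(requestPath)) {
            return new Result(404, null, "Resource not found");
        }
        Path found = lookup(requestPath);
        if (found == null || !Files.isRegularFile(found)) {
            return new Result(404, null, "Resource not found");
        }
        return new Result(200, found, "ok");
    }

    // Constructed demo: one real asset under a temporary directory, one missing one.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("static-demo");
        Path realFile = base.resolve("js/discovery/ok.js");
        Files.createDirectories(realFile.getParent());
        Files.writeString(realFile, "console.log('hi');\n");

        StaticResourceResolver resolver = new StaticResourceResolver(base);
        String[] requests = { "/js/discovery/ok.js", "/js/discovery/badfile123.js" };
        for (String r : requests) {
            System.out.println(r + " -> unchecked: " + resolver.resolveUnchecked(r)
                    + " | checked: " + resolver.resolveChecked(r));
        }
    }
}
```

Run with `java StaticResourceResolver.java` (Java 11 or later): the existing asset resolves to 200 in both variants, while the missing one yields "HTTP 500 An error has occurred" from the unchecked path and "HTTP 404 Resource not found" from the checked one. From a scanner's point of view the 404 is the correct signal; the 500 is what made the security folks nervous, and the generic message on that branch is the defence-in-depth layer for any other exception the handler has not anticipated.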

