Hi Sue,

DSpace 1.4.x and earlier was vulnerable to XSS and CSRF because DSpace printed bad handle requests and didn't clean them before... With XSS you can steal the session cookie of the user who clicks the link, and with CSRF (Cross-Site Request Forgery) you can execute requests with the privileges of the user who clicks the link.
Normally, if a site was vulnerable to XSS it was vulnerable to CSRF too.

It's possible that any DSpace 1.5.x was vulnerable too.

You can try:
dspace-url/handle/%3Cscript%3Ealert%281%29%3C/script%3E


However, I believe that it is not vulnerable to SQL injection.

Best,



On 17/12/2010 04:25, Thornton, Susan M. (LARC-B702)[LITES] wrote:

Hi,

I am trying to find out if DSpace has ever been tested for cross-site scripting and/or SQL injection vulnerabilities?

Thanks in advance,

Sue

Sue Walker-Thornton
Software Developer/Database Administrator
NASA Langley Research Center | LITES Contract
SGT, Inc. | 130 Research Drive
Hampton, Va. 23666
Office: (757) 224-4074
Mobile: (757) 506-9903
Fax: (757) 224-4001
susan.m.thorn...@nasa.gov


------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d


_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech

--
Oriol Olivé Comadira
Biblioteca Universitat de Girona
Projects
DUGi: Repositori Digital de la Universitat de Girona <http://dugi.udg.edu>
DUGiDoc: Repositori Digital de Documents de la Universitat de Girona <http://dugi-doc.udg.edu>
DUGiMedia: Repositori Digital d'Àudio i Vídeo de la Universitat de Girona <http://diobma.udg.edu>
DUGiFonsEspecials: Repositori dels Fons Especials de la Biblioteca de la Universitat de Girona <http://dugifonsespecials.udg.edu>
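The check Oriol describes (request a handle that contains script markup and see whether the "handle not found" page reflects it without escaping) as a small probe script. This is an added example, not code from the thread or from DSpace: the two page builders are constructed stand-ins for a DSpace error page, the base URL `http://repo.example/dspace` is hypothetical, and `fetch` is whatever callable you use to retrieve a URL (for a live check, a thin wrapper around `urllib.request.urlopen`).

```python
"""Probe a DSpace-style "handle not found" page for unescaped reflection of the
requested handle (the reflected-XSS check described in the reply above).

Added example, not DSpace code. The two page builders are constructed stand-ins
for an error page that echoes the bad handle; `fetch` is any callable that takes
a URL and returns the response body as text.
"""
import html
from typing import Callable, Tuple
from urllib.parse import quote, unquote

# The payload from the probe URL in the reply: <script>alert(1)</script>
PROBE_PAYLOAD = "<script>alert(1)</script>"


def probe_url(base_url: str) -> str:
    """Build dspace-url/handle/<URL-encoded payload>.  quote() leaves '/' alone,
    so the result is exactly the URL shown in the reply."""
    return base_url.rstrip("/") + "/handle/" + quote(PROBE_PAYLOAD)


def requested_handle(url: str) -> str:
    """Extract and URL-decode the handle part of a /handle/... URL, i.e. the
    value the servlet would see after the container decodes the path."""
    return unquote(url.split("/handle/", 1)[1])


def vulnerable_error_page(url: str) -> str:
    """Constructed stand-in: writes the decoded handle straight into the HTML."""
    return ("<html><body><p>Handle " + requested_handle(url)
            + " not found</p></body></html>")


def hardened_error_page(url: str) -> str:
    """Same page, but the handle is HTML-escaped before it is written out, so the
    browser renders the text instead of executing it."""
    return ("<html><body><p>Handle "
            + html.escape(requested_handle(url), quote=True)
            + " not found</p></body></html>")


def reflects_unescaped(body: str, payload: str = PROBE_PAYLOAD) -> bool:
    """True when the raw payload markup appears verbatim in the body.  An escaped
    reflection (&lt;script&gt;...) is harmless and does not count."""
    return payload in body


def check_handle_reflection(base_url: str,
                            fetch: Callable[[str], str]) -> Tuple[str, bool]:
    """Request the probe URL through `fetch` and report (url, vulnerable)."""
    url = probe_url(base_url)
    return url, reflects_unescaped(fetch(url))


if __name__ == "__main__":
    # Offline demonstration against the two constructed pages.  For a live
    # repository, pass a fetch() that performs the HTTP request instead.
    for name, page in (("vulnerable", vulnerable_error_page),
                       ("hardened", hardened_error_page)):
        url, bad = check_handle_reflection("http://repo.example/dspace", page)
        print(f"{name}: {url} -> {'reflects unescaped' if bad else 'escaped'}")
```

The probe only catches reflection into an HTML text context; a handle echoed inside an attribute or a script block needs a payload shaped for that context, and a repository that returns a redirect or a generic error page for bad handles will simply report "escaped" because nothing is reflected at all.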
