[jira] [Commented] (CONNECTORS-1596) brute-force vulnerability

2019-03-27 Thread Karl Wright (JIRA)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1596?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16803005#comment-16803005
 ] 

Karl Wright commented on CONNECTORS-1596:
-

The ManifoldCF UI is not expected to be used in an open web environment, but in 
a back-office environment.  Security protections designed to prevent remote 
hackers from getting into the UI using sophisticated tools are therefore not 
expected.

Similarly, there will be no attempt to implement dual-factor authentication for 
the MCF admin UI.


> brute-force vulnerability
> -
>
> Key: CONNECTORS-1596
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1596
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: API
>Affects Versions: ManifoldCF 2.12
>Reporter: roel goovaerts
>Priority: Minor
>
> As a result of a pen test, it appears there is no functionality to counter 
> brute-force attacks for logging in.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (CONNECTORS-1595) cross-site request forgery vulnerability

2019-03-27 Thread Karl Wright (JIRA)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16802998#comment-16802998
 ] 

Karl Wright commented on CONNECTORS-1595:
-

Please describe (1) what the attack looks like and (2) how this compromises MCF 
security.


> cross-site request forgery vulnerability
> 
>
> Key: CONNECTORS-1595
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1595
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: API
>Affects Versions: ManifoldCF 2.12
>Reporter: roel goovaerts
>Priority: Minor
>
> It appears that ManifoldCF does not implement any CSRF protection.





[jira] [Commented] (CONNECTORS-1594) insecure cookie configuration vulnerability

2019-03-27 Thread Karl Wright (JIRA)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16802996#comment-16802996
 ] 

Karl Wright commented on CONNECTORS-1594:
-

The issue described will not in any way hijack what MCF indexes.  The concern 
is that the session ID can be retrieved by a man-in-the-middle should you be 
crawling a Broadvision site that has both http and https pages.  I would argue 
that that is in fact a site design issue, not an MCF security vulnerability.



> insecure cookie configuration vulnerability
> ---
>
> Key: CONNECTORS-1594
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: API
>Affects Versions: ManifoldCF 2.12
>Reporter: roel goovaerts
>Priority: Minor
>
> The application session cookie "JSESSIONID" does not have Secure and HTTPOnly 
> flags set.
> The application uses an HTTP cookie as session identifier. The Set-Cookie 
> instruction sent by the application to the browser does not specifically 
> instruct the browser to only use the cookie on secure communication channels 
> (HTTPS). As the instruction is missing, browsers will fall back to their 
> default setting, generally meaning that the cookie will be used on both 
> secure and insecure communication channels.





[jira] [Commented] (CONNECTORS-1597) reflected cross-site scripting vulnerability

2019-03-27 Thread Karl Wright (JIRA)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16802984#comment-16802984
 ] 

Karl Wright commented on CONNECTORS-1597:
-

Please give more details.
Bear in mind that ManifoldCF does not execute any JavaScript, so offhand I find 
this hard to believe.


> reflected cross-site scripting vulnerability
> 
>
> Key: CONNECTORS-1597
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: API
>Affects Versions: ManifoldCF 2.12
>Reporter: roel goovaerts
>Priority: Minor
>
> As a result of a pen test, a reflected cross-site scripting vulnerability 
> was discovered.





[jira] [Created] (CONNECTORS-1597) reflected cross-site scripting vulnerability

2019-03-27 Thread roel goovaerts (JIRA)
roel goovaerts created CONNECTORS-1597:
--

 Summary: reflected cross-site scripting vulnerability
 Key: CONNECTORS-1597
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
 Project: ManifoldCF
  Issue Type: Improvement
  Components: API
Affects Versions: ManifoldCF 2.12
Reporter: roel goovaerts


As a result of a pen test, a reflected cross-site scripting vulnerability was 
discovered.





[jira] [Updated] (CONNECTORS-1594) insecure cookie configuration vulnerability

2019-03-27 Thread roel goovaerts (JIRA)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

roel goovaerts updated CONNECTORS-1594:
---
Summary: insecure cookie configuration vulnerability  (was: insecure cookie 
configuration)

> insecure cookie configuration vulnerability
> ---
>
> Key: CONNECTORS-1594
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: API
>Affects Versions: ManifoldCF 2.12
>Reporter: roel goovaerts
>Priority: Minor
>
> The application session cookie "JSESSIONID" does not have Secure and HTTPOnly 
> flags set.
> The application uses an HTTP cookie as session identifier. The Set-Cookie 
> instruction sent by the application to the browser does not specifically 
> instruct the browser to only use the cookie on secure communication channels 
> (HTTPS). As the instruction is missing, browsers will fall back to their 
> default setting, generally meaning that the cookie will be used on both 
> secure and insecure communication channels.





[jira] [Updated] (CONNECTORS-1596) brute-force vulnerability

2019-03-27 Thread roel goovaerts (JIRA)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1596?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

roel goovaerts updated CONNECTORS-1596:
---
Summary: brute-force vulnerability  (was: brute-force protection)

> brute-force vulnerability
> -
>
> Key: CONNECTORS-1596
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1596
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: API
>Affects Versions: ManifoldCF 2.12
>Reporter: roel goovaerts
>Priority: Minor
>
> As a result of a pen test, it appears there is no functionality to counter 
> brute-force attacks for logging in.





[jira] [Updated] (CONNECTORS-1595) cross-site request forgery vulnerability

2019-03-27 Thread roel goovaerts (JIRA)


 [ 
https://issues.apache.org/jira/browse/CONNECTORS-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

roel goovaerts updated CONNECTORS-1595:
---
Summary: cross-site request forgery vulnerability  (was: cross-site request 
forgery)

> cross-site request forgery vulnerability
> 
>
> Key: CONNECTORS-1595
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1595
> Project: ManifoldCF
>  Issue Type: Improvement
>  Components: API
>Affects Versions: ManifoldCF 2.12
>Reporter: roel goovaerts
>Priority: Minor
>
> It appears that ManifoldCF does not implement any CSRF protection.





[jira] [Created] (CONNECTORS-1596) brute-force protection

2019-03-27 Thread roel goovaerts (JIRA)
roel goovaerts created CONNECTORS-1596:
--

 Summary: brute-force protection
 Key: CONNECTORS-1596
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1596
 Project: ManifoldCF
  Issue Type: Improvement
  Components: API
Affects Versions: ManifoldCF 2.12
Reporter: roel goovaerts


As a result of a pen test, it appears there is no functionality to counter 
brute-force attacks for logging in.





[jira] [Created] (CONNECTORS-1595) cross-site request forgery

2019-03-27 Thread roel goovaerts (JIRA)
roel goovaerts created CONNECTORS-1595:
--

 Summary: cross-site request forgery
 Key: CONNECTORS-1595
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1595
 Project: ManifoldCF
  Issue Type: Improvement
  Components: API
Affects Versions: ManifoldCF 2.12
Reporter: roel goovaerts


It appears that ManifoldCF does not implement any CSRF protection.





[jira] [Created] (CONNECTORS-1594) insecure cookie configuration

2019-03-27 Thread roel goovaerts (JIRA)
roel goovaerts created CONNECTORS-1594:
--

 Summary: insecure cookie configuration
 Key: CONNECTORS-1594
 URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
 Project: ManifoldCF
  Issue Type: Improvement
  Components: API
Affects Versions: ManifoldCF 2.12
Reporter: roel goovaerts


The application session cookie "JSESSIONID" does not have Secure and HTTPOnly 
flags set.

The application uses an HTTP cookie as session identifier. The Set-Cookie 
instruction sent by the application to the browser does not specifically 
instruct the browser to only use the cookie on secure communication channels 
(HTTPS). As the instruction is missing, browsers will fall back to their 
default setting, generally meaning that the cookie will be used on both secure 
and insecure communication channels.



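A check for exactly the condition this ticket describes, as an added example that is not ManifoldCF's own code: a small Python audit of captured Set-Cookie response headers (the cookie value and path in SAMPLE_HEADERS are constructed) that flags a JSESSIONID missing Secure or HttpOnly, plus a helper that shows what the hardened header looks like. It also covers the practitioner's caveat that a cookie marked Secure is dropped by the browser when the admin UI is served over plain http, so the flag must go together with serving the UI over HTTPS.

```python
from dataclasses import dataclass, field

SESSION_COOKIE_NAMES = {"JSESSIONID"}  # the cookie named in the finding

@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    findings: list[str] = field(default_factory=list)

def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split 'name=value; Attr; Attr=val'; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return CookieAudit(name=name, secure="secure" in attrs, http_only="httponly" in attrs)

def audit_headers(headers: list[tuple[str, str]], over_https: bool = True) -> list[CookieAudit]:
    """Flag session cookies that would travel over http:// or be readable from page script."""
    results = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        audit = parse_set_cookie(hvalue)
        if audit.name not in SESSION_COOKIE_NAMES:
            continue
        if not audit.secure:
            audit.findings.append("missing Secure: browser will also send it over http://")
        if not audit.http_only:
            audit.findings.append("missing HttpOnly: readable via document.cookie")
        if audit.secure and not over_https:  # caveat: Secure on a plain-http UI breaks login
            audit.findings.append("Secure set but UI served over http: browser drops the cookie")
        results.append(audit)
    return results

def hardened(header_value: str) -> str:
    """Return the same Set-Cookie value with Secure and HttpOnly appended where absent."""
    audit = parse_set_cookie(header_value)
    out = header_value.rstrip("; ")
    if not audit.secure:
        out += "; Secure"
    if not audit.http_only:
        out += "; HttpOnly"
    return out

# Constructed sample Set-Cookie header, shaped as the finding describes: no flags on JSESSIONID.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=node0example1234.node0; Path=/ui"),  # constructed value
]
```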


Re: intro

2019-03-27 Thread Matteo Grolla
Sorry for the delay,
  I would have answered today.
Greet Piergiorgio on my behalf

Matteo Grolla

On Wed, 20 Mar 2019 at 13:54 ashish kumar singh <
ashishrohitraj...@gmail.com> wrote:

> Thanks for your help, I have talked to Piergiorgio.
>
> On Wednesday, March 20, 2019, Karl Wright  wrote:
>
> > Hello Ashish,
> >
> > Welcome!
> >
> > The fellow you need to interact with for the Azure connector is
> > Piergiorgio Lucidi.  Have you talked with him?
> >
> > Karl
> >
> >
> > On Wed, Mar 20, 2019 at 3:15 AM ashish kumar singh <
> > ashishrohitraj...@gmail.com> wrote:
> >
> > > Hi! My name is Ashish Kumar Singh. I am a 3rd year B.Tech undergraduate
> > > in Computer Science at Galgotias University, Uttar Pradesh, India. I would
> > > like to contribute to the GSOC project, Azure Storage Repository Connector.
> > >
> >
>

-- 
The information transmitted is intended only for the person and/or company 
to which it is addressed and may contain confidential documents and/or 
reserved material. Any modification, forwarding, dissemination or other 
use of the information transmitted by persons and/or companies other than 
the indicated recipients is prohibited under Law 196/2003. If you have 
received this e-mail in error, please contact the sender and delete this 
information from every computer.

The information 
contained in this message is intended only for use of the individual(s) 
named above and may contain confidential, proprietary or legally privileged 
information. No confidentiality or privilege is waived or lost by any 
mistransmission. If you are not the intended recipient of this message you 
are hereby notified that you must not use, disseminate, copy it in any form 
or take any action in reliance of it. If you have received this message in 
error please delete it and any copies of it and notify the sender 
immediately.


[jira] [Commented] (CONNECTORS-1491) GSOC: Azure Storage Output Connector

2019-03-27 Thread Xin Chen (JIRA)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16802656#comment-16802656
 ] 

Xin Chen commented on CONNECTORS-1491:
--

Hi [~piergiorgioluc...@gmail.com], 

I'm a second-year student in a master's program at the [University of Science and 
Technology of China|https://www.ustc.edu.cn/] and am interested in taking this 
feature as my project for GSOC 2019.

I have already submitted my proposal today. Can you guide me with the 
proceedings?

Thanks:)

> GSOC: Azure Storage Output Connector
> 
>
> Key: CONNECTORS-1491
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1491
> Project: ManifoldCF
>  Issue Type: New Feature
>  Components: Azure Storage Output Connector
>Reporter: Piergiorgio Lucidi
>Assignee: Piergiorgio Lucidi
>Priority: Major
>  Labels: cloud, gsoc2018, gsoc2019, java, junit
>   Original Estimate: 480h
>  Remaining Estimate: 480h
>
> This is a project idea for [Google Summer of 
> Code|https://summerofcode.withgoogle.com/] (GSOC).
> To discuss this or other ideas with your potential mentor from the Apache 
> ManifoldCF project, sign up and post to the dev@manifoldcf.apache.org list, 
> including "[GSOC]" in the subject. You may also comment on this Jira issue if 
> you have created an account. 
> We would like to extend the Content Migration capabilities by adding Azure 
> Storage as a new output connector for importing content from one or more 
> repositories supported by ManifoldCF. In this way we will help developers 
> migrate content from different data sources to Azure Storage.
> You will be involved in the development of the following tasks; you will 
> learn how to:
>  * Write the connector implementation
>  * Implement unit tests
>  * Build all the integration tests for testing the connector inside the 
> framework
>  * Write the documentation for this connector
> You will find a technical description about all the references to the Azure 
> Java SDK on an existing issue on our JIRA:
> https://issues.apache.org/jira/browse/CONNECTORS-1441
>  
> We have a complete documentation on how to implement an Output Connector:
> [https://manifoldcf.apache.org/release/release-2.9.1/en_US/writing-output-connectors.html]
> Take a look at our book to understand better the framework and how to 
> implement connectors:
> [https://github.com/DaddyWri/manifoldcfinaction/tree/master/pdfs]
>  
> Prospective GSOC mentor: 
> [piergior...@apache.org|mailto:piergior...@apache.org]


