CSRF and XSS vulnerabilities in server manager

(Davide Principi) #1

On August 28 2017 23:55 UTC two vulnerabilities affecting the server manager (web management UI) of NethServer have been reported by Gjoko ‘LiquidWorm’ Krstic.

Both NS 6 and NS 7 versions are affected.

I’m working on a fix for the UI framework, Nethgui. Further fixes to individual packages could be required, especially for NS7.

You can mitigate the issue by executing the logoff immediately after using the Server Manager.
See also Personal Safety CSRF Tips for Users (owasp.org) for more best practices…

/cc @dev_team @quality_team


(Davide Principi) #2

The fix is ready for testing! Packages are available for both ns6 and ns7. /cc @quality_team

https://github.com/NethServer/dev/issues/5345

A new FileUpload Nethgui widget has been implemented to automate CSRF token handling in HTML FORM tags. /cc @dev_team

This is an example of how to use the new FileUpload widget, substituting the previous workaround:

https://github.com/NethServer/nethserver-openvpn/pull/24/files
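As an added example, not Nethgui's code and not the widget linked above, the following shows the synchronizer-token pattern that a form-upload widget of this kind has to automate: a per-session secret token is emitted in a hidden field of the multipart form, and every POST is rejected unless the submitted token matches the session's token (compared in constant time), the session is still alive, and any Origin header the browser sent belongs to the site. It also shows why the logoff mitigation from post #1 works: once the session is destroyed, the token bound to it is worthless. The in-memory session store, the hidden-field name `__csrf_token`, the `/upload` action and the example origins are assumptions made for this illustration.

```python
"""Synchronizer-token CSRF protection for a multipart file-upload form.

Added example, not Nethgui or NethServer code. The session store, the
hidden-field name, the /upload action and the origins are assumptions.
"""
import hmac
import re
import secrets
from html import escape
from typing import Dict, Optional

SESSIONS: Dict[str, dict] = {}   # constructed in-memory session store (assumption)
TOKEN_FIELD = "__csrf_token"     # hidden-field name (assumption)


def start_session() -> str:
    """Create a session and bind one fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def logoff(sid: str) -> None:
    """Destroy the session; the CSRF token bound to it dies with it."""
    SESSIONS.pop(sid, None)


def render_upload_form(sid: str, action: str = "/upload") -> str:
    """Emit the upload form with the session token in a hidden field.

    Attribute values are HTML-escaped so neither the token nor the action
    can break out of the tag (the XSS side of the same kind of report).
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        f'<form method="post" action="{escape(action)}" enctype="multipart/form-data">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{escape(token)}">\n'
        '  <input type="file" name="upload">\n'
        '  <button type="submit">Upload</button>\n'
        '</form>'
    )


def extract_hidden_token(html: str) -> Optional[str]:
    """What the legitimate browser does: resubmit the hidden field it was served."""
    m = re.search(rf'name="{TOKEN_FIELD}" value="([^"]*)"', html)
    return m.group(1) if m else None


def validate_csrf(sid: str, form_fields: dict, origin: Optional[str], site_origin: str) -> bool:
    """Server-side check for a state-changing POST.

    Rejects when the session is gone, when the browser sent an Origin that is
    not ours, or when the submitted token differs from the session token.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    if origin is not None and origin != site_origin:
        return False
    submitted = form_fields.get(TOKEN_FIELD)
    if not isinstance(submitted, str):
        return False
    # constant-time comparison: no timing leak about how many bytes matched
    return hmac.compare_digest(submitted, session["csrf_token"])


def demo() -> Dict[str, bool]:
    """Exercise the legitimate flow and the forged cross-site cases."""
    site = "https://server-manager.example"      # assumed site origin
    evil = "https://evil.example"                # assumed attacker origin
    sid = start_session()
    token = extract_hidden_token(render_upload_form(sid))
    results = {
        # same-site browser submission carrying the served token
        "legit": validate_csrf(sid, {TOKEN_FIELD: token, "upload": b"..."}, site, site),
        # cross-site auto-submitted form: the cookie (sid) rides along, the token does not
        "forged_no_token": validate_csrf(sid, {"upload": b"..."}, evil, site),
        # attacker guesses a token
        "forged_wrong_token": validate_csrf(sid, {TOKEN_FIELD: secrets.token_urlsafe(32)}, evil, site),
        # even a leaked token is refused when the browser reports a foreign Origin
        "right_token_wrong_origin": validate_csrf(sid, {TOKEN_FIELD: token}, evil, site),
    }
    logoff(sid)
    # the logoff mitigation: the old token no longer validates for anyone
    results["after_logoff"] = validate_csrf(sid, {TOKEN_FIELD: token}, site, site)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} accepted={ok}")
```

The Origin check is a second, independent layer: old or non-browser clients may omit the header, so its absence is tolerated here and the token remains the mandatory control. Note that the token only defends a form if the widget actually puts it into the form; that is the class of per-package omission post #1 warns about.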


(Stéphane de Labrusse) #3

Thank you 🙂


(Giacomo Sanchietti) #4

All packages have been released.

