Potential security issue


Evan Genske

Apr 22, 2026, 6:30:27 PM
to gen...@soe.ucsc.edu
Hi there,
I'm a cybersecurity student at KSU and was poking around online and came across what looks to be an admin endpoint for the genome browser. It is linked below.

hgdownload.soe.ucsc.edu/admin/

Not sure how big of a security risk this is; a lot of it is already accessible via the publicly accessible GitHub, but there's some exposed config files and a MariaDB dump file (not sure what defenses you have in place but this would make it a lot easier for someone to construct an SQLi attack against your server). The exposed MariaDB dump file also shows information such as what (outdated) version of MariaDB is running (which is apparent given the fact that the dump is from 2 weeks prior to this email).

If you have any questions, let me know and I'll try to be of assistance.

- Evan Genske

Jairo Navarro Gonzalez

Apr 24, 2026, 9:12:02 PM
to Evan Genske, gen...@soe.ucsc.edu

Hello,

Thank you for using the UCSC Genome Browser and sending your inquiry.

We've reviewed the issues you mentioned and can confirm this isn't a security concern at this time. Thank you again for reaching out about this potential security concern. We appreciate responsible disclosure from the cybersecurity community.

If you have any further questions, please reply to gen...@soe.ucsc.edu.
All messages sent to that address are archived on a publicly accessible Google Groups forum.
If your question includes sensitive data, you may send it instead to genom...@soe.ucsc.edu.

Jairo Navarro
UCSC Genome Browser

