Security Fix for Islandora 7.x-1.2 and above


Islandora

Apr 22, 2016, 1:26:36 PM4/22/16
to isla...@googlegroups.com, island...@googlegroups.com
A security issue has been identified in core Islandora by Mitchell MacKenzie that would allow an attacker to use some of its endpoints as open proxies. A hotfix patch has been developed for immediate application that disables the functionality of these endpoints. It takes the form of two modules, each of which closes one of the endpoints in question. Updates for the modules affected have also been proposed and will be released as soon as possible so that the patched functionality can be restored.
Drupal's security risk level definition would qualify this vulnerability as:
11/25 (Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
The risk is mitigated by the fact that it requires an above-average knowledge of the internals of Drupal and the Islandora stack to discover and exploit, and by the fact that server configuration can plug potential targets of open proxies.
Hotfix: https://github.com/Islandora-Labs/islandora_patches
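For readers who want to see what "a module that closes an endpoint" looks like in Drupal 7 terms, here is an added example. It is not the code of the islandora_patches hotfix (whose contents are not reproduced in this thread) and the module name islandora_close_print is an assumption; the router path it removes, islandora/object/%islandora_object/print, is the one discussed later in the thread. It also serves Jared's later point that an endpoint exists on every site whether or not the site uses it: the verification helper checks the router table, not whether any page links to the path.

```php
<?php
/**
 * @file
 * islandora_close_print.module (hypothetical module name; added example,
 * not the Islandora project's own hotfix).
 *
 * Needs a companion islandora_close_print.info containing at least:
 *   name = Islandora close print endpoint
 *   core = 7.x
 *   dependencies[] = islandora
 * Enable the module, then rebuild the menu router (e.g. drush cc all)
 * so the change is written to the {menu_router} table.
 */

/**
 * Router paths this hotfix removes.
 *
 * Only the path discussed in this thread is listed; add an entry only for
 * an endpoint you have confirmed needs closing.
 */
function islandora_close_print_closed_paths() {
  return array(
    'islandora/object/%islandora_object/print',
  );
}

/**
 * Implements hook_menu_alter().
 *
 * Drupal calls this after collecting every module's hook_menu() items and
 * before writing them to the router table, so unsetting the entry here
 * removes the route entirely: requests to it get a 404 and never reach the
 * original page callback.
 */
function islandora_close_print_menu_alter(&$items) {
  foreach (islandora_close_print_closed_paths() as $path) {
    if (isset($items[$path])) {
      unset($items[$path]);
      watchdog('islandora_close_print', 'Removed router item %path.',
        array('%path' => $path), WATCHDOG_NOTICE);
    }
  }
}

/**
 * Verification helper: reports whether each closed path is still routable.
 *
 * Reads the {menu_router} table directly (its path column holds the raw
 * router path with wildcards), so the result does not depend on any object
 * existing. Run after a cache clear, for example:
 *   drush php-eval 'var_dump(islandora_close_print_verify());'
 *
 * @return array
 *   path => TRUE when the route is gone, FALSE when it is still registered.
 */
function islandora_close_print_verify() {
  $result = array();
  foreach (islandora_close_print_closed_paths() as $path) {
    $exists = (bool) db_query(
      'SELECT 1 FROM {menu_router} WHERE path = :path',
      array(':path' => $path)
    )->fetchField();
    $result[$path] = !$exists;
  }
  return $result;
}
```

Two design notes. Unsetting the item makes the path answer 404; if you would rather keep the route registered but blocked (a 403 that shows up in access logs as a denied request), set `$items[$path]['access callback'] = FALSE;` in the same hook instead of unsetting. Either way the change only takes effect once the menu router is rebuilt, which is the usual reason a freshly enabled hotfix "does nothing" until caches are cleared; the verify function exists so that can be confirmed from the server rather than by trying the URL in a browser.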

bro...@barnard.edu

Apr 22, 2016, 4:40:55 PM4/22/16
to islandora, comm...@islandora.ca
Can this be 'pinned'?

Simon Mai

Apr 25, 2016, 9:49:00 AM4/25/16
to islandora-dev, isla...@googlegroups.com, comm...@islandora.ca
Hi,
I installed the patch for our sites.
The 1st disable download clip is disabled correctly, yet the 2nd one isn't.
Is the second one printing? I still seem to be able to print fine.
Looking at the code, you disable this menu link: islandora/object/%islandora_object/print
but is that link supposed to be like this: islandora/object/%islandora_object/print_object
Thanks.
Simon.

Jared Whiklo

Apr 27, 2016, 8:21:29 AM4/27/16
to isla...@googlegroups.com, island...@googlegroups.com, comm...@islandora.ca

Hi Simon,

There are actually 2 print endpoints. One at /Islandora/object/<PID>/print and one at /Islandora/object/<PID>/print_object.

I'm not actually sure why there are two, but the one that was shut down is used by the openSeadragon module and this is where the vulnerability was located.

So even though you don't use it, that endpoint did still exist.

Cheers,
Jared

--
For more information about using this group, please read our Listserv Guidelines: http://islandora.ca/content/welcome-islandora-listserv
---
You received this message because you are subscribed to the Google Groups "islandora" group.
To unsubscribe from this group and stop receiving emails from it, send an email to islandora+...@googlegroups.com.
Visit this group at https://groups.google.com/group/islandora.
To view this discussion on the web visit https://groups.google.com/d/msgid/islandora/6809def2-8590-42ec-9b58-af59a1fb7127%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

dl...@islandora.ca

Feb 2, 2017, 8:54:57 AM2/2/17
to islandora, island...@googlegroups.com, comm...@islandora.ca
This issue has been resolved (for a while now), so I'm leaving this notice up to make sure people know and unpinning this thread in two weeks.

~Danny


On Wednesday, April 27, 2016 at 9:21:29 AM UTC-3, Jared Whiklo wrote:

Hi Simon,

There are actually 2 print endpoints. One at /Islandora/object/<PID>/print and one at /Islandora/object/<PID>/print_object.

I'm not actually sure why there are two, but the one that was shut down is used by the openSeadragon module and this is where the vulnerability was located.

So even though you don't use it, that endpoint did still exist.

Cheers,
Jared

On 25 Apr 2016 8:49 a.m., "Simon Mai" <master....@gmail.com> wrote:
Hi,
I installed the patch for our sites.
The 1st disable download clip is disabled correctly, yet the 2nd one isn't.
Is the second one printing? I still seem to be able to print fine.
Looking at the code, you disable this menu link: islandora/object/%islandora_object/print
but is that link supposed to be like this: islandora/object/%islandora_object/print_object
Thanks.
Simon.
