Possible vulnerability detected - DSpace 6.3

[Hernan Carvajal Briceño]

Hello.

I'm finding this kind of alerts in the logs of Apache:

114.113.145.25 - - [22/Apr/2021:07:36:46 -0400] "GET /thinkphp/html/public/index.php HTTP/1.1" 302 247
112.124.1.110 - - [20/Apr/2021:04:05:44 -0400] "GET /thinkphp/html/public/index.php HTTP/1.1" 302 247
81.70.203.63 - - [20/Apr/2021:02:41:01 -0400] "GET /thinkphp/html/public/index.php HTTP/1.1" 302 247
139.155.35.209 - - [16/Apr/2021:08:22:43 -0400] "GET /thinkphp/html/public/index.php HTTP/1.1" 302 247

This is possibly related to this alerts that we're receiving from the antivirus system:

 https://nvd.nist.gov/vuln/detail/CVE-2019-9082 

 https://nvd.nist.gov/vuln/detail/CVE-2018-20062corresponden

We have DSpace v6.3

Any knowledge about this?

Saludos,

Hernán Carvajal

Libre de virus. www.avast.com

[FILIPPOS KOLOVOS]

Dear Sir,

I do not think that this kind of log alerts have anything to do with DSpace. DSpace is using Java Technology and JSP/XML for the frontend and not at all PHP.

These requests you are seeing in Apache are probably "fishing" requests to check IF your server has a thinkphp installation and if so, IF the vulnerability exists.

The response they are getting on the other hand is that this a redirect (302), which means that they can find the content in another server, which is included in your server's response header back to the client.

To which server your Apache installation redirects the users? If it is a simple HTTP => HTTPS redirection then in the log files you will also find a lot of "NOT FOUND" (404) HTTP responses for the same requests later on in the log file if you do not have a thinkphp installation.

If not, you may want to check if you have a thinkphp installation somewhere in this, or another server and check to see if it is secured from that CVE.

Best Regards,

-Fk

--
All messages to this mailing list should adhere to the Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google Groups "DSpace Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-communi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/CAE7AYAJVpaeogG51PvZRm9%3DNoJBukQcVFL3eVBj%3DuVsq97Z_Qg%40mail.gmail.com.

--

Filippos Kolovos

Software Systems Analyst & Engineer
M.Sc. (Eng.) in Data Communications

Automation & Networking Department
University of Macedonia Library
Egnatia 156,
546 36 Thessaloniki, Greece

E-Mail: fili...@uom.edu.gr
Profile: http://gr.linkedin.com/in/filipposkolovos
Phone: +30-2310-891-826
----------------------------------------------

[Tim Donohue]

Just wanted to note that Filippos is completely correct.  DSpace includes no PHP code, so it is not vulnerable to any PHP based attacks. 

Tim

---

From: 'FILIPPOS KOLOVOS' via DSpace Community <dspace-c...@googlegroups.com>
Sent: Wednesday, April 28, 2021 1:48 AM
To: DSpace Community <dspace-c...@googlegroups.com>
Subject: Fwd: [dspace-community] Possible vulnerability detected - DSpace 6.3

 

To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/CAHEC7xsevfYTo2XZWQxTALW--ZgsMAcuthxohE45u5wWguz1OA%40mail.gmail.com.

[Hernan Carvajal Briceño]

Thank you very much dear Filippos and Tim!

Saludos,

Hernán Carvajal

Libre de virus. www.avast.com

To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/DM5PR2201MB1148D3C9B97C363386F57EEBED409%40DM5PR2201MB1148.namprd22.prod.outlook.com.