Hi,
I am currently performing vulnerability scans for some university work on a webserver hosting DSpace 7.
During the scan I do get some results related to the search functionality, which appear to be false positives to me. From what I understood this is related to the fact that DSpace always delivers a search result regardless of what kind of folder, file or parameter is appended after the /search/ URL.
I am trying to understand how the DSpace search functionality works in order to confirm the vulnerability findings are false positives. Is there any reference available on how URL decoding of the search functionality is handled?
Up to now I was unable to find the same, but I may just have the wrong keywords for finding the right place.
DSpace version used: 7.1.1 (can't upgrade right now)
URL used by vulnerability scanner:
https://<domain>/search/index.php?osCsid=a815a815a815a815
(This is a test for some known vulnerability of older versions of osCommerce application)
TL;DR: Just to be clear: I don't see this reported vulnerability to be an actual DSpace issue; I am only searching for a good reference on why this behaviour is observed.
Thanks in advance for pointing me in the right direction.
Robert
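
One way to test the false-positive hypothesis from the post above, as an added example that is not part of the original message and not DSpace code: compare the response to the scanner's probe with the response to a random control path under /search/. The host `dspace.example`, the helper names, the 0.95 similarity threshold and the two fake fetchers are assumptions constructed for illustration.

```python
import difflib
import secrets
from urllib.parse import urlsplit, urlunsplit

def control_url(flagged_url):
    """Swap everything after /search/ for a random token and drop the query."""
    parts = urlsplit(flagged_url)
    head, sep, _tail = parts.path.partition("/search/")
    if not sep:
        raise ValueError("URL is not under /search/")
    path = head + sep + secrets.token_hex(8)
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def triage(flagged_url, fetch, threshold=0.95):
    """fetch(url) -> (status, body). Compare the probe with a random control path.

    'catch-all' : same status and near-identical body, so the response does not
                  depend on the probed file (scanner hit is likely a false positive).
    'distinct'  : the probe is answered differently and needs manual review.
    """
    f_status, f_body = fetch(flagged_url)
    c_status, c_body = fetch(control_url(flagged_url))
    ratio = difflib.SequenceMatcher(None, f_body, c_body).ratio()
    if f_status == c_status and ratio >= threshold:
        return "catch-all"
    return "distinct"

# Constructed sample data (hypothetical host and response bodies).
FLAGGED = "https://dspace.example/search/index.php?osCsid=a815a815a815a815"
SEARCH_PAGE = "<html><title>Search</title><body>search results</body></html>"

def fake_catch_all(url):
    # Behaviour described in the post: any path under /search/ yields a search page.
    return 200, SEARCH_PAGE

def fake_real_file(url):
    # Contrast case: index.php actually exists and other paths are 404.
    if "/index.php" in url:
        return 200, "<html><body>shop session page</body></html>"
    return 404, "Not Found"

if __name__ == "__main__":
    print(triage(FLAGGED, fake_catch_all))   # catch-all
    print(triage(FLAGGED, fake_real_file))   # distinct
```

Against a live server, pass a `fetch` callable that performs the HTTP GET and returns the status code and decoded body; the similarity threshold leaves room for pages that echo part of the request.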