Assistance remediating a few security vulnerabilities?


James Bongiovanni

Jan 26, 2015, 9:53:31 AM
to gots-d...@googlegroups.com
Hello,

Working to deploy a Guide on the Side instance for my colleagues to test out.  Our Info Security Dept will not open port 80 to the server until I have remediated several items found by their vulnerability scan.  If anyone has suggestions for addressing any of the below items I would welcome them.

Thanks!

Jim



1. Unencrypted Login Request:
  • Fix: Always use SSL and POST (body) parameters when sending sensitive information

2. Alternate Version of File Detected:

3. Autocomplete HTML Attribute Not Disabled for Password Field:
  • Fix: Correctly set the "autocomplete" attribute to "off"

4. Hidden directory detected

Mike Hagedon

Feb 2, 2015, 11:09:13 PM
to gots-d...@googlegroups.com
Hi Jim,
Here's my understanding of these issues:

1. Unencrypted Login Request:
  • Fix: Always use SSL and POST (body) parameters when sending sensitive information
This could be solved by running GotS over HTTPS, which could be handled by the server admin. There may be something GotS could do to just run the login over HTTPS, and I agree with your scanning tool that this is a good idea. (We don't do this at UA because we're using Shibboleth with GotS.) Issue opened here: https://github.com/ualibraries/Guide-on-the-Side/issues/108

2. Alternate Version of File Detected:

Sounds like a false positive to me. Those are two different views of the same page, and they should both be there for accessibility reasons.


3. Autocomplete HTML Attribute Not Disabled for Password Field:
  • Fix: Correctly set the "autocomplete" attribute to "off"
It looks like browsers are making this a moot point, so I think the scanner should be updated.

The ability for websites to disable the password manager using autocomplete = "off" is being removed in Firefox 30: https://bugzilla.mozilla.org/show_bug.cgi?id=956906


4. Hidden directory detected
  • Fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely.
  • URLs: 
This is a server configuration issue.

HTH,
Mike
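An added example, not code from the Guide on the Side project or from either poster, that turns findings 1 and 3 above into a check an administrator can run against a fetched login page before (or after) the scanner does. It parses the HTML with the standard library only, resolves the form action the way a browser would, and reports a form that posts over plain HTTP, a login page itself served over HTTP (the form target can be rewritten in transit), a GET login, and a password field without autocomplete="off" (reported as informational, since, as Mike notes, browsers are dropping support for the attribute). The hostname gots.example.org and both sample pages are constructed for the offline run; finding 4 is web-server configuration and is not covered here.

```python
"""Audit a login page's HTML for the 'Unencrypted Login Request' and
'Autocomplete ... Not Disabled' findings discussed in this thread."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormCollector(HTMLParser):
    """Collect every <form> on the page together with the <input>s it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "method": str, "inputs": [attr dicts]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # html.parser already lowercases tag and attribute names
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),  # HTML default is GET
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(html, page_url):
    """Return a list of finding strings for every form on the page that carries a
    password field. page_url is the URL the page was fetched from; a relative
    form action is resolved against it exactly as a browser would resolve it."""
    collector = LoginFormCollector()
    collector.feed(html)
    findings = []
    page = urlparse(page_url)
    for form in collector.forms:
        password_fields = [i for i in form["inputs"] if (i.get("type") or "").lower() == "password"]
        if not password_fields:
            continue  # no credentials are submitted by this form
        if page.scheme != "https":
            findings.append("login page served over %s: the form target can be rewritten in transit" % (page.scheme or "http"))
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append("login form submits over %s to %s: credentials travel in clear text" % (target.scheme or "http", target.geturl()))
        if form["method"] != "post":
            findings.append("login form uses GET: credentials would land in the URL, server logs and browser history")
        for field in password_fields:
            if (field.get("autocomplete") or "").lower() != "off":
                findings.append("password field %r lacks autocomplete=\"off\" (informational: modern browsers ignore it)" % field.get("name", "?"))
    return findings


# Constructed sample pages (hypothetical host gots.example.org, not the project's markup).
INSECURE_PAGE = """
<form action="/users/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

HARDENED_PAGE = """
<form action="https://gots.example.org/users/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    for name, page, url in (
        ("insecure", INSECURE_PAGE, "http://gots.example.org/users/login"),
        ("hardened", HARDENED_PAGE, "https://gots.example.org/users/login"),
    ):
        print(name + ":", audit_login_page(page, url) or ["no findings"])
```

To use it on a real instance, fetch the login page with any HTTP client and pass the body plus the URL you fetched it from; a form that resolves to an https action while the page itself arrives over http is still reported, because the scanner's objection (and the real risk) is to the whole login exchange, not just the POST.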


Nathan Landis

Apr 9, 2015, 5:29:44 PM
to gots-d...@googlegroups.com
Just a comment to support issue 108 (thanks for opening that!). We are currently running GOTS admin over https but that breaks the guide preview since the framed page won't load. So we are currently having to open a second browser to preview the guide as we develop it...awkward but it works.

- Nate