[GeoNode-devel] Fixing JSONP enabled by default in MappingJackson2JsonView

Naresh N naresh919 at gmail.com
Wed Aug 14 04:05:24 PDT 2019


Dear Alessio,

Thanks for the quick response. The application was scanned using *Acunetix*
software and it is showing the security alert "JSONP enabled by default in
MappingJackson2JsonView".

Please find below the Request and Response headers which are listed by the
Acunetix software.

*Request Header*
GET /api/groups/?callback=crldpcnlxk&jsonp=crldpcnlxk&cb=crldpcnlxk&json=crldpcnlxk HTTP/1.1
Cookie: csrftoken=bYBRus0eSrnR36SeDSU6CJpxx6gmLX1z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: XXX.XX.X.XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

*Response Header*

HTTP/1.1 200 OK
Date: Tue, 13 Aug 2019 10:43:50 GMT
Server: Apache
Vary: Accept,Accept-Language,Cookie,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Language: en
Cache-Control: no-cache
Cache-Control: max-age=300
Expires: Tue, 13 Aug 2019 10:48:50 GMT
Content-Length: 113
Keep-Alive: timeout=100, max=65
Connection: Keep-Alive
Content-Type: text/javascript
Original-Content-Encoding: gzip

crldpcnlxk({"meta": {"limit": 10, "next": null, "offset": 0, "previous":
null, "total_count": 0}, "objects": []})



Is anything related to GeoServer (as it is written in Java and the Spring
framework is used)?

The alert is coming when it is sending the requests to /api/base or
/api/groups. Is there any way we can block a request to the API when it comes
with a callback function as an argument (specifically jsonp)?

If we remove JSONP from the request, will the issue be resolved? But what is
the dependency with GeoNode?

Kindly help me to resolve the above-mentioned security-related alert.

Thanks & Regards,
Naresh.N

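One way to enforce the block Naresh asks about, written here as an added example that is not GeoNode's own code: a WSGI middleware (GeoNode is a Django application, so such a middleware would sit in front of the Django app) that refuses any request under `/api/` carrying one of the callback-style parameters the scanner probed with, plus a constructed stand-in for the API that reproduces the `text/javascript` wrapping seen in the response above. The names `block_jsonp`, `upstream_api` and `call` are hypothetical.

```python
import json
from urllib.parse import parse_qs

# Parameter names the scanner probed with (copied from the request in this
# thread); any of them may select a callback on a permissive JSONP endpoint.
JSONP_PARAMS = ("callback", "jsonp", "cb", "json")

def jsonp_param_in_query(query_string):
    """Return the first JSONP-style parameter present in the query, or None."""
    params = parse_qs(query_string, keep_blank_values=True)
    return next((name for name in JSONP_PARAMS if name in params), None)

def block_jsonp(app, prefix="/api/"):
    """Hypothetical WSGI middleware: reply 400 when a request under `prefix`
    carries a callback parameter, so the wrapped app never emits JSONP."""
    def middleware(environ, start_response):
        bad = jsonp_param_in_query(environ.get("QUERY_STRING", ""))
        if environ.get("PATH_INFO", "").startswith(prefix) and bad:
            body = json.dumps({"error": "parameter '%s' not allowed" % bad}).encode()
            start_response("400 Bad Request", [("Content-Type", "application/json"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return middleware

def upstream_api(environ, start_response):
    """Constructed stand-in for the API in the thread: given a callback it
    answers text/javascript with the JSON wrapped, as the scan response shows."""
    payload = json.dumps({"meta": {"limit": 10, "total_count": 0}, "objects": []})
    cb = parse_qs(environ.get("QUERY_STRING", "")).get("callback")
    body = ("%s(%s)" % (cb[0], payload)).encode() if cb else payload.encode()
    ctype = "text/javascript" if cb else "application/json"
    start_response("200 OK", [("Content-Type", ctype)])
    return [body]

def call(app, path, query):
    """Drive a WSGI app in-process; return (status, content_type, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path,
                         "QUERY_STRING": query}, start_response))
    return seen["status"], seen["headers"]["Content-Type"], body.decode()

if __name__ == "__main__":
    guarded = block_jsonp(upstream_api)
    print(call(upstream_api, "/api/groups/", "callback=crldpcnlxk"))  # wrapped
    print(call(guarded, "/api/groups/", "callback=crldpcnlxk"))       # 400
```

Running the same scanner request against the guarded app is the check that the finding is gone: the response is a 400 with `application/json`, never a `text/javascript` body that starts with the caller-chosen name.
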
On Tue, Aug 13, 2019 at 1:10 PM Alessio Fabiani <
alessio.fabiani at geo-solutions.it> wrote:

> Dear Naresh,
> I got the occasion to look a bit at this, but I'm pretty sure your
> software is giving you a false flag.
>
> First of all GeoNode is not using Spring, therefore the solution you
> propose makes no sense.
>
> Secondly, I tried the API URL by trying several jsonp callbacks and got no
> issues.
>
> If you can possibly provide more information on the issue you are
> currently experiencing, or at least describe better how to reproduce it,
> I'll try to dig more into it.
>
> Kind regards,
> Alessio.
>
>
>
> On Tue 13 Aug 2019 at 06:18 Naresh N <naresh919 at gmail.com> wrote:
>
>> Dear Alessio,
>>
>> Thanks a lot. Please help me to resolve.
>>
>> Best Regards,
>> Naresh.N
>>
>> On Mon, Aug 12, 2019 at 7:20 PM Alessio Fabiani <
>> alessio.fabiani at geo-solutions.it> wrote:
>>
>>> Hello Naresh,
>>> thanks for the feedback. Let me double check and try to fix it
>>> accordingly.
>>> Will send you updates as soon as possible. Regards.
>>>
>>> On Wed 7 Aug 2019 at 11:38 Naresh N <naresh919 at gmail.com> wrote:
>>>
>>>> Dear All,
>>>>
>>>> We have used GeoNode for the development of our portal SUVIDHA. As a
>>>> part of a security check we scanned our SUVIDHA portal for vulnerabilities,
>>>> and it is showing the following security alert
>>>>
>>>> *JSONP enabled by default in MappingJackson2JsonView*
>>>>
>>>> *Reported request header is as follows*
>>>>
>>>> GET /api/profiles/?callback=kdeltofpmt&jsonp=kdeltofpmt&cb=kdeltofpmt&json=kdeltofpmt HTTP/1.1
>>>> Cookie: csrftoken=NuHnIHPRdzkH6pyi1XmrWpx6Z0v60gsW
>>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> Accept-Encoding: gzip,deflate
>>>> Host: 172.26.3.222
>>>> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
>>>> Connection: Keep-alive
>>>>
>>>> How do I need to fix the above?
>>>>
>>>> *Its recommendation for the fix is mentioned in the following link*
>>>>
>>>> https://www.acunetix.com/vulnerabilities/web/jsonp-enabled-by-default-in-mappingjackson2jsonview/
>>>>
>>>>
>>>> Please help me find this module in GeoNode and how to fix it.
>>>>
>>>> Please do the needful.
>>>>
>>>> Thanks & Regards,
>>>> Naresh.N
>>>>
>>>
>>>
>>> --
>>>
>>> Ing. Alessio Fabiani
>>>
>>> @alfa7691
>>> Founder/Technical Lead
>>>
>>>
>>> GeoSolutions S.A.S.
>>> Via di Montramito 3/A - 55054  Massarosa (LU) - Italy
>>> phone: +39 0584 962313
>>> fax:     +39 0584 1660272
>>> mob:   +39 331 6233686
>>>
>>>
>>> http://www.geo-solutions.it
>>> http://twitter.com/geosolutions_it
>>
>