[GeoNode-users] Cross-site scripting test - Security related - Issue

Alessio Fabiani alessio.fabiani at geo-solutions.it
Mon Oct 1 05:25:03 PDT 2018


I'm not quite sure why you are identifying this as a security issue; could
you please elaborate?

However, the outcome is a side effect of the "django-tastypie" paginator log,

see
https://github.com/django-tastypie/django-tastypie/blob/master/tastypie/paginator.py#L56

In order to avoid reporting the inputs used in the error message, the quickest
solution would be to make the "ModelResource" classes use a custom paginator,
as explained here:

https://django-tastypie.readthedocs.io/en/latest/paginator.html

In case you are not able to do that, please open an issue on the GeoNode GitHub.

Moreover, as a general suggestion:

1. Questions on technical issues must be sent to the geonode-devel list and, in
case they are identified as issues, in order to be taken into account they
must be correctly explained in a GitHub issue on the GeoNode repository.

2. It is a very bad practice to report potential security issues publicly.
That would be very risky for everyone running a GeoNode instance, not only
you. Next time, please send private emails to the GeoNode PSC members.


On Mon, 1 Oct 2018 at 08:44 Naresh N <naresh919 at gmail.com> wrote:

> Dear All,
>
> We have used GeoNode for the development of our portal SUVIDHA. As a part of
> security we have changed the parameter value 'limit' in the following URL
> to verify a cross-site scripting attack.
>
> Requested URL:
>
>
> http://bhuvan-suvidha.nrsc.gov.in/api/base/?limit=10&offset=0&title__icontains=&
> limit=10'%22()%26%25<acx><ScRiPt%20>prompt(971923)</ScRiPt>
> &offset=0&title__icontains=e&type__in=raster&undefined=undefined
>
> Response for the above URL:
>
>  {"error": "Invalid limit '10'\"()&%<acx><ScRiPt
> >prompt(971923)</ScRiPt>' provided. Please provide a positive integer."}
>
> Although the wrongly given input is not accepted, the error message
> contains the user-given input in the given format. As per cross-site
> scripting, whenever any meta characters (special characters) appear in a
> URL, the application should encode the special characters. Since the
> response did not contain the encoded user-given input, the given request
> was treated as a security alert for a cross-site scripting attack.
>
> Please help me with how to make all GET request parameters encoded before
> proceeding to further steps.
>
> Is there any setting available for making all the requested GET
> parameters encoded in GeoNode/Django?
>
> Thanks & Regards,
> Naresh
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-users
>


-- 

==

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V
for more information.
==
Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead


GeoSolutions S.A.S.
Via di Montramito 3/A - 55054  Massarosa (LU) - Italy
phone: +39 0584 962313
fax:   +39 0584 1660272
mob:   +39 331 6233686


http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------

With reference to the legislation on the processing of personal data (EU Reg.
2016/679, General Data Protection Regulation "GDPR"), please note that every
circumstance pertaining to this email (its content, any attachments, etc.) is
data whose knowledge is reserved to the sole recipient(s) indicated by the
writer. If the message has reached you by mistake, you are required to delete
it; any other operation is unlawful. I would in any case be grateful if you
could let me know.


This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telephone or e-mail.
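As an added example, not code from the thread, from GeoNode or from django-tastypie: a stand-alone sketch of the custom-paginator fix Alessio points to. EchoingPaginator is a simplified re-implementation of the tastypie get_limit behaviour whose message is quoted above, SafePaginator is the override that validates before building the message, BadRequest is a stand-in for tastypie's exception, and the Meta.paginator_class hook is the one documented on the tastypie paginator page linked above.

```python
import json
import re
from urllib.parse import parse_qs

# Query string constructed from the URL quoted in the thread (trimmed).
REPORTED_QUERY = "limit=10&offset=0&limit=10'%22()%26%25<acx><ScRiPt%20>prompt(971923)</ScRiPt>&offset=0"


class BadRequest(Exception):
    """Stand-in for tastypie.exceptions.BadRequest (assumed equivalent)."""


class EchoingPaginator:
    """Simplified re-implementation of the behaviour quoted in the thread:
    the raw 'limit' value is interpolated into the error text."""

    def __init__(self, request_data, limit=20, max_limit=1000):
        self.request_data = request_data  # request.GET in a Django view
        self.limit = limit                # the API_LIMIT_PER_PAGE default
        self.max_limit = max_limit

    def get_limit(self):
        raw = self.request_data.get("limit", self.limit)
        try:
            return int(raw)
        except ValueError:
            raise BadRequest("Invalid limit '%s' provided. Please provide a positive integer." % raw)


class SafePaginator(EchoingPaginator):
    """Validate first so the client's bytes never reach the message. In a real
    project subclass tastypie.paginator.Paginator instead and set
    Meta.paginator_class = SafePaginator on the ModelResource."""

    def get_limit(self):
        raw = str(self.request_data.get("limit", self.limit))
        if not re.fullmatch(r"[0-9]+", raw):  # rejects '-1', '10abc', markup
            raise BadRequest("Invalid 'limit' provided. Please provide a positive integer.")
        limit = int(raw)
        if self.max_limit and (not limit or limit > self.max_limit):
            return self.max_limit  # tastypie clamps 0 and oversize values to max_limit
        return limit


def error_body(paginator_cls, query_string):
    """JSON error body a resource would return for this query, or None.
    Like Django's QueryDict.get(), the last repeated parameter wins."""
    params = {k: v[-1] for k, v in parse_qs(query_string).items()}
    try:
        paginator_cls(params).get_limit()
        return None
    except BadRequest as exc:
        return json.dumps({"error": str(exc)})
```

Running error_body(EchoingPaginator, REPORTED_QUERY) reproduces the reflected message from the thread, while the SafePaginator variant returns a fixed message with no client input in it.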