[GeoNode-users] Cross-site scripting test - Security related - Issue

Naresh N naresh919 at gmail.com
Mon Oct 1 05:49:25 PDT 2018


Dear Alessio Fabiani,

Thanks for responding. I will go through the shared links.

I have asked my query publicly, as it is not a major security alert and
only needs some better mechanism. Sorry for sending it publicly; I will
follow your advice from now onwards.

Best Regards,
Naresh





On Mon, Oct 1, 2018 at 5:55 PM Alessio Fabiani <
alessio.fabiani at geo-solutions.it> wrote:

> I'm not quite sure why you are identifying this as a security issue, could
> you please elaborate?
>
> However, the outcome is a side effect of "django-tastypie" paginator log
>
> see
> https://github.com/django-tastypie/django-tastypie/blob/master/tastypie/paginator.py#L56
>
> In order to avoid reporting used inputs on the error message, the quickest
> solution would be to make "ModelResource" classes using a custom paginator,
> as explained here
>
> https://django-tastypie.readthedocs.io/en/latest/paginator.html
>
> In case you are not able to do that, please open an issue on GeoNode
> github.
>
> Moreover, as a general suggestion:
>
> 1. Questions on technical issues must be sent to the geonode-devel list and,
> in case they are identified as issues, in order to be taken into
> account they must be correctly explained in a GitHub issue of the GeoNode
> repository.
>
> 2. It is a very bad practice to report a potential security issue publicly.
> That would be very risky for everyone running a GeoNode instance around,
> other than you. Next time, please, send private emails to the GeoNode PSC
> members.
>
> Il giorno lun 1 ott 2018 alle ore 08:44 Naresh N <naresh919 at gmail.com> ha
> scritto:
>
>> Dear All,
>>
>> We have used GeoNode for development of our portal SUVIDHA. As a part
>> of security we have changed the parameter value 'limit' in the following
>> URL to verify a cross-site scripting attack.
>>
>> Requested URL:
>>
>> http://bhuvan-suvidha.nrsc.gov.in/api/base/?limit=10&offset=0&title__icontains=&limit=10'%22()%26%25<acx><ScRiPt%20>prompt(971923)</ScRiPt>&offset=0&title__icontains=e&type__in=raster&undefined=undefined
>>
>> Response for above URL:
>>
>> {"error": "Invalid limit '10'\"()&%<acx><ScRiPt >prompt(971923)</ScRiPt>' provided. Please provide a positive integer."}
>>
>> Although the wrongly given input is not accepted, the error message
>> contains the user-given input in the given format. As per cross-site scripting,
>> whenever any meta characters (special characters) appear in a URL, the
>> application should encode the special characters. Since the response did not
>> contain the encoded user-given input, the given request is treated as a
>> security alert for a cross-site scripting attack.
>>
>> Please help me with how to make all GET request parameters get encoded before
>> proceeding with further steps.
>>
>> Is there any setting available for making all the requested GET
>> parameters get encoded in GeoNode / Django?
>>
>> Thanks&Regards,
>> Naresh
>> _______________________________________________
>> geonode-users mailing list
>> geonode-users at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/geonode-users
>>
>
>
> --
>
> ==
>
> GeoServer Professional Services from the experts! Visit
> http://goo.gl/it488V for more information.
> ==
> Ing. Alessio Fabiani
>
> @alfa7691
> Founder/Technical Lead
>
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A - 55054  Massarosa (LU) - Italy
> phone: +39 0584 962313
> fax:     +39 0584 1660272
> mob:   +39 331 6233686
>
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
> -------------------------------------------------------
>
> With reference to the regulations on the processing of personal data (EU Reg.
> 2016/679 - General Data Protection Regulation "GDPR"), please note that
> every circumstance relating to this email (its content, any attachments,
> etc.) is information whose knowledge is reserved to the recipient(s)
> indicated by the writer. If the message has reached you by mistake, you are
> required to delete it; any other operation is unlawful. I would in any case be
> grateful if you could let me know.
>
>
> This email is intended only for the person or entity to which it is
> addressed and may contain information that is privileged, confidential or
> otherwise protected from disclosure. We remind that - as provided by
> European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
> e-mail or the information herein by anyone other than the intended
> recipient is prohibited. If you have received this email by mistake, please
> notify us immediately by telephone or e-mail.
>
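Alessio's suggestion above, a custom paginator so that the `limit`/`offset` error message stops reporting the submitted input, in working form. This is an example added to this archive page, not GeoNode's or django-tastypie's own code: `DEFAULT_LIMIT`, `MAX_LIMIT`, `parse_int_param`, `last_value`, `paginate_query`, `safe_echo` and `SafePaginator` are names chosen for the illustration, the default and maximum page sizes are assumed, and the tastypie subclass at the bottom is only defined when that package is importable. The stand-alone part goes a little beyond the thread: it handles a repeated parameter the way Django's `QueryDict.get` does (last value wins, which is why the probe URL in the report reached the paginator), returns an error that names the parameter but never reflects its value, and shows `html.escape` for the case where a value genuinely has to be reflected.

```python
"""Validating pagination parameters without echoing raw input.

Illustrative code for the GeoNode thread on tastypie's paginator error
message; not GeoNode's or django-tastypie's implementation. The page-size
defaults are assumptions.
"""
import html
from urllib.parse import parse_qs, urlsplit

DEFAULT_LIMIT = 20   # assumed default page size
MAX_LIMIT = 1000     # assumed upper bound on page size


class InvalidParameter(ValueError):
    """Carries a message that is safe to return verbatim to the client."""


def parse_int_param(raw, name, default, minimum=0, maximum=None):
    """Parse one integer query parameter.

    Missing or blank -> `default`. Non-integer or below `minimum` -> raise
    InvalidParameter whose text names only the parameter, never the
    submitted value, so nothing attacker-controlled reaches the response
    body. Values above `maximum` are clamped rather than rejected.
    """
    if raw is None or raw == "":
        value = default
    else:
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise InvalidParameter(
                f"Invalid '{name}' provided. Please provide an integer >= {minimum}.")
    if value < minimum:
        raise InvalidParameter(
            f"Invalid '{name}' provided. Please provide an integer >= {minimum}.")
    if maximum is not None and value > maximum:
        value = maximum
    return value


def last_value(params, name):
    """Return the last occurrence of a possibly repeated parameter, as
    Django's QueryDict.get does, or None if the parameter is absent."""
    values = params.get(name)
    return values[-1] if values else None


def paginate_query(url):
    """Return {'limit': int, 'offset': int}, or {'error': <safe message>}."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:
        limit = parse_int_param(last_value(params, "limit"), "limit",
                                DEFAULT_LIMIT, minimum=1, maximum=MAX_LIMIT)
        offset = parse_int_param(last_value(params, "offset"), "offset",
                                 0, minimum=0)
    except InvalidParameter as exc:
        return {"error": str(exc)}
    return {"limit": limit, "offset": offset}


def safe_echo(raw):
    """If a value must be reflected (e.g. in an HTML error page), escape it so
    that any markup in the input is rendered as text, not interpreted."""
    return html.escape(str(raw), quote=True)


try:
    # Optional integration, defined only when django-tastypie is installed.
    from tastypie.exceptions import BadRequest
    from tastypie.paginator import Paginator

    class SafePaginator(Paginator):
        """Drop-in replacement, selected with `paginator_class` in a
        resource's Meta; `request_data`, `limit`, `offset` and `max_limit`
        are the base class's own attributes."""

        def get_limit(self):
            try:
                return parse_int_param(self.request_data.get("limit", self.limit),
                                       "limit", DEFAULT_LIMIT, minimum=1,
                                       maximum=self.max_limit)
            except InvalidParameter as exc:
                raise BadRequest(str(exc))

        def get_offset(self):
            try:
                return parse_int_param(self.request_data.get("offset", self.offset),
                                       "offset", 0, minimum=0)
            except InvalidParameter as exc:
                raise BadRequest(str(exc))
except ImportError:
    pass
```

To wire it in, set `paginator_class = SafePaginator` in the `Meta` of the `ModelResource` classes concerned, as the tastypie paginator documentation linked above describes. Two caveats for anyone adopting this: tastypie's stock `get_limit` gives `limit=0` a special meaning (check the linked `paginator.py` before switching), whereas this helper rejects anything below 1; and the reflection in the report lands in a JSON body, which a browser does not render as HTML, so the practical exposure is small provided the API answers with `Content-Type: application/json` and `X-Content-Type-Options: nosniff`. Not echoing free-form input in error messages is still the cheap, general fix.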