[SAC] LDAP web tools and CSRF attacks

Sandro Santilli strk at kbt.io
Fri Jun 24 08:13:20 PDT 2016


I've spent the day on fixing CSRF vulnerabilities [1].

The user profile [2], group membership [3] and shell grant [4]
forms were affected and are now fixed, with the added bonus of
improved handling and logging (more in the commit logs [5]).

The shell granting script (ldap_shell.py) was turned into a
symlink to the group managing script (ldap_group.py) to reduce
future maintenance. Based on the calling name, the script changes
its default target group and organizational unit.

But I cannot confirm that the shell granter script works,
at least not while trying to connect to web.osgeo.osuosl.org
as a test user I just created and added to the Shell/telascience
group. What am I missing? Does it take a different group for
accessing the osuosl machines?


[1] https://en.wikipedia.org/wiki/Cross-site_request_forgery
[2] https://git.osgeo.org/gogs/sac/web-cgi-bin/issues/1 (*)
[3] https://git.osgeo.org/gogs/sac/web-cgi-bin/issues/2 (*)
[4] https://git.osgeo.org/gogs/sac/web-cgi-bin/issues/3 (*)
[5] https://git.osgeo.org/gogs/sac/web-cgi-bin/commits/master (*)
[6] https://trac.osgeo.org/osgeo/ticket/1735
[7] 

 * need SAC login

--strk; 
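As an added illustration of the kind of fix the message describes (example code written for this page, not code from the web-cgi-bin repository or from ldap_group.py): a session-bound synchronizer token. The form handler embeds a token that is an HMAC over the authenticated session id plus a random nonce, and the POST handler refuses any submission whose token does not verify for the current session. A cross-site page cannot read the token out of the victim's form, so its forged POST arrives without a valid one. All names (SERVER_SECRET, handle_membership_form, the form field names) and the sample request bodies are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed example secret. A real deployment would load this from a file
# outside the document root and never commit it to the repository.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Return a token bound to this session: '<nonce>.<hmac(session:nonce)>'.

    The token is stateless: nothing has to be stored server-side, because the
    MAC can be recomputed from the session id at verification time.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret: bytes, session_id: str, token: str) -> bool:
    """True only if the token was minted for this session and is untampered."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    return hmac.compare_digest(expected, mac)


def handle_membership_form(body: str, session_id: str, secret: bytes,
                           csrf_protected: bool = True) -> dict:
    """Process a (hypothetical) group-membership POST body.

    csrf_protected=False reproduces the pre-fix behaviour: any POST carrying
    the right field names is acted on, whoever's page submitted it.
    csrf_protected=True is the fixed behaviour: the token must verify first.
    """
    fields = parse_qs(body)
    first = lambda name: fields.get(name, [""])[0]

    if csrf_protected and not verify_csrf_token(secret, session_id, first("csrf_token")):
        # Log enough to spot a campaign (who was targeted, what was attempted),
        # but do not echo the submitted token back to the client.
        return {"status": 403, "reason": "missing or invalid CSRF token",
                "log": f"csrf reject session={session_id} action={first('action')} user={first('user')}"}

    return {"status": 200, "action": first("action"),
            "user": first("user"), "group": first("group")}


if __name__ == "__main__":
    session = "sess-constructed-1"
    token = make_csrf_token(SERVER_SECRET, session)

    # Constructed request bodies: one a forged cross-site POST (no token),
    # one a genuine submission from the server-rendered form.
    forged = "action=add&user=mallory&group=shell"
    genuine = f"action=add&user=alice&group=shell&csrf_token={token}"

    print("forged, pre-fix handler :", handle_membership_form(forged, session, SERVER_SECRET, False)["status"])
    print("forged, fixed handler   :", handle_membership_form(forged, session, SERVER_SECRET)["status"])
    print("genuine, fixed handler  :", handle_membership_form(genuine, session, SERVER_SECRET)["status"])
```

Binding the MAC to the session id is what makes the token worthless if copied from another account; the nonce lets the same session hold several valid tokens (multiple open forms) without server-side bookkeeping. A token-based check should be paired with requiring POST for state changes and rejecting the request when the Origin or Referer header, if present, names a foreign site.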
