[SAC] LDAP web tools and CSRF attacks
strk at kbt.io
Fri Jun 24 08:13:20 PDT 2016
I've spent the day on fixing CSRF vulnerabilities.
The user profile, group membership and shell grant
forms were affected and are now fixed, with the added bonus of
improved handling and logging (more in the commit logs).

The shell granting script (ldap_shell.py) was turned into a
symlink to the group managing script (ldap_group.py) to reduce
future maintenance. Based on the calling name, the script changes
its default target group and organizational unit.

But I cannot confirm that the shell granter script works,
at least not while trying to connect to web.osgeo.osuosl.org
as a test user I just created and added to the Shell/telascience
group. What am I missing? Does it take a different group for
accessing the osuosl machines?
 https://git.osgeo.org/gogs/sac/web-cgi-bin/issues/1 (*)
 https://git.osgeo.org/gogs/sac/web-cgi-bin/issues/2 (*)
 https://git.osgeo.org/gogs/sac/web-cgi-bin/issues/3 (*)
 https://git.osgeo.org/gogs/sac/web-cgi-bin/commits/master (*)
* need SAC login
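The post does not show how the forms were hardened, so the following is an added illustration, not code from the SAC web-cgi-bin repository: a stateless, HMAC-signed synchronizer token bound to the caller's session id and carrying an expiry, which a CGI form handler such as a group or shell grant script can mint when rendering the form and verify on every state-changing POST. The secret, session ids, form field names and the one-hour lifetime are all assumptions.

```python
"""Synchronizer-token CSRF check for a CGI form handler (added example,
not the SAC web-cgi-bin code). The token is "<timestamp>.<hmac>" where the
HMAC covers the session id and the timestamp, so a token minted for one
session is useless in another and expires after TOKEN_MAX_AGE seconds."""
import hashlib
import hmac
import time

TOKEN_MAX_AGE = 3600  # assumed policy: a token stays valid for one hour


def issue_token(secret, session_id, now=None):
    """Mint a token tied to this session and the current time."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(secret, session_id, token, now=None, max_age=TOKEN_MAX_AGE):
    """True only if the token was minted for this session, is well formed,
    is not from the future and has not expired. Uses a constant-time compare."""
    ts_str, sep, mac = token.partition(".")
    if not sep or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(time.time()) if now is None else int(now)
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def render_form(secret, session_id, action="ldap_group.py", now=None):
    """Return the HTML fragment for the membership form with the token embedded.
    (Field names are assumed; the real scripts' forms may differ.)"""
    token = issue_token(secret, session_id, now)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="member">'
        '<input type="submit" value="Add to group">'
        "</form>"
    )


def handle_post(secret, session_id, method, form, now=None):
    """Gate a membership change: only a POST carrying a valid token for the
    requesting session may proceed. Returns ("ok", member) or ("rejected", why)."""
    if method != "POST":
        return ("rejected", "state changes require POST")
    token = form.get("csrf_token", "")
    if not verify_token(secret, session_id, token, now):
        return ("rejected", "missing, expired or foreign CSRF token")
    return ("ok", form.get("member", ""))


if __name__ == "__main__":
    # Constructed demo values; a deployment would load the secret from
    # configuration and take the session id from an authenticated session.
    SECRET = b"constructed-demo-secret"
    print(render_form(SECRET, "sess-1"))
    tok = issue_token(SECRET, "sess-1")
    print(handle_post(SECRET, "sess-1", "POST", {"csrf_token": tok, "member": "alice"}))
    print(handle_post(SECRET, "sess-2", "POST", {"csrf_token": tok, "member": "alice"}))
```

Because the token is derived from the session id, a forged cross-site request cannot supply one without already holding the victim's session, and the expiry bounds the window in which a leaked token is useful; rejecting GET for state changes closes the simplest CSRF vector outright.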