Reports from RadboudUMC security officer #142

Open
cbaakman opened this issue Sep 19, 2023 · 1 comment

Comments


cbaakman commented Sep 19, 2023

We had fairdatapoint running in the following setup:

docker-compose.yml

# docker-compose.yml

version: '3'
services:
    proxy:
        ports:
            - 80:80
            - 443:443
        image: nginx:1.25.2
        volumes:
            # Mount the nginx folder with the configuration
            - /fdp/nginx:/etc/nginx:ro
            # Mount the letsencrypt certificates
            - /etc/ssl:/etc/ssl:ro
        networks:
            - fdp
    fdp:
        image: fairdata/fairdatapoint:1.16
        volumes:
            - /fdp/application.yml:/fdp/application.yml:ro
        networks:
            - fdp

    fdp-client:
        image: fairdata/fairdatapoint-client:1.16
        environment:
            - FDP_HOST=fdp
        networks:
            - fdp
    mongo:
        image: mongo:4.2
        volumes:
            - /fdp/mongo/data:/data/db
        networks:
            - fdp

    blazegraph:
        image: metaphacts/blazegraph-basic:2.2.0-20160908.003514-6
        ports:
            - 8080:8080
        volumes:
            - /fdp/blazegraph:/blazegraph-data
        networks:
            - fdp

# Top-level definition of the user-defined network that every service above joins;
# compose refuses to start when a service references a network that is not declared here.
networks:
    fdp:

application.yml

# application.yml

instance:
    clientUrl: https://fdp.cmbi.umcn.nl
    persistentUrl: https://fdp.cmbi.umcn.nl

security:
    jwt:
        token:
            secret-key:  xxxx

# repository settings (can be changed to different repository)
repository:
    type: 5
    blazegraph:
        url: http://blazegraph:8080/blazegraph/

spring:
    data:
        mongodb:
            uri: mongodb://mongo:27017/fdp

nginx fdp conf

server {
    listen 443 ssl;

    # Enable TLS and forward secrecy
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Note: ssl_ciphers only selects suites for TLS 1.2 and older. With TLSv1.3 as the sole
    # protocol, OpenSSL's fixed TLS 1.3 suites are used and the RC4/EDH entries below are never negotiated.
    ssl_ciphers "ECDHE EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    # Generated certificates using certbot, we will mount these in docker-compose.yml
    ssl_certificate /etc/ssl/certs/intranetwiki-bundle_13032023.crt;
    ssl_certificate_key /etc/ssl/private/intranetwiki.cmbi.umcn.nl_13032023.key;

    ssl_dhparam /etc/ssl/certsdhparam.pem;
    ssl_ecdh_curve secp384r1;  # Requires nginx >= 1.1.0

    server_name fdp.cmbi.umcn.nl;

    # We pass all the request to the fdp-client container, we can use HTTP in the internal network
    # fdp-client_1 is the name of the client container in our configuration, we can use it as host
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_headers on;
        proxy_pass http://fdp-client;
        #proxy_pass http://fairdatapoint-client;
    }

    location /blazegraph/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_headers on;
        proxy_pass http://blazegraph:8080/blazegraph/;
    }
}

# We redirect all request from HTTP to HTTPS
server {
    listen 80;
    server_name fdp.cmbi.umcn.nl;
    return 301 https://$host$request_uri;
}

The RadboudUMC security officer reports the following security vulnerabilities (with solutions provided):

  • PivotX Multiple Cross-Site Scripting and Arbitrary File Upload Vulnerabilities
  • PivotX TimThumb Domain Name Security Bypass Vulnerability
    (Customers are advised to upgrade to PivotX 2.3.9 and later to remediate these vulnerabilities.)
  • WordPress NextScripts: Social Networks Auto-Poster Plugin "wp-admin/admin.php" Cross-Site Scripting Vulnerability
    (Customers are advised to install WP NextScripts 4.2.8 or later versions to remediate this vulnerability.)
  • Adobe Commerce Improper Input Validation (APSB22-12)
  • Adobe Magento Arbitrary Code Execution Vulnerability (APSB22-38)
    (The issue has been patched: https://helpx.adobe.com/security/products/magento/apsb22-38.html)

Since we're just using the fairdatapoint software, we don't know where these software packages are used in the fairdatapoint code. We're hereby asking the maintainers to solve these issues. Thank you!
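Added example, not part of this issue and not code from the FAIR Data Point project: a small Python triage script for a scanner report like the one above. None of the named products (PivotX, a WordPress plugin, Adobe Commerce/Magento) corresponds to any image in the compose file, which usually means a black-box scanner inferred them from HTTP responses rather than from installed software. The script compares the responses at paths those products would normally expose against control paths that no application should serve; when every path, controls included, comes back 200 with an identical body, the front end is answering everything with one page (what a single-page client behind a proxy typically does, assumed here rather than verified against this deployment) and path-existence findings cannot be trusted. The product-to-path mapping, the control paths, the `fetch`/`probe` helpers and the sample responses are all constructed for this example.

```python
import hashlib
import urllib.error
import urllib.request

# Paths the products named in the scanner report would normally expose.
# Hypothetical selection for triage, not taken from the report itself.
FINDING_PATHS = {
    "PivotX": ["/pivotx/index.php", "/pivotx/includes/timthumb.php"],
    "WordPress NextScripts (SNAP)": ["/wp-admin/admin.php", "/wp-login.php"],
    "Adobe Commerce / Magento": ["/magento_version", "/admin/"],
}

# Control paths that no real application should serve. If these return 200
# with one and the same body, the front end is a catch-all.
CONTROL_PATHS = ["/triage-control-4c1f2a/", "/triage-control-9e7d31.php"]


def fingerprint(status, body):
    """Reduce a response to what the triage compares on: status and a body hash."""
    return status, hashlib.sha256(body).hexdigest()


def fetch(base_url, path, timeout=10):
    """Live probe of one path (assumed helper; not exercised by the offline test)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "fdp-scan-triage/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return fingerprint(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return fingerprint(err.code, err.read())


def catch_all_signature(responses):
    """Body hash of the catch-all page if every control path returned 200 with
    an identical body, else None."""
    control = [responses[p] for p in CONTROL_PATHS if p in responses]
    if len(control) < 2:
        return None
    statuses = {status for status, _ in control}
    hashes = {body_hash for _, body_hash in control}
    if statuses == {200} and len(hashes) == 1:
        return hashes.pop()
    return None


def triage(responses):
    """Classify each reported product.

    responses: {path: (status, body_hash)} as produced by fetch() or constructed.
    Returns {product: verdict}.
    """
    catch_all = catch_all_signature(responses)
    verdicts = {}
    for product, paths in FINDING_PATHS.items():
        distinct_hits = []
        for path in paths:
            if path not in responses:
                continue
            status, body_hash = responses[path]
            # A 200 whose body differs from the catch-all page is real content
            # at that path and needs a human look.
            if status == 200 and body_hash != catch_all:
                distinct_hits.append(path)
        if distinct_hits:
            verdicts[product] = "review: distinct 200 at " + ", ".join(distinct_hits)
        elif catch_all is not None:
            verdicts[product] = "false positive: single-page catch-all answers every path"
        else:
            verdicts[product] = "not present: no 200 responses"
    return verdicts


def probe(base_url):
    """Collect responses for every finding and control path from a live host."""
    paths = CONTROL_PATHS + [p for ps in FINDING_PATHS.values() for p in ps]
    return {p: fetch(base_url, p) for p in paths}


# Constructed sample: every path, controls included, returns the same index.html,
# which is the pattern that turns a scanner's path checks into false positives.
SPA_PAGE = hashlib.sha256(b"<html><body><div id=app></div></body></html>").hexdigest()
SAMPLE_RESPONSES = {
    p: (200, SPA_PAGE)
    for p in CONTROL_PATHS + [p for ps in FINDING_PATHS.values() for p in ps]
}

if __name__ == "__main__":
    for product, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{product}: {verdict}")
```

Against a live host, `triage(probe("https://fdp.example.org"))` gives one verdict per reported product; only a 200 whose body differs from the catch-all page is worth sending to a human, and a product that never returns 200 is simply absent. Run the probe from a network position that reaches the site the same way the scanner did, since a proxy or WAF in between changes the answers.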

@dennisvang

Perhaps the maintainers could enable private-vulnerability-reporting for issues like this?
