Our security team ran a nessus scanner on our proposed indico2 machine. This is running indico 2.1.2 with legacy data from indico 1.2.1.
There were 2 problems found. The clickjacking problem could be solved by adding
add_header X-Frame-Options “SAMEORIGIN”;
to the server section of the nginx indico.conf.
But the html injections error I don’t know how to solve. The report shows:
The following resources may be vulnerable to HTML injection :
- The ‘_provider’ parameter of the /login/ CGI :
/login/?_provider=%00<<<<"brines%20>>>
-------- output -------Content-Length: 27094
Connection: keep-alive
X-Indico-URL: /login/?_provider=%00<<<<"brines%20>>>
-----------------------+ The ‘sessions’ parameter of the /event/222/attachments/package CGI :
/event/222/attachments/package?sessions=%00<<<<"brines%20>>>
-------- output -------Content-Length: 27195
Connection: keep-alive
X-Indico-URL: /event/222/attachments/package?sessions=%00<<<<"brines%20>
(and more similar to this - I can post this section of the pdf report if interested). When I put these URLs in the browser, indico shows “Bad Request NUL byte found in query data”.
The report says to contact the vendor for an update.
Can anyone comment on this? Is this an actual problem?
Regards,
Chris
We already set this header in management areas, but not on display pages since people may want to embed those in iframes.
The NUL error is harmless and can be safely ignored.
The HTML injection appears to be a false positive, since it seems to detect the URL being echoed in the X-Indico-URL header as injection - but since that header is supposed to contain the URL, it is not actually injection nor harmful.
If there are any other warnings (that aren’t X-Indico-URL “injections”); Could you email the PDF to indico-team@cern.ch? While it looks like false positives, we’d prefer to not have such a report public before verifying that there are indeed no real security issues.
Thanks. All the warnings are X-Indico-URL “injections”. I’ll email that part of the report in any case.
Regards,
Chris
Hi Chris,
I am also interested in the HTML injection vulnerability part. Do you have any update on this?
- The ‘detail’ parameter of the /event/34/event.ics CGI :
/event/34/event.ics?detail=<"rcwztx%0A>
-------- output --------
Content-Disposition: inline; filename=event.ics
Cache-Control: no-cache, private
X-Indico-URL: /event/34/event.ics?detail=<"rcwztx%0A>
Strict-Transport-Security: max-age=63072000
X-Frame-Options: SAMEORIGIN
There is no vulnerability with this header.
So this is indeed a false positive warning? I am deploying Indico within our school network and in order to open it up to the internet, I will need to fix all the warning. Is there a way that I can avoid this warning? I completely understand that this is indeed a false positive. And thank you for the wonderful software.
Like I said, it is a false positive. This header simply echoes back the current URL. If you have someone telling you that you need to fix it, feel free to direct them to us, so we can explain directly to them why there is no danger in this header (or even better, have them explain why they think this is an issue).