jQuery & other issues following upgrade to 3.1.1.2

We’ve upgraded to 3.1.1.2 but have security scan issues regarding outdated jQuery libraries (and issues associated with that) as well as CGI Generic Unseen Parameters Discovery. Can anyone shed any light on how we might resolve these?

Hi @loola,

We are not aware of any vulnerable libraries in the current OJS 3.x release, even though they may not be entirely up to date.

As for the “CGI Generic Unseen Parameters Discovery”, I would suppose this is a particular complaint of whatever scanning tool you’re using – that message doesn’t make sense to me without further context. If you’re able to find a better description of the issue I can look into it further. Note that we’ve gone through several audits from third party auditing tool reports and generally these have a lot of false positives, as they make a lot of assumptions about the way a web application is written.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi,

Thanks for your reply. With regards to the CGI issue the scan gives the following description and solution:

Description: By sending requests with additional parameters such as ‘admin’, ‘debug’, or ‘test’ to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.

This behavior suggests that such a parameter, while unseen, is used by the affected application(s) and may enable an attacker to bypass authentication, read confidential data (like the source of the scripts), modify the behavior of the application(s) or conduct similar attacks to gain privileges.

Note that this script is experimental and may be prone to false positives.

Solution: Inspect the reported CGIs and, if necessary, modify them so that security is not based on obscurity.

See Also: http://projects.webappsec.org/Predictable-Resource-Location

So as you have said this might be a false positive.

Hi @loola,

Yes, speaking in general I can think of places where this would cause false positives. For example, the OAI-PMH specification requires that the server respond with an error condition when unknown parameters are provided, so the OJS implementation of the OAI-PMH interface will legitimately behave this way.

Regards,
Alec Smecher
Public Knowledge Project Team
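As an added illustration of the OAI-PMH point above (example code written for this thread, not part of OJS or the PKP codebase), the block below implements the spec-mandated argument check that returns a `badArgument` error for unknown parameters, and a small triage helper that applies the scanner's "does an extra parameter change the response?" heuristic and reports whether the difference is explained by that protocol error. The verb/argument table is taken from the OAI-PMH 2.0 specification (the exclusive `resumptionToken` rule is deliberately not modelled); the endpoint, base URL and probe names are constructed for the example.

```python
# Added example (not from the forum thread or OJS): minimal OAI-PMH argument
# validation plus a triage helper for the "unseen parameter" scanner finding.
from xml.sax.saxutils import escape

# Allowed arguments per OAI-PMH 2.0 verb: (required, optional). Constructed
# from the protocol spec; the "resumptionToken is exclusive" rule is omitted.
OAI_VERB_ARGS = {
    "Identify": (set(), set()),
    "ListMetadataFormats": (set(), {"identifier"}),
    "ListSets": (set(), {"resumptionToken"}),
    "GetRecord": ({"identifier", "metadataPrefix"}, set()),
    "ListIdentifiers": ({"metadataPrefix"}, {"from", "until", "set", "resumptionToken"}),
    "ListRecords": ({"metadataPrefix"}, {"from", "until", "set", "resumptionToken"}),
}


def validate_oai_request(params):
    """Return None for a well-formed request, else (error_code, message)."""
    verb = params.get("verb")
    if verb not in OAI_VERB_ARGS:
        return ("badVerb", "Illegal OAI verb")
    required, optional = OAI_VERB_ARGS[verb]
    supplied = set(params) - {"verb"}
    unknown = supplied - required - optional
    if unknown:
        # This is the path an extra 'admin=1' / 'debug=1' probe lands on:
        # the spec requires an error, so the response legitimately changes.
        return ("badArgument", "Unknown argument(s): " + ", ".join(sorted(unknown)))
    missing = required - supplied
    if missing:
        return ("badArgument", "Missing required argument(s): " + ", ".join(sorted(missing)))
    return None


def handle_oai_request(params, base_url="http://journal.example/oai"):
    """Toy OAI-PMH endpoint: a fixed Identify-style answer, or a spec-style
    error body. (Constructed stand-in for a real repository endpoint.)"""
    err = validate_oai_request(params)
    if err:
        code, msg = err
        return '<OAI-PMH><error code="%s">%s</error></OAI-PMH>' % (escape(code), escape(msg))
    verb = params["verb"]
    return "<OAI-PMH><%s><baseURL>%s</baseURL></%s></OAI-PMH>" % (verb, escape(base_url), verb)


def triage_unseen_parameter(handler, params, probe="debug", probe_value="xyzzy"):
    """Apply the scanner heuristic: call the handler with and without an extra
    parameter and classify the difference. A change that consists of a
    documented badArgument error is expected protocol behaviour; any other
    change is worth a manual look at the handler."""
    baseline = handler(params)
    probed = handler(dict(params, **{probe: probe_value}))
    differs = baseline != probed
    explained = differs and 'code="badArgument"' in probed
    if explained:
        verdict = "expected protocol error (likely false positive)"
    elif differs:
        verdict = "unexplained difference; inspect handler"
    else:
        verdict = "no difference"
    return {"differs": differs, "explained_by_badArgument": explained, "verdict": verdict}


if __name__ == "__main__":
    print(triage_unseen_parameter(handle_oai_request, {"verb": "Identify"}))
    # A handler that silently changes behaviour on a hidden flag, with no
    # error body, is the case the scanner is actually worried about.
    hidden_flag = lambda p: "extended view" if "debug" in p else "normal view"
    print(triage_unseen_parameter(hidden_flag, {"verb": "Identify"}))
```

Running the triage against the toy OAI-PMH handler reports the difference as an expected `badArgument` error, which is the false-positive case described in the reply; running it against a handler that quietly alters its output on a hidden flag reports an unexplained difference, which is the kind of endpoint the Nessus solution text asks you to inspect.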