[Loris-dev] PSV-4804_Université McGill-979000_ Vulnerability report from the CGCD _ 2024-09-25 #VM000675 (fwd)
Sylvain MILOT
sylvain at bic.mni.mcgill.ca
Thu Sep 26 11:05:34 EDT 2024
Hi Folks,
What is your recommendation to mitigate this issue?
This is Loris version 23.0.0 (Release Date: 2020-06-12), if I'm to trust the CHANGELOG.md file on Ubuntu 16.04.4 LTS.
Unsure if this is maintained anymore, but the person who was responsible for it is a member of this mailing list - Alfredo Morales Pinzon, I believe.
---
Sylvain Milot (sylvain at bic.mni.mcgill.ca, sylvain.milot at mcgill.ca)
IT Analyst / Research Systems Admin
McConnell Brain Imaging Centre / Montreal Neurological Institute
3801 University Street, Webster 2B, Room 206
Montreal, Qc., Canada, H3A 2B4
-------------- next part --------------
Hello Sylvain and Ivan,
The Government of Quebec's Centre Gouvernemental de Cyberdéfense discovered the vulnerability or vulnerabilities listed in the table below.
By law, McGill University is required to:
take action to address any vulnerabilities they find;
promptly reply back to them with a plan for resolving the issue(s).
As we have a limited timeframe to address the situation, could you please reply back to this email no later than Sep 27th to confirm that you've either resolved the vulnerability, or provide us with your proposed plan and timeframe to do so? Due to our legal obligations, if the vulnerability has not been resolved after Nov. 25th we will have to temporarily block external access to the service, system, or site (e.g. it will not be accessible to anyone from outside the McGill network).
Vulnerability Details:
Name: ipmsa-loris.bic.mni.mcgill.ca
Address: 132.216.133.49
Vulnerability webpages :
Affected Items : https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/
PSV ID: PSV-4804
Asset: https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/
Criticality: 2- Medium
PSV creation date: 2024-09-25
What is the impact of the maximum harm? (e.g. "Reputation: high"): Medium
Is a fix available? (yes/no): YES
1) Criticality : CVSS 6.5
2) Description : Cross-Site Scripting (XSS) attacks occur when data is included in dynamic content that is sent to a web user without checking for malicious content. The variety of XSS-based attacks is almost limitless, but they typically involve transmitting private data to the attacker or performing other malicious operations on the user's machine under the guise of the vulnerable site. The "from", "firstname", and "lastname" parameters have been found to be vulnerable to XSS HTML injection attacks. These parameters are used on the IPMSA account sign-up page.
3) Probability : After intercepting the request, the attacker can test the parameters to inject malicious code. This vulnerability is often exploited by attackers.
4) Impact : The attacker can inject malicious code or cause a redirect to a dangerous site. They can also exfiltrate information entered by the victim.
5) Proposed solution : Data from the form must be validated and sanitized on the server side before it is used or stored. The "from", "firstname" and "lastname" fields were used for injection, but it is important to validate and sanitize all fields in the form.
6) Reference : OWASP Top Ten 2017 | A7:2017-Cross-Site Scripting (XSS) | OWASP Foundation<https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html>
https://www.cgisecurity.com/xss-faq.html
7) Details and proofs of concept :
To demonstrate the execution of the JavaScript code, here are 3 links displaying an alert with the value 1:
ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last&from=testest.com"><script>alert`1`</script>&site=2&project<https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last&from=testest.com%22%3E%3Cscript%3Ealert%601%60%3C/script%3E&site=2&project>
ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first"><script>alert`1`</script>&lastname=last&from=testest.com&site=2&project<https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first%22%3E%3Cscript%3Ealert%601%60%3C/script%3E&lastname=last&from=testest.com&site=2&project>
ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last"><script>alert`1`</script>&from=testest.com&site=2&project<https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last%22%3E%3Cscript%3Ealert%601%60%3C/script%3E&from=testest.com&site=2&project>
Next steps:
Get help if needed: If you're not sure what to do, don't hesitate to reach out to your IT team or service provider. They can guide you through the steps to fix these issues.
In the future: It's crucial to proactively scan and address vulnerabilities promptly to keep your system secure.
Stay in touch: Once you've taken steps to fix things, let us know. We'll do our best to help if you need further assistance or have any questions.
Hope to hear from you soon,
Kindly find the attached file.
Best Regards,
Jaetaek Kim CISSP
IT Information Security Analyst
Infrastructure and Information Security (IIS)
T: 514-396-1036
Jaetaek.kim at mcgill.ca<mailto:Jaetaek.kim at mcgill.ca> | www.mcgill.ca/it<http://www.mcgill.ca/it>
805 Sherbrooke O. #200, Montréal, QC, H3A 0B9
Get CyberSafe and Secure Your Journey. | www.mcgill.ca/cybersafe<http://www.mcgill.ca/cybersafe>
From: COCD <cocd at education.gouv.qc.ca<mailto:cocd at education.gouv.qc.ca>>
Sent: September 24, 2024 1:44 PM
To: Sylvain Hamel <sylvain.hamel at mcgill.ca<mailto:sylvain.hamel at mcgill.ca>>; Dennis Hayson Wong <hayson.wong at mcgill.ca<mailto:hayson.wong at mcgill.ca>>; Jacek Slaboszewicz <jacek.slaboszewicz at mcgill.ca<mailto:jacek.slaboszewicz at mcgill.ca>>
Cc: Alex Aragona <alex.aragona at mcgill.ca<mailto:alex.aragona at mcgill.ca>>
Subject: PSV-4804_Université McGill-979000_ Vulnerability report from the CGCD _ 2024-09-25
Importance: Low
Hello,
We wish to inform you that we have received a report from the CGCD of a vulnerability affecting one of your assets.
We have placed the report (PSV-4804) on Teams:
TM-SI-3-Réseaux-GTIR > Partage - Universités > 979000 - Université McGill > Signalement Vulnérabilité CGCD. <https://eduqc.sharepoint.com/sites/TM-SI-3-Reseaux-GTIR-Partage-Universits/Documents%20partages/Partage%20-%20Universit%C3%A9s/979000%20-%20Universit%C3%A9%20McGill/Signalement%20Vuln%C3%A9rabilit%C3%A9%20CGCD>
According to the GMVI process <https://eduqc.sharepoint.com/sites/TM-SI-3-Reseaux-GTIR/Documents%20partages/General/Processus%20GMVI%202022-V4.2-2022-06-22.pdf> , you are required to take charge of this vulnerability and provide us with answers to the questions below no later than: 27-09-2024
Given that the probability of occurrence (Priority) is: Medium
Using table 1:
1. Which type of harm has the highest impact? (Example: Harm to reputation)
2. What is your assessment of the impact level of the selected harm? (Example: High)
3. Is a fix available without in-house development?
According to tables 8 to 10 and your answer to question 3:
4. What is the remediation deadline prescribed by the GMVI process? (2/8/15/30/45/60/90 days)
If you have any questions, do not hesitate to contact us.
This email is confidential and intended exclusively for the organization that owns the target asset. If you are not the intended recipient and have received this email in error, please delete it immediately and notify us.
Handled by: Sofien Khayat
sofien.khayat.ext at education.gouv.qc.ca<mailto:sofien.khayat.ext at education.gouv.qc.ca>
Centre Opérationnel de Cyberdéfense
Ministère de l'Éducation et Ministère de l'Enseignement supérieur
Email: cocd at education.gouv.qc.ca<mailto:cocd at education.gouv.qc.ca>
Tel.: (418) 644-0602 ext. 4000
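
The proposed solution in item 5 of the report, as an added PHP example that is not part of the original messages and is not LORIS code. The reported payloads begin with `">`, which closes an HTML attribute, so the example assumes the parameters are reflected into `value="..."` attributes; the function names `h`, `clean_field`, `render_unsafe` and `render_safe` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Function names are hypothetical, not LORIS code.

// Encode for an HTML attribute or element body. ENT_QUOTES matters here:
// the reported payloads start with a double quote to close value="...".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Server-side validation: accept only bounded single-line strings, reject
// arrays (?firstname[]=x) and control characters. Returns '' when rejected.
function clean_field(array $query, string $name, int $maxLen = 100): string
{
    $raw = $query[$name] ?? '';
    if (!is_string($raw)) {
        return '';
    }
    $value = trim($raw);
    if (strlen($value) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return '';
    }
    return $value;
}

// Before: the query value is concatenated into the attribute unencoded.
function render_unsafe(array $query, string $name): string
{
    return '<input type="text" name="' . $name . '" value="' . ($query[$name] ?? '') . '">';
}

// After: validated on input, then encoded for the attribute context on output.
function render_safe(array $query, string $name): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h(clean_field($query, $name)) . '">';
}

// Constructed request, using the firstname value quoted in the report.
$query = ['firstname' => 'first"><script>alert`1`</script>', 'lastname' => 'last', 'from' => 'testest.com'];

foreach (['firstname', 'lastname', 'from'] as $field) {
    echo render_unsafe($query, $field), PHP_EOL;
    echo render_safe($query, $field), PHP_EOL;
}
```

The length and control-character check only bounds the input; the output encoding is what keeps the quote and angle brackets from ending the attribute. Stricter per-field rules depend on what each field is meant to hold, which the report does not state.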