[Loris-dev] PSV-4804_Université McGill-979000_ Vulnerability report by the CGCD _ 2024-09-25 #VM000675 (fwd)
Dave MacFarlane
dave.macfarlane at mcin.ca
Thu Sep 26 11:31:11 EDT 2024
Hi Sylvain,
LORIS 23 is a very old version of LORIS that isn't supported anymore. The
current release is v26. The page in question was completely rewritten for
LORIS v24. (I just checked to make sure the current release doesn't appear
to be vulnerable) but I'm not sure who is responsible for
ipmsa-loris.bic.mni.mcgill.ca.
I think addressing this would either require upgrading the version of LORIS
on that instance or someone involved in ipmsa to do some development on an
unsupported version of LORIS to try and fix the issue. The former is
probably more advisable.
On Thu, Sep 26, 2024 at 11:06 AM Sylvain MILOT <sylvain at bic.mni.mcgill.ca>
wrote:
>
> Hi Folks,
>
> what is your recommendation to mitigate this issue ?
>
> this is Loris version 23.0.0 (Release Date: 2020-06-12), if I'm to trust
> the CHANGELOG.md file on Ubuntu 16.04.4 LTS
>
> Unsure if this is maintained anymore but the person who was responsible
> for it is a member of this mailing list - Alfredo Morales Pinzon I believe.
>
> ---
> Sylvain Milot (sylvain at bic.mni.mcgill.ca, sylvain.milot at mcgill.ca)
> IT Analyst / Research Systems Admin
> McConnell Brain Imaging Centre / Montreal Neurological Institute
> 3801 University Street, Webster 2B, Room 206
> Montreal, Qc., Canada, H3A 2B4
>
> Hello Sylvain and Ivan,
>
> The Government of Quebec's Centre Gouvernemental de Cyberdéfense
> discovered the vulnerability or vulnerabilities listed in the table below.
>
>
>
> By law, McGill University is required to:
>
>
>
> take action to address any vulnerabilities they find;
>
> promptly reply back to them with a plan for resolving the issue(s).
>
> As we have a limited timeframe to address the situation, could you please
> reply back to this email no later than Sep 27th to confirm that you've
> either resolved the vulnerability, or provide us with your proposed plan
> and timeframe to do so? Due to our legal obligations, if the vulnerability
> has not been resolved after Nov. 25th we will have to temporarily block
> external access to the service, system, or site (e.g. it will not be
> accessible to anyone from outside the McGill network).
>
>
>
> Vulnerability Details:
>
>
>
> Name: ipmsa-loris.bic.mni.mcgill.ca
>
> Address: 132.216.133.49
>
>
>
> Vulnerability webpages :
>
>
>
> Affected Items :
> https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/
>
>
>
>
>
> PSV ID: PSV-4804
> Asset: https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/
> Criticality: 2 - Medium
> PSV creation date: 2024-09-25
> What is the impact of the maximum harm? (e.g. "Reputation: High"): Medium
> Is a fix available? (yes/no): YES
>
>
>
>
>
> 1) Criticality : CVSS 6.5
>
> 2) Description : Cross-Site Scripting (XSS) attacks occur when data is
> included in dynamic content that is sent to a web user without checking for
> malicious content. The variety of XSS-based attacks is almost limitless,
> but they typically involve transmitting private data to the attacker or
> performing other malicious operations on the user's machine under the guise
> of the vulnerable site. The "from", "firstname", and "lastname" parameters
> have been found to be vulnerable to XSS HTML injection attacks. These
> parameters are used on the IPMSA account sign-up page.
>
> 3) Probability : After intercepting the request, the attacker can test the
> parameters to inject malicious code. This vulnerability is often exploited
> by attackers.
>
> 4) Impact : The attacker can inject malicious code or cause a redirect to
> a dangerous site. They can also exfiltrate information entered by the
> victim.
>
> 5) Proposed solution : Data from the form must be validated and sanitized
> on the server side before it is used or stored. The "from", "firstname" and
> "lastname" fields were used for injection, but it is important to validate
> and sanitize all fields in the form.
>
> 6) Reference : OWASP Top Ten 2017 | A7:2017-Cross-Site Scripting (XSS) |
> OWASP Foundation
> <https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html>
>
> https://www.cgisecurity.com/xss-faq.html
>
>
>
> 7) Details and proofs of concept :
>
> To demonstrate the execution of the JavaScript code, here are 3 links
> displaying an alert with the value 1:
>
>
>
>
> ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last&from=testest.com"><script>alert`1`</script>&site=2&project
> <https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last&from=testest.com%22%3E%3Cscript%3Ealert%601%60%3C/script%3E&site=2&project>
>
>
>
>
>
>
> ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first"><script>alert`1`</script>&lastname=last&from=testest.com&site=2&project
> <https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first%22%3E%3Cscript%3Ealert%601%60%3C/script%3E&lastname=last&from=testest.com&site=2&project>
>
>
>
> ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last"><script>alert`1`</script>&from=testest.com&site=2&project
> <https://ipmsa-loris.bic.mni.mcgill.ca/login/request-account/?firstname=first&lastname=last%22%3E%3Cscript%3Ealert%601%60%3C/script%3E&from=testest.com&site=2&project>
>
>
>
> Next steps:
>
>
>
> Get help if needed: If you're not sure what to do, don't hesitate to reach
> out to your IT team or service provider. They can guide you through the
> steps to fix these issues.
>
> In the future: It's crucial to proactively scan and address
> vulnerabilities promptly to keep your system secure.
>
> Stay in touch: Once you've taken steps to fix things, let us know. We'll
> do our best to help if you need further assistance or have any questions.
>
> Hope to hear from you soon,
>
>
>
> Kindly find the attached file.
>
>
>
> Best Regards,
>
>
>
> *Jaetaek Kim **CISSP*
>
> IT Information Security Analyst
>
> Infrastructure and Information Security (IIS)
>
> T: 514-396-1036
>
> Jaetaek.kim at mcgill.ca | www.mcgill.ca/it
>
> 805 Sherbrooke O. #200, Montréal, QC, H3A 0B9
>
> *Get CyberSafe and Secure Your Journey. *| www.mcgill.ca/cybersafe
>
>
>
>
>
> *From:* COCD <cocd at education.gouv.qc.ca>
> *Sent:* September 24, 2024 1:44 PM
> *To:* Sylvain Hamel <sylvain.hamel at mcgill.ca>; Dennis Hayson Wong <
> hayson.wong at mcgill.ca>; Jacek Slaboszewicz <jacek.slaboszewicz at mcgill.ca>
> *Cc:* Alex Aragona <alex.aragona at mcgill.ca>
> *Subject:* PSV-4804_Université McGill-979000_ Vulnerability report by
> the CGCD _ 2024-09-25
> *Importance:* Low
>
>
>
> Hello,
>
> We wish to inform you that we have received a report from the CGCD of a
> vulnerability affecting one of your assets.
>
> We have placed the report *(PSV-4804)* on Teams:
> TM-SI-3-Réseaux-GTIR > Partage - Universités > 979000 - Université McGill >
> Signalement Vulnérabilité CGCD.
> <https://eduqc.sharepoint.com/sites/TM-SI-3-Reseaux-GTIR-Partage-Universits/Documents%20partages/Partage%20-%20Universit%C3%A9s/979000%20-%20Universit%C3%A9%20McGill/Signalement%20Vuln%C3%A9rabilit%C3%A9%20CGCD>
>
> Under the GMVI process
> <https://eduqc.sharepoint.com/sites/TM-SI-3-Reseaux-GTIR/Documents%20partages/General/Processus%20GMVI%202022-V4.2-2022-06-22.pdf>,
> you are required to take charge of this vulnerability and provide us with
> answers to the questions below no later than:
> *27-09-2024*
>
> Given that the probability of occurrence (Priority) is: *Medium*
>
> Using table 1:
> 1. What type of harm has the highest impact? (Example: harm to
> reputation)
> 2. What is your assessment of the impact level of the selected harm?
> (Example: High)
>
> 3. Is a fix available without in-house development?
>
> According to tables 8 to 10 and your answer to question 3:
> 4. What is the remediation deadline prescribed by the GMVI process?
> (2/8/15/30/45/60/90 days)
>
>
> If you have any questions, do not hesitate to contact us.
>
>
> This e-mail is confidential and intended exclusively for the organization
> that owns the target asset. If you are not the intended recipient and have
> received this e-mail in error, please delete it immediately and notify us.
>
> Case handler: Sofien Khayat
> sofien.khayat.ext at education.gouv.qc.ca
>
> Centre Opérationnel de Cyberdéfense
> Ministère de l’Éducation et Ministère de l’Enseignement supérieur
>
> E-mail: cocd at education.gouv.qc.ca
> Tel.: (418) 644-0602 ext. 4000
>
> _______________________________________________
> Loris-dev mailing list
> Loris-dev at bic.mni.mcgill.ca
> https://mailman.bic.mni.mcgill.ca/mailman/listinfo/loris-dev
>
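
The fix the quoted report proposes (server-side validation plus output encoding of "from", "firstname" and "lastname"), shown as an added PHP example that is not LORIS code and not part of this thread. The rendering functions, the validation rules and the assumption that "from" carries an e-mail address are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for one request-account form field; not LORIS code.
// Vulnerable form: the query value is copied into a double-quoted attribute.
function field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Encode for the HTML attribute context at output time.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: the same markup with every dynamic value encoded.
function field_escaped(string $name, string $value): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Server-side validation of the three reported parameters (assumed rules).
function validate_request(array $query): array
{
    $errors = [];
    foreach (['firstname', 'lastname'] as $key) {
        $v = $query[$key] ?? '';
        // Letters, combining marks, spaces, apostrophes, dots, hyphens; 1 to 100 chars.
        if (!is_string($v) || preg_match('/\A[\p{L}\p{M} \'.\-]{1,100}\z/u', $v) !== 1) {
            $errors[] = $key;
        }
    }
    $from = $query['from'] ?? '';
    if (!is_string($from) || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'from';
    }
    return $errors; // names of the fields that failed validation
}

// Constructed sample input, shaped like the values quoted in the report.
$query = [
    'firstname' => 'first',
    'lastname'  => 'last',
    'from'      => 'testest.com"><script>alert`1`</script>',
];

echo field_vulnerable('from', $query['from']), PHP_EOL; // the quote closes the attribute early
echo field_escaped('from', $query['from']), PHP_EOL;    // the value stays inside the attribute
echo 'rejected: ', implode(', ', validate_request($query)), PHP_EOL;
```

Validation narrows what the form accepts, but the encoding at output is what keeps a value from being parsed as markup, so it applies to every field the page echoes back.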