Reg Geonetwork vulnerabilities in Acunetix

Reg Geonetwork vulnerabilities in Acunetix

girishkgp
Hi,

We have a GeoNetwork 2.10.3 running on Apache Tomcat 9. When it was
scanned using Acunetix for vulnerabilities, it gave the following
vulnerabilities

*Application error message vulnerability*

location                                 Numbers

/geonetwork/j_spring_security_check      1
/geonetwork/srv/eng/main.home            21
/geonetwork/srv/eng/xml.region.get       1

*HTML form without CSRF protection*

location                                 Numbers

/geonetwork/srv/eng/main.home            1

Kindly provide a solution to remove the vulnerabilities.
(Are there any settings to be modified in Tomcat or in the GeoNetwork
configuration?)


Thank You
Girish

_______________________________________________
GeoNetwork-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
Re: Reg Geonetwork vulnerabilities in Acunetix

Jose Garcia
Hi Girish

CSRF protection has been supported since GeoNetwork 3.4.x. There are no plans
to backport that work to earlier versions of GeoNetwork; please check whether
upgrading is an option.

Regards,
Jose García

On Mon, Dec 30, 2019 at 6:43 AM Girish Kumar <[hidden email]> wrote:

> Hi,
>
> We have a GeoNetwork 2.10.3 running on Apache Tomcat 9. When it was
> scanned using Acunetix for vulnerabilities, it gave the following
> vulnerabilities
>
> *Application error message vulnerability*
>
> location                                 Numbers
>
> /geonetwork/j_spring_security_check      1
> /geonetwork/srv/eng/main.home            21
> /geonetwork/srv/eng/xml.region.get       1
>
> *HTML form without CSRF protection*
>
> location                                 Numbers
>
> /geonetwork/srv/eng/main.home            1
>
> Kindly provide a solution to remove the vulnerabilities.
> (Are there any settings to be modified in Tomcat or in the GeoNetwork
> configuration?)
>
>
> Thank You
> Girish


--
Vriendelijke groeten / Kind regards,
Jose García
<http://www.geocat.net/>
Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664
Please consider the environment before printing this email.
