Hi Scott,

Serious security problems should not be fixed via pull request - please responsibly disclose these by e-mailing them (with or without patches) to galaxy-lab@lists.galaxyproject.org. The Galaxy core development team will issue patches to public servers before announcing the issue to ensure there is time to patch and highlight these fixes widely. We will provide you credit for the discovery when publicly disclosing the issue.

-Dannon

On Tue, Aug 11, 2015 at 10:16 AM, Scott Szakonyi <Scott.B.Szakonyi.1@nd.edu> wrote:
Hello all,

In testing our servers for security vulnerabilities, we've detected some cross site scripting and SQL injection problem on our Galaxy server. Is that something that should be reported as a bug/problem? I did search the Trello board but didn't find any open security related items.

Thanks!

--
Scott B. Szakonyi
Research Programmer

Center for Research Computing
107 Information Technology Center
Notre Dame, IN 46556
http://crc.nd.edu

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/