The user creation and login script can be injected with executable javascript in Galaxy
Hello Galaxy-team,
A Galaxy instance is being held on our server. But last week, an expert in security made some tests on our server. He warned us that the user creation and login script can be injected with executable JavaScript in Galaxy, which may make our server vulnerable.
He gave us a report of 3 pages (other issues include non-SSL passwords and the Galaxy cookie). We don't know whether it's serious and whether we need to fix these issues immediately. Is Galaxy going to be updated for these issues? Or do we need to modify them ourselves? Any suggestion is appreciated. Thanks!
-- Hanfei Sun
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
Hanfei,
I'd be happy to take a look at the report and share it with the rest of the team if you'd like to send it directly to me. Regarding SSL, this is definitely something that you can set up for your own instance; see the documentation for configuring proxies on the wiki: http://wiki.g2.bx.psu.edu/Admin/Config/Performance/nginx%20Proxy. Thanks!
-Dannon
On Sep 24, 2012, at 12:01 AM, Hanfei Sun <ad9075@gmail.com> wrote: