Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
The Trace method is enabled because of the Apache module, but it is not the
default in Debian, and it should not be enabled, for more information see the
following:
https://www.kb.cert.org/vuls/id/867593
Change-Id: I06a06ae679dbf7049f26a017125b61e5e38f6268
|
|
This is a first step mitigation until we can have a newer apache that
will allow us to specify dh parameters other than the default.
Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d
|
|
#5103)
Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea
|
|
The LEAP web application can be displayed inside other pages using an HTML
iframe. Therefore, an attacker can embed parts of the LEAP application inside
of a webpage they control. They can then use special style properties to
disguise the embedded page. By tricking a user in to clicking in the iframe, the
attacker can coerce the user in to performing unintended actions within the LEAP
web application.
An attacker creates a website that embeds the LEAP web application in an iframe.
They then create an HTML /JavaScript game on the same page that involves
clicking and dragging sprites. When a user plays the game, they are in fact
dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app,
which is hidden behind the game using
As long as iframe embedding is not required in the normal usage of the
application, the X-Frame-Options header should be added to prevent browsers from
displaying the web application in frames on other origins.
This has also been set in the webapp
Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
|
|
. Disable ServerSignature
. Set ServerTokens Prod
. unset the X-Powered-By and X-Runtime apache headers
Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
|
|
This presents us with an interesting problem of deprecation. We need to manage
the removal of something that we previously installed in any released code. How
long we carry the puppet code that removes raises some interesting questions: do
we require that someone who deployed version 1 (where the apache ssl proxy was
deployed) of the platform upgrade first to version 2 (where we remove the apache
ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal
is no longer present) -- or do we allow people to skip versions?
|
|
|
|
|