[Go-essp-tech] Fwd: esg-gateway security vulnerability

Nathan Wilhelmi wilhelmi at ucar.edu
Tue Oct 25 20:11:52 MDT 2011


Hi Luca,

This is fixed per notes below in the release that went out today.

Thanks!

-Nate


On 10/25/2011 06:13 AM, Cinquini, Luca (3880) wrote:
> This is what I got yesterday from our SA, looks like a JS security flaw
> in YUI. Please let me know if it will be fixed in future versions of the
> gateway.
> thanks, Luca
>
> Begin forwarded message:
>
>> *From: *"Zimdars, Paul A (3880-Affiliate)" <Paul.A.Zimdars at jpl.nasa.gov>
>> *Date: *October 24, 2011 5:41:10 PM MDT
>> *To: *"Cinquini, Luca (3880)" <Luca.Cinquini at jpl.nasa.gov>
>> *Cc: *"Mattmann, Chris A (388J)" <chris.a.mattmann at jpl.nasa.gov>, sa at list.jpl.nasa.gov
>> *Subject: **esg-gateway security vulnerability*
>>
>> Hi Luca,
>>
>> Please see the attached PDF which lists a security vulnerability on
>> the following URL:
>>
>> http://esg-gateway.jpl.nasa.gov/js/yui/2.8.0/build/connection/connection-min.js
>>
>> The vulnerability has been identified by JPL security as High. The
>> vulnerability is stated as "Flash Parameter allowScriptAccess is set
>> to Always". The fix is to change the following '<param
>> name="allowScriptAccess" value="always">' in:
>>
>> /usr/local/gateway/apache-tomcat/webapps/ROOT/js/yui/2.8.0/build/connection/connection-min.js
>>
>> to:
>>
>> '<param name="allowScriptAccess" value="sameDomain">'
>>
>> In order to renew the PAR we will need to resolve this issue. We can
>> make the change or you can make the change. Please let us know what
>> you would like to do.
>>
>> Thanks,
>> Paul
>
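Paul's recommended change, turned into a check a maintainer can run before and after the edit. This is an added example, not code from the thread, from YUI, or from the ESG gateway: it scans a JS or HTML source for Flash `allowScriptAccess` settings (on `<param>`, `<embed>` or `<object>` tags, including HTML carried inside JS string literals), reports each one with its line number, flags `always`, and rewrites it to `sameDomain`. The sample source is constructed for the example and is not the real `connection-min.js`; the function names are hypothetical.

```javascript
// Added example, not part of the thread or of YUI: find Flash allowScriptAccess
// settings in JS/HTML source and rewrite "always" to "sameDomain".

// Constructed sample in the shape of HTML embedded in a JS string. It is NOT the
// real YUI 2.8.0 connection-min.js, only a stand-in for the pattern discussed.
const SAMPLE_SOURCE = [
  "// constructed sample",
  "var html = '<object type=\"application/x-shockwave-flash\" data=\"connection.swf\">' +",
  "  '<param name=\"allowScriptAccess\" value=\"always\">' +",
  "  '<param name=\"movie\" value=\"connection.swf\">' +",
  "  '<embed src=\"connection.swf\" allowScriptAccess=\"always\" type=\"application/x-shockwave-flash\">' +",
  "  '</object>';",
].join('\n');

// Opening <param>, <embed> and <object> tags; the setting can sit on any of them.
const TAG_RE = /<(param|embed|object)\b([^>]*)>/gi;
// One attribute: name=value with double quotes, single quotes or no quotes.
const ATTR_RE = /([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// The allowScriptAccess value a tag carries, or undefined if it carries none.
// <param> expresses it as name/value; <embed> and <object> as a direct attribute.
function scriptAccessOf(tagName, attrs) {
  if (tagName === 'param') {
    return (attrs.name || '').toLowerCase() === 'allowscriptaccess' ? attrs.value : undefined;
  }
  return attrs.allowscriptaccess;
}

// Detection: every allowScriptAccess setting with its 1-based line number;
// "always" is flagged as risky, anything else (sameDomain, never) is not.
function findAllowScriptAccess(source) {
  const findings = [];
  for (const tag of source.matchAll(TAG_RE)) {
    const tagName = tag[1].toLowerCase();
    const value = scriptAccessOf(tagName, parseAttrs(tag[2]));
    if (value === undefined) continue;
    const line = source.slice(0, tag.index).split('\n').length;
    findings.push({ tag: tagName, line, value, risky: value.toLowerCase() === 'always' });
  }
  return findings;
}

// Mitigation: rewrite "always" to sameDomain (or another value) on the tags found.
// Tags whose value is already something else are returned unchanged.
function hardenAllowScriptAccess(source, replacement = 'sameDomain') {
  return source.replace(TAG_RE, (whole, tagName, attrText) => {
    const name = tagName.toLowerCase();
    const value = scriptAccessOf(name, parseAttrs(attrText));
    if (value === undefined || value.toLowerCase() !== 'always') return whole;
    // Only the attribute holding the value is touched; the rest of the tag is kept.
    const attr = name === 'param' ? 'value' : 'allowScriptAccess';
    const re = new RegExp('(\\b' + attr + '\\s*=\\s*["\']?)always(["\']?)', 'i');
    return whole.replace(re, '$1' + replacement + '$2');
  });
}

// Human-readable report lines, one per finding.
function report(source) {
  return findAllowScriptAccess(source).map(f =>
    `line ${f.line}: <${f.tag}> allowScriptAccess=${f.value}${f.risky ? '  <-- HIGH' : ''}`);
}

// Stand-alone run: report the sample, then the hardened copy of it.
console.log('before:\n' + report(SAMPLE_SOURCE).join('\n'));
console.log('after:\n' + report(hardenAllowScriptAccess(SAMPLE_SOURCE)).join('\n'));
```

The value matters because `allowScriptAccess` governs whether the embedded SWF may call into the hosting page's JavaScript; `always` grants that to a movie regardless of where it was loaded from, while `sameDomain` limits it to movies served from the page's own origin. Running the scan over the deployed file after the edit confirms that no `always` remains, which is the check the PAR renewal in the thread asks for.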

