Security Scan issues

Hi,

I'm working with a government agency that requires security scans for new sites. Using this testing suite, they've identified a number of issues affecting Omeka.

  1. Autocomplete on email/password-related inputs...
    • admin login and forgot-password forms
    • Guest User login, register, forgot-password forms
  2. Cross-frame scripting on admin login forms

To address item #1, I've found it most expedient to use JavaScript to add "autocomplete=off" as needed within custom theme templates (for user-facing forms) and via plugin (for admin-related forms). It would admittedly probably be better to filter the forms' HTML output. I'd appreciate any tips to that end.

As for issue #2, perhaps someone can offer some details on how best to fix it as I'm not entirely sure where to start.

Cheers -- E

For cross-frame scripting stuff, it may depend on the specific tool as to what it'll count as "secure."

Your main options are adding an X-Frame-Options header to prevent the pages from being contained in a frame, or adding "framebusting" JavaScript that accomplishes basically the same thing. OWASP has some explanation and examples of the various options.
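As an added illustration of the header-based option (this is example code, not from this thread or from Omeka), here is a small Node.js check that, given a response's headers, reports whether X-Frame-Options or a CSP frame-ancestors directive would stop the page being framed, which is roughly what a scanner tests, plus the header addition a plugin or web-server config would make. Header values and the sample responses are constructed.

```javascript
// Added example: check whether a response's headers stop the page being
// framed (clickjacking / cross-frame scripting), roughly what a scanner
// tests, and apply the header-based fix described above.

// Extract the sources listed in a CSP frame-ancestors directive, or null.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Assess anti-framing protection from a header object (names in any case).
function assessFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  // Browsers honour DENY and SAMEORIGIN; ALLOW-FROM is ignored and gives no protection.
  const xfoBlocks = xfo === 'DENY' || xfo === 'SAMEORIGIN';

  const ancestors = frameAncestors(h['content-security-policy']);
  // frame-ancestors restricts framing unless it allows every origin ('*')
  // or a whole scheme such as 'https:'; modern browsers prefer it over X-Frame-Options.
  const cspBlocks = ancestors !== null &&
    !ancestors.some((a) => a === '*' || /^[a-z][a-z0-9+.-]*:$/.test(a));

  return { xFrameOptions: xfo || null, frameAncestors: ancestors,
           protectedByXfo: xfoBlocks, protectedByCsp: cspBlocks,
           protected: xfoBlocks || cspBlocks };
}

// The fix as a server-side header addition (what an Omeka plugin or
// web-server config would emit): both headers, for older and newer browsers.
function withFramingHeaders(headers) {
  return { ...headers,
           'X-Frame-Options': 'SAMEORIGIN',
           'Content-Security-Policy': "frame-ancestors 'self'" };
}

// Constructed sample: an admin login response before and after the fix.
const loginBefore = { 'Content-Type': 'text/html; charset=utf-8' };
const loginAfter = withFramingHeaders(loginBefore);
console.log(assessFraming(loginBefore).protected, assessFraming(loginAfter).protected); // false true
```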

Thanks John. Looks like the Frame Breaking Script fix was enough to pass these particular security requirements.