Security.MD
3 additions & 2 deletions
@@ -12,15 +12,16 @@ OpenCATS uses MD5 hashing to store passwords. This will be replaced in future ve
### XSS
-
The main vector for [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks is via the career portal (which is disabled by default). htmlspecialchars is used to protect career portal form submissions. Back-end (non-public) web-pages remain vulnerable to XSS. This will be deployed in future releases.
+
The main vector for [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks is via the career portal (which is disabled by default). htmlspecialchars is used to protect career portal form submissions. Back-end (non-public) web-pages remain vulnerable to XSS. This internal page protection was deployed in v0.9.7.2
### Malicious uploads
The OpenCATS career portal permits resume uploads. Please review and configure .htaccess as per the [security guidance](https://documentation.opencats.org/technical-configuration-options/vital-security-restrict-access-to-upload-folders-.htaccess) to restrict malicious uploads.
+
Since version 0.9.7 this is no longer required, as a whitelist of 'good' filetypes is used during upload. However, htaccess restrictions and file permissions should be reviewed and deployed.
### Composer
-
Composer vulnerabilities are released often and will require a review of the Composer.lock file to move to known good versions of dependencies. Other dependencies within the Composer requiements are needed only for testing and can be removed from produciton systems. These remain to be documented.
+
Composer vulnerabilities are released often and will require a review of the Composer.lock file to move to known good versions of dependencies. Other dependencies within the Composer requiements are needed only for testing and can be removed from produciton systems. These development packages are removed from the releases since version 0.9.7.2, however if you pull in dependencies by using composer (rather than use the releases - ensure you use the --no-dev option as documented here https://documentation.opencats.org/#which-package-to-install)