CSESoc Website Vulnerable to OpenSSL Heartbleed Vulnerability #19
Comments
The update depends on being able to update linux-headers-server, which according to evgeny could break the server (it's very fragile). What is the vulnerability to CSESoc by not patching the issue until we deploy the new site?
Is there any fix other than upgrading openssl?
Upgrading OpenSSL will definitely fix the bug, but at the same time, will require a restart of the server and may lead to server breakage as you said. There may be OpenSSL alternatives for our case, but all of them will most likely require a server restart also, and they also may break the server. If you're absolutely certain that you can't upgrade the packages, then you can potentially try and get Cloudflare with SSL (paid), which means that the CSESoc servers will use Cloudflare's SSL proxy instead (which has been patched). That is one way we can mitigate without restart or server modification - however it would be costly.
Given we store very little sensitive data, it's probably not worth it. We
That's fine, the only thing I'd recommend is making sure that there are no payment forms/any other forms which could contain really sensitive data. Since I can sniff POST data remotely, anything you enter on csesoc's site is open to the world. Anyways, looking forward to the new site! 😄
We shouldn't be using any of the payment until the new site is open - I
No worries - thanks for helping co-ordinate this 😃
http://i.imgur.com/BT5WytM.png
The Heartbleed vulnerability (heartbleed.com) leads to information disclosure from the server if the server has a vulnerable version of OpenSSL installed.
In this case, the best way to mitigate this vulnerability would be to install the newest version of OpenSSL, which has patched this issue.
This allows for the remote viewing of arbitrary HTTP data being sent to the server - including cookies and POST data.
The script at s3.jspenguin.org/ssltest.py can be used to test this.
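As an added defender-side example (my code, not part of this issue or the CSESoc project), the following Python script answers the question the thread is circling: is the installed OpenSSL actually affected, and is a patch in place? It classifies an `openssl version` banner against the upstream Heartbleed-affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1), and, because Debian/Ubuntu backport the fix without changing the upstream version string, also compares the installed package revision against the revision named in the vendor advisory. It further checks `/proc/<pid>/maps` for processes still holding a replaced libssl in memory, since an upgraded package does nothing for a service that has not been restarted. The Ubuntu 12.04 fixed revision used in the sample, 1.0.1-4ubuntu5.12, is the value I recall from USN-2165-1 and is an assumption to confirm against the advisory; the banners, package versions and maps lines are constructed.

```python
import glob
import re
import subprocess

# Upstream OpenSSL releases affected by Heartbleed (heartbleed.com):
# 1.0.1 through 1.0.1f, and 1.0.2-beta through 1.0.2-beta1. 1.0.1g and
# 1.0.2-beta2 carry the fix; the 1.0.0 and 0.9.8 branches were never affected.
VULNERABLE_RANGES = [("1.0.1", "1.0.1f"), ("1.0.2-beta", "1.0.2-beta1")]

# Debian/Ubuntu keep the upstream version string (e.g. "1.0.1") and only bump
# the package revision when they backport a fix, so the upstream check alone
# reports false positives on a patched box. The revision below is the Ubuntu
# 12.04 value from USN-2165-1 as I recall it (assumption: confirm against the
# advisory before relying on it).
FIXED_PACKAGE_REVISIONS = {"ubuntu-12.04": "1.0.1-4ubuntu5.12"}

# Constructed /proc/<pid>/maps excerpts: a process that still maps a libssl
# file that was replaced on disk, and one that maps the current file.
SAMPLE_MAPS_STALE = (
    "7f3c2a000000-7f3c2a05a000 r-xp 00000000 08:01 131094 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f3c2a25a000-7f3c2a25e000 r--p 0005a000 08:01 131094 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
)
SAMPLE_MAPS_FRESH = (
    "7f3c2a000000-7f3c2a05a000 r-xp 00000000 08:01 131201 /lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
)


def version_key(version: str) -> list:
    """Split "1.0.1e" into [1, ".", 0, ".", 1, "e"] so that Python's list
    ordering compares digit runs numerically and letter/separator runs
    lexically. This is a simplified dpkg-style comparison: it does not model
    dpkg's special "~" ordering, which is not needed for these versions."""
    if not version or not version[0].isdigit():
        raise ValueError(f"unexpected version string: {version!r}")
    return [int(tok) if tok.isdigit() else tok for tok in re.findall(r"\d+|\D+", version)]


def parse_openssl_banner(banner: str) -> str:
    """Extract the version from `openssl version` output,
    e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"."""
    match = re.match(r"OpenSSL\s+(\S+)", banner.strip())
    if not match:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return match.group(1)


def upstream_is_vulnerable(version: str) -> bool:
    """True if the upstream version falls inside a Heartbleed-affected range."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in VULNERABLE_RANGES)


def package_is_patched(installed: str, fixed: str) -> bool:
    """Compare a distribution package version with the vendor's fixed revision."""
    return version_key(installed) >= version_key(fixed)


def assess(banner: str, package_version: str = None, fixed_revision: str = None) -> str:
    """Classify a host from its openssl banner and, optionally, the libssl
    package version plus the revision the vendor advisory names as fixed."""
    version = parse_openssl_banner(banner)
    if not upstream_is_vulnerable(version):
        return "not affected"
    if package_version and fixed_revision:
        if package_is_patched(package_version, fixed_revision):
            return "patched (vendor backport)"
        return "vulnerable (package older than vendor fix)"
    return "vulnerable (upstream range; no vendor fix recorded)"


def stale_libssl_mappings(maps_text: str) -> bool:
    """True if a /proc/<pid>/maps dump shows libssl mapped from a file that was
    replaced on disk ("(deleted)"): the process still runs the old library."""
    return any("libssl" in line and line.rstrip().endswith("(deleted)")
               for line in maps_text.splitlines())


def processes_with_stale_libssl() -> list:
    """PIDs on this machine that need a restart to pick up an upgraded libssl."""
    hits = []
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as fh:
                if stale_libssl_mappings(fh.read()):
                    hits.append(int(path.split("/")[2]))
        except OSError:
            continue  # process exited, or not readable by this user
    return hits


def assess_local_ubuntu_host(fixed_revision: str) -> str:
    """Live check: banner from `openssl version`, package version from dpkg."""
    banner = subprocess.check_output(["openssl", "version"], text=True)
    pkg = subprocess.check_output(
        ["dpkg-query", "-W", "-f=${Version}", "libssl1.0.0"], text=True)
    return assess(banner, pkg.strip(), fixed_revision)


if __name__ == "__main__":
    print(assess("OpenSSL 1.0.1 14 Mar 2012", "1.0.1-4ubuntu5.9",
                 FIXED_PACKAGE_REVISIONS["ubuntu-12.04"]))
    print("stale libssl in PIDs:", processes_with_stale_libssl())
```

Two points worth noting for the thread's situation: the numeric comparison matters, since a plain string compare would rank revision `5.9` above `5.12` and call an unpatched box fixed; and a "patched" package verdict only holds once every process that loaded the old libssl (the web server, in this case) has been restarted, which is the restart the thread is weighing against server fragility.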