Date: Mon, 27 Jun 2011 08:19:43 -0700
I promise only to send this one one time (really!).
This release addresses the following Service Request and Error Report:
Service Request 83181
Asks that view-only access be provided for the Web Merit application. Users
with the new view-only access should be able to view anything within the
Merit Review/Input selection on the Merit Menu but should not be able to
modify or save any data, regardless of cycle status. They should have the
ability to navigate within the Merit Review/Input portion of the application and
view information on pop-up windows (e.g. cycle information, title information,
employee information).
Specifically, the SR asks for two types of view-only access:
• View-only access that is restricted to particular departments
• Universal view-only access
Error Report 2363
UCLA has reported that the Web Merit application has the following security
vulnerabilities:
1. The application does not adequately scrub user-submitted data,
which can potentially allow for cross-site scripting and cross-site request
forgery.
2. The application is susceptible to cross-site request forgery (CSRF).
3. In terms of application error diagnostics, when the application
encounters an error, it allows the user to see the stack trace; it should give
the user a reference that the support team can use to find the stack trace in
the application log. This is a minor threat but it is good practice to avoid
revealing internal application details to end users.
Release documents are at http://www.ucop.edu/payroll/REL2011/R1974
Please approve as soon as possible.
Thanks!
Christopher Scott
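As an added illustration (not code from the release or from the Web Merit application itself), the pattern item 3 asks for and the output escaping behind item 1, in Python: the full stack trace is written to the application log under a random reference, and only that reference goes back to the user. The reference format, the in-memory log sink and the function names are assumptions.

```python
import html
import logging
import secrets
import traceback
from io import StringIO
from typing import Optional

# Constructed in-memory sink standing in for the application log file.
LOG_BUFFER = StringIO()
log = logging.getLogger("webmerit_example")  # hypothetical logger name
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(LOG_BUFFER))


def render_user_value(value: str) -> str:
    """Item 1: escape user-submitted data before placing it in HTML."""
    return html.escape(value, quote=True)


def handle_request_error(exc: BaseException) -> dict:
    """Item 3: log the stack trace under a reference id; the user gets only the id."""
    ref = secrets.token_hex(8)  # assumed reference format: 16 hex characters
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("[ref %s]\n%s", ref, trace)
    return {"status": 500, "body": f"An error occurred. Reference: {ref}"}


def find_trace_by_reference(ref: str) -> Optional[str]:
    """What support would do: look up the logged trace by its reference."""
    text = LOG_BUFFER.getvalue()
    marker = f"[ref {ref}]\n"
    start = text.find(marker)
    if start == -1:
        return None
    body_start = start + len(marker)
    nxt = text.find("[ref ", body_start)
    return text[body_start:nxt] if nxt != -1 else text[body_start:]


def demo_failure() -> dict:
    """Constructed failing request, handled the way the release describes."""
    try:
        raise ValueError("constructed failure in merit input")
    except ValueError as exc:
        return handle_request_error(exc)
```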