We are testing a WebAccess configuration change which will remove the need for the most common type of registration.
On Monday, March 11, 2013 at 6:27 p.m., AIT staff disabled the ITS Alerts website to prevent further exposure of a security vulnerability discovered earlier that day. In its place, a static placeholder page was added to give status information as to the progress of service restoration.
By 5:10pm, Tuesday, March 12, the rss files had been restored.
The security vulnerability was a form of SQL injection. While a previous attempt at defeating SQL injection of end-client inputs had been installed, it was deemed insufficient against modern methods, and the site was taken down while a more suitable correction could be installed.
Analysis revealed that while a remote system made an attempt to verify the vulnerability, no data had been disclosed; any data that would have been disclosed was either public information, or otherwise not sensitive. Further, the SQL injection vector did not have permission to modify any data due to least privilege policy.
When the service is restored, all original functionality and data will be intact, except for, of course, the vulnerability.
Please view the ITS Alerts site for updates as they become available.
Addendum (2013/Mar/13 1:07 p.m.): alert-2633 was created as the permanent alert message describing this service outage.
On March 7, 2013, the dirapps.aset.psu.edu certificate will be updated, per ITS Alert #2617 http://alerts.its.psu.edu/alert-2617. The certificate authority is changing from Thawte to Comodo.
WebAccess registrations received after 5 p.m. on Thursday, Dec. 20, will not be processed until Friday, Jan. 4, 2013.
For the QA service, the old hostname/port combination (cosign.aittest.psu.edu/6663) have been shut down.
On January 2, 2013, the WebAccess old configuration hostname and port (webaccess.psu.edu, port 6663) to which Cosign filters connect to validate cookies, is being shut down. The website, https://webaccess.psu.edu/, will remain the same. An alternate configuration is available …
The following is from this message; websites using CosignModule should be upgraded:
WebAccess protected websites are requested to change their Cosign filter configuration well before August 16, 2012. …
As a solution to the CosignModule's IPv6 bug, and to provide some flexibility in future configurations, we're switching to a new hostname and port number for Cosign filters to use.