Applied Information Technologies

ITS Alerts Unavailable

Wed, 13 Mar 2013 10:53:53 -0500

On Monday, March 11, 2013 at 6:27 p.m., AIT staff disabled the ITS Alerts website to prevent further exposure of a security vulnerability discovered earlier that day. In its place, a static placeholder page was added to give status information as to the progress of service restoration.

By 5:10pm, Tuesday, March 12, the rss files had been restored.

The security vulnerability was a form of SQL injection. While a previous attempt at defeating SQL injection of end-client inputs had been installed, it was deemed insufficient against modern methods, and the site was taken down while a more suitable correction could be installed.

Analysis revealed that while a remote system made an attempt to verify the vulnerability, no data had been disclosed; any data that would have been disclosed was either public information, or otherwise not sensitive. Further, the SQL injection vector did not have permission to modify any data due to least privilege policy.

When the service is restored, all original functionality and data will be intact, except for, of course, the vulnerability.

Please view the ITS Alerts site for updates as they become available.

Addendum (2013/Mar/13 1:07 p.m.): alert-2633 was created as the permanent alert message describing this service outage.

Dirapps Certificate Change on March 7, 2013

Thu, 28 Feb 2013 13:26:41 -0500

On March 7, 2013, the dirapps.aset.psu.edu certificate will be updated, per ITS Alert #2617 http://alerts.its.psu.edu/alert-2617. The certificate authority is changing from Thawte to Comodo.

WebAccess: Registrations suspended 12/21-1/3

Thu, 13 Dec 2012 22:30:13 -0500

WebAccess registrations received after 5 p.m. on Thursday, Dec. 20, will not be processed until Friday, Jan. 4, 2013.

WebAccess QA follow-up: new hostname/port number

Wed, 26 Sep 2012 17:57:07 -0500

For the QA service, the old hostname/port combination (cosign.aittest.psu.edu/6663) have been shut down.

WebAccess: old hostname and port being shut down 2013/1/2

Wed, 26 Sep 2012 13:43:13 -0500

On January 2, 2013, the WebAccess old configuration hostname and port (webaccess.psu.edu, port 6663) to which Cosign filters connect to validate cookies, is being shut down. The website, https://webaccess.psu.edu/, will remain the same. An alternate configuration is available …

Announcement: CosignModule 3.1.1 for IIS7 released

Wed, 22 Aug 2012 11:42:13 -0500

The following is from this message; websites using CosignModule should be upgraded:

WebAccess: Cosign filter configuration change

Mon, 09 Jul 2012 17:00:13 -0500

WebAccess protected websites are requested to change their Cosign filter configuration well before August 16, 2012. …

WebAccess QA: new hostname/port number

Mon, 25 Jun 2012 16:44:13 -0500

As a solution to the CosignModule's IPv6 bug, and to provide some flexibility in future configurations, we're switching to a new hostname and port number for Cosign filters to use.

Re: WebAccess QA: IPv6 testing

Wed, 23 May 2012 17:33:13 -0500

QA testing has revealed a problem with CosignModule (IIS 7).

Non user accounts in UCS

Tue, 22 May 2012 10:30:05 -0500

There are a number of options for non user accounts in UCS (and outside of UCS). What you request depends on the problem you are trying to solve. Below is a list and brief description of the options and how you get them.

www.work.psu.edu: Summer 2012 changes

Fri, 18 May 2012 10:43:47 -0500

On 22 May, 2012, during the ITS maintenance window (5:00–7:00 a.m.), ITS will update the www.work.psu.edu splash page and dashboard.

WebAccess QA: IPv6 testing

Mon, 14 May 2012 16:20:13 -0500

The WebAccess QA service now has IPv6 addresses (for browsers), please help test.

WebAccess: Systems on new hardware

Thu, 29 Mar 2012 16:40:13 -0500

During the maintenance window today (March 29, 2012), the WebAccess production servers were moved to a newer hardware platform, the same that has been in use by the WebAccess QA servers.

The moves were accomplished using the platform's live migration capability: no downtime was necessary.

WebAccess: Upgrading web server

Thu, 29 Mar 2012 15:57:13 -0500

A phased upgrade of the web server software used by the WebAccess production systems will begin on Saturday, March 31, 2012.

WebAccess QA: testing new web server

Thu, 22 Mar 2012 16:49:13 -0500

The WebAccess QA servers are using a new web server: please help us test it.