[ensembl-dev] XSS Vulnerability in web frontend

Anne Lyle annelyle at ebi.ac.uk
Thu Oct 9 09:27:53 BST 2014

Hi Ben

The Ensembl webcode is included in the Sanger Institute’s regular security audit, but of course problems can creep in between audits.

If you could send the details of the security loophole directly to us at ensembl-webteam at sanger.ac.uk, we can look into it further.



Anne Lyle
Ensembl Web Developer
European Bioinformatics Institute (EMBL-EBI)
East Wing, A3-118, Wellcome Trust Genome Campus, Hinxton, Cambridge, UK

Phone: +44 (0)1223 494178
Email: annelyle at ebi.ac.uk
Web: www.ensembl.org

On 9 Oct 2014, at 03:53, Ben Warren <Ben.Warren at plantandfood.co.nz> wrote:

> Hi All,
> I am trying to host an EnsEMBL instance which will be open to public access. I have been told (by a security audit) that there is a cross-site scripting vulnerability in the EnsEMBL frontend.
> As far as I understand this could allow the web content to be altered by a URL with markup (HTML) code in it. Is this a risk I should be worried about? Is there some documentation regarding EnsEMBL web security which I should be reading?
> Kind Regards
> Benjamin
