# website issues

https://code.greenhost.net/totem/website/-/issues

## #94 Bangla language not available on https://learn.totem-project.org/courses

Author: Remie Stronks
Updated: 2023-08-11T16:32:39Z
Assignee: Geoffrey Preud'homme

Hi Geoffrey,

On the landing page the Bangla language is available in the drop-down menu but not on https://learn.totem-project.org/courses

Can you please add the Bangla language too? If you don't have a translation then you can find it in Transifex.

Also, we would like to see the "BN" shown in Bangla if possible. Same as with Arabic for example.

Thanks!

From the 4th of August until the 14th of August I am on a holiday so you might need to contact Paco via email. If you have extra questions that is.

## #93 Connect the Bangla version of the "Explore our courses" button to all the courses in Bangla

Author: Remie Stronks
Updated: 2023-08-02T13:19:19Z

The button does work in all languages except for Bangla.
It's the buttons below I am talking about.

![Screenshot_from_2023-08-02_14-10-39](/uploads/212523383a7480b78620c1943039a980/Screenshot_from_2023-08-02_14-10-39.png)

![Screenshot_from_2023-08-02_14-13-23](/uploads/4a164daa70dbc789175a4566df6fee00/Screenshot_from_2023-08-02_14-13-23.png)

Assignee: Remie Stronks
Due date: 2023-08-03

## #89 Update Icon set on website

Author: Sylvain Mignot
Updated: 2021-12-09T14:07:12Z

## #88 GHT2-015 --- Outdated and Vulnerable Nginx Web server

Author: Maarten de Waard
Updated: 2022-02-11T11:40:51Z

### 4.15 GHT2-015 --- Outdated and Vulnerable Nginx Web server
Vulnerability ID: GHT2-015
Retest status:
Vulnerability type: Outdated Software
Threat level: Low
##### Description:

An outdated Nginx web server was found that revealed its version number in the banner.

##### Technical description:

According to the banner, the server is running Nginx version 1.19.2:

![image](/uploads/756fc9e5fefc73c3fcff1b79e5959995/image.png)

This version is vulnerable to [CVE-2021-23017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017), which is a security issue in the Nginx resolver.

##### Impact:

* This might allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or other problem. Other issues could lead to Denial of Service.

##### Recommendation:

* Upgrade to the latest version.
* Have a good update policy implemented.
* Do not display the server name and especially the version number in the banner.

## #87 GHT2-009 --- Middleman improper input validation results in XSS

Author: Maarten de Waard
Updated: 2021-12-24T13:15:30Z

### 4.9 GHT2-009 --- Middleman improper input validation results in XSS
Vulnerability ID: GHT2-009
Retest status:
Vulnerability type: XSS
Threat level: Moderate
##### Description:

Middleman is used to generate the totem-project.org website and does not properly validate input, resulting in XSS.

##### Technical description:

Adding the payload to the course description:

![image](/uploads/106d2b456ff38dab70aab5977186170e/image.png)

The payload is added:

![image](/uploads/24529631c16b019c70c2891354b9af67/image.png)

When running the rake script (this is a manual process initiated by a highly privileged SSH user), Middleman will be used to generate the new website, which will contain our payload that will redirect everyone that visits totem-project.org to the URL set in the payload (in this case radicallyopensecurity.com):

![image](/uploads/6b0c320daf2e35522e63b7a420a0117c/image.png)

![image](/uploads/384333df26be797b3eda7db787909187/image.png)

Note that the title field allowed dangerous input as well, but the Middleman conversion rejected the payload:

![image](/uploads/f38dfdd5dac4abe8061148db7a31297a/image.png)

##### Impact:

* Users' browsers can be attacked just by running the application. A successful attack could lead to session hijacking, credential theft, or infecting the client's system with malware. Note that the threat level would have been higher if lower privileged users were able to create or modify the course descriptions; at the moment this is however only allowed by staff and admin users.

##### Recommendation:

* All user input as well as output to users must be strictly filtered. Within these checks it is necessary to implement filter mechanisms that operate on a white list basis instead of a black list basis. It is recommended that parameters or input fields that can only consist of numerical values are only accepted by the server if they are in fact numeric. All checks have to be performed on the server and not on the client-side. To avoid cross-site scripting it is necessary to substitute special characters like `` [;()”´`,<>/] `` for their HTML equivalents. It is not sufficient to only filter special HTML tags like "script" because cross-site scripting vulnerabilities can be exploited through countless alternatives.
* More information can be found at: https://www.owasp.org/index.php/Cross_Site_Scripting

## #79 Add partners' tab/page

Author: Sylvain Mignot
Updated: 2022-08-25T09:54:22Z
Assignee: Paco Mens

## #73 host some static assets to include in emails

Author: Maarten de Waard
Updated: 2021-05-21T08:49:20Z

Some emails need to include stuff like the Totem logo, a Facebook logo, etc. We need to host them in a place that doesn't change (so not with an asset hash in the name).

## #63 Local middleman server produces warnings: URI.unescape is obsolete

Author: Remon Huijts
Updated: 2021-09-16T12:15:28Z

A middleman update might fix this. See also: https://github.com/middleman/middleman/issues/2312

## #62 Setting a key that conflicts with a built-in method

Author: Remon Huijts
Updated: 2021-09-16T12:16:17Z

The build output contains many warnings like this:
```
== Request: /index.html
W, [2020-09-07T09:46:21.786195 #45] WARN -- : You are setting a key that conflicts with a built-in method Middleman::Util::EnhancedHash#count defined in Enumerable. This can cause unexpected behavior when accessing the key as a property. You can still access the key via the #[] method.
W, [2020-09-07T09:46:22.622431 #45] WARN -- : You are setting a key that conflicts with a built-in method Middleman::Util::EnhancedHash#count defined in Enumerable. This can cause unexpected behavior when accessing the key as a property. You can still access the key via the #[] method.
== Finishing Request: index.html (2.05s)
create build/index.html
```
See also https://github.com/hashie/hashie/issues/423
I did not investigate yet whether our code is at fault or a library needs updating to fix this.