If you're running galaxy with REMOTE_USER authentication, do you have local users on the same box?
If you do, have you done anything to mitigate administrator impersonation in galaxy?
We currently have galaxy deployed on a box that acts as a classroom server. I was poking around and noticed that it was trivial to make curl requests with the REMOTE_USER variable set, and impersonate an admin.
I've been considering solutions to this and arrived on the conclusion that the interface should require a "password" in addition to REMOTE_USER being set. That is, a header with a long random string should be required to be set in the reverse proxy configs, as well as being checked on the galaxy side much like how REMOTE_USER is checked.
-- Eric Rasche
Center for Phage Technology
Texas A&M University
College Station, TX 77843
Ph: 4046922048
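The shared-secret check described above, as an added illustration rather than code from the post or from Galaxy itself: a small WSGI middleware that only honours REMOTE_USER when the request also carries a secret header that the reverse proxy injects. The header name `X-Proxy-Auth-Secret`, the `PROXY_SECRET` value and the `RequireProxySecret` class are all hypothetical names chosen for this example; it assumes the proxy forwards the identity as a `REMOTE_USER` header, which WSGI exposes as `HTTP_REMOTE_USER`.

```python
import hmac

# Constructed placeholder; in a real deployment this would be a long random string
# generated once and configured identically in the proxy and on the Galaxy side.
PROXY_SECRET = "replace-with-a-long-random-string"
# WSGI environ key for a hypothetical X-Proxy-Auth-Secret request header.
SECRET_HEADER = "HTTP_X_PROXY_AUTH_SECRET"


def trusted_remote_user(environ):
    """Return the REMOTE_USER value only if the proxy's shared secret is present.

    A request that sets REMOTE_USER without a valid secret is treated as
    unauthenticated, so a local process that connects straight to the backend
    (bypassing the proxy) cannot pick an identity just by setting the header.
    """
    remote_user = environ.get("HTTP_REMOTE_USER") or environ.get("REMOTE_USER")
    if not remote_user:
        return None
    presented = environ.get(SECRET_HEADER, "")
    # Constant-time comparison so the secret cannot be recovered via timing.
    if not hmac.compare_digest(presented.encode(), PROXY_SECRET.encode()):
        return None
    return remote_user


class RequireProxySecret:
    """WSGI middleware: refuse any request that asserts REMOTE_USER without the secret."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        asserted = environ.get("HTTP_REMOTE_USER") or environ.get("REMOTE_USER")
        if asserted and trusted_remote_user(environ) is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"REMOTE_USER asserted without a valid proxy secret\n"]
        return self.app(environ, start_response)
```

The check only helps if the proxy overwrites both headers on every request rather than passing through client-supplied values, and if the backend port is not reachable by other means that skip this middleware.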