[SATLUG] My new site...would like some feedback

Hector Bojorquez hector.bojorquez at gmail.com
Mon Oct 9 15:05:41 CDT 2006


ooo doggy... here comes the Plone/Zope jihadist!


On 10/9/06, Justizin <justizin at siggraph.org> wrote:
>
> On 10/9/06, Hector Bojorquez <hector.bojorquez at gmail.com> wrote:
> > Joomla/Mambo .... Good useful CMS software.
> > But....Crackers can own your box if you're not careful--- even if you take
> > all the "usual" precautions.
>
> Own your box or your website?  I suppose any system which allows users
> to log in and edit content and manage other aspects of the site can be
> owned by someone, somehow.
>
> I feel pretty confident in saying that no one would ever own your box
> because you run a Zope based CMS.  If this is really a problem, it's
> another good reason for anyone using something like Joomla or Mambo to
> look at using something like Plone on Zope:
>
> http://plone.org/
>
> > Keep an eye out for all updates.....secunia.org does a decent job of sending
> > alerts.  Of course Joomla/Mambo does too... but sometimes you have to keep a
> > close eye on forums in order to see potential problems coming.
>
> I won't say we've never had problems, but the last problem we had was
> basically that Russian spammers learned how to script login to our
> sites, create accounts, and create link spam using member content
> areas.  A lot of Plone sites do not allow member content, at least
> from newly created anonymous users, but for some sites, including
> plone.org, this was a problem.
>
> Nothing like owning, though.  The biggest problem is that it made our
> sites run really slow to be processing thousands of scripted account
> creations and bogus publishing per day.
>
> The same could happen to, say, deviantart.com.  The biggest thing we fixed
> was to check for valid image content in the user image field using the
> Python Imaging Library[0], as they were trying some sort of XSS attack
> by putting JavaScript in the image field.  Maybe this allowed it to
> load as trusted code in some browsers? Not sure.
>
> Anyway, no one has ever used Plone to root antiloop.plone.org.
>
> > Configure your php.ini NOT to accept the passthru directive...you CAN have
> > php.ini in your directories if this is a shared server-- But
> > httpd must be restarted for changes to take place.  (there are many php
> > directives that should be banned from use but banning mkdir, chown and
> > chmod makes it difficult to install modules and components... the best thing
> > to do, if you have ssh access, is to shut down httpd, allow ALL the
> > directives (default), restart httpd, install what you need, stop httpd,
> > disallow almost everything that is potentially dangerous, and restart
> > httpd.ini
>
> Passthrough directive?  Excuse me if I've distanced myself from the
> annals of php.ini in recent years. ;)
>
> > Keep an eye on your logs
> > If you install SEF components or Facile form components...be VERY careful
> > that you are installing the latest version and that you are aware of any
> > security problems.... BOTH of those components left boxes WIDE open a few
> > months ago.... all is well now though
> >
>
> What sort of vulnerabilities are these?  I guess it's hard to
> apologize for asking you to support my anti-marketing efforts for a
> product you use, but I wonder.
>
> I just tell people to use Plone because PHP sucks. ;)
>
> [0] I'm hoping we replace this with ImageMagick in the next year or
> so, or at least provide the option of using it.  PIL doesn't support a
> lot of valid image types which browsers support.
>
> --
> Justizin, Independent Interactivity Architect
> ACM SIGGRAPH SysMgr, Reporter
> http://www.siggraph.org/
> --
> _______________________________________________
> SATLUG mailing list
> SATLUG at satlug.org
> http://alamo.satlug.org/mailman/listinfo/satlug to unsubscribe
> Powered by Rackspace (www.rackspace.com)
>


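The image-field check Justizin describes, as an added example that is not from the post or from Plone: a header-level sniff that accepts only bytes that parse as a real PNG, GIF or JPEG and rejects anything else (HTML, JavaScript, a bare signature, absurd dimensions). It uses only the standard library in place of the PIL check the post mentions, so it runs without Pillow; the function names and the sample blobs are constructed for this example.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def sniff_image(data: bytes):
    """Return (format, width, height) if the bytes start like a real PNG, GIF
    or JPEG, else None.  Header-only parse: enough to reject HTML/JavaScript
    or a bare PNG signature with nothing behind it."""
    if data.startswith(PNG_SIG):
        # IHDR must be the first chunk: length(4) "IHDR" width(4) height(4)
        if len(data) >= 24 and data[12:16] == b"IHDR":
            w, h = struct.unpack(">II", data[16:24])
            return ("png", w, h)
        return None
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])  # logical screen size, LE
        return ("gif", w, h)
    if data[:2] == b"\xff\xd8":  # JPEG SOI: walk segments to the SOFn header
        i = 2
        while i + 9 < len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            if marker == 0x01 or 0xD0 <= marker <= 0xD8:
                i += 2  # standalone markers carry no length field
                continue
            seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return ("jpeg", w, h)
            i += 2 + seglen
    return None

def accept_upload(data: bytes, max_pixels: int = 4_000_000):
    """Gate for an uploaded 'image': returns (accepted, format_or_reason)."""
    info = sniff_image(data)
    if info is None:
        return (False, "not a recognised image")
    fmt, w, h = info
    if w == 0 or h == 0 or w * h > max_pixels:
        return (False, "unreasonable dimensions")  # decoder-bomb guard
    return (True, fmt)

# Constructed samples (headers only, not complete files) for a self-check.
SAMPLE_PNG = (PNG_SIG + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 200, 100) + b"\x08\x06\x00\x00\x00")
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 10, 20) + b"\x00\x00\x00"
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 48, 64)
               + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")
SAMPLE_SCRIPT = b"<script>alert(1)</script>"  # the kind of thing sent instead of an image
```

Serve the stored file under a Content-Type taken from the sniffed format, not from the client's declared type; together with the sniff, that is what keeps a browser from rendering a script-bearing "image" as HTML.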