Possible Major Security Problem

Paul Forsyth

Friday 24 October 2003 5:14:54 am

The javascript library used is here:

http://pajhome.org.uk/site/legal.html

Lars Holm Nielsen

Friday 24 October 2003 6:17:59 am

Hi,

I completely agree with Balazs, that if you want a secure site, then you should pump all traffic over SSL, or just the parts of the site which need to be secured. All other forms of javascript or digest security won't do the job (they all have some sort of weakness). It has nothing to do with going around a weakness of the application. The weakness is that someone doesn't know how to secure his/her site with SSL. This of course, can be solved by the community of eZ by contributing documentation on how to install eZ publish by using SSL.

Cheers,
Lars

A Sha

Friday 24 October 2003 9:42:31 am

Lars, there are many weaknesses, not "the" weakness.

Most users of eZPublish will not use SSL. This is one reason why it is important for eZPublish to provide good security by default.

Another reason is that there are some practical problems with requiring users to use SSL to solve security problems. One problem is that the users have to evaluate the security / speed tradeoffs themselves, but they are not necessarily experts in eZPublish so they won't know the security tradeoffs very well. Another problem is that it is very easy to mess up the installation of SSL in such a way so as to do nothing to aid security, especially if one tries to secure only part of the site (which is exactly what someone would want to do if they wanted to use SSL to address only this vulnerability without incurring performance penalties for the rest of the site).

I do agree that it could be helpful to have documentation for users about how to use SSL with their eZPublish sites. In my opinion this documentation is a completely separate issue.

A Sha

Friday 24 October 2003 4:57:22 pm

Here is a page that talks about how to do digest authentication from php (the source language of eZPublish): http://www.php.net/manual/en/features.http-auth.php
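A server-side Digest check along the lines of the PHP manual page linked above, added here as an example (it is not the thread's or eZ Publish's own code; the realm and the 'admin'/'secret' account are constructed for the demonstration):

```php
<?php
// Added example, not from the thread or eZ Publish: verify HTTP Digest
// authentication (RFC 2617, qop=auth) in PHP.
const REALM = 'Restricted area';
// Constructed sample account. A real deployment stores HA1 = md5("user:realm:pass")
// rather than the clear-text password.
$users = ['admin' => 'secret'];

// Send the 401 challenge with a fresh random nonce. A real deployment should
// remember issued nonces (and the nc counter) so a captured response cannot be replayed.
function send_challenge(string $realm): void {
    header('HTTP/1.1 401 Unauthorized');
    header(sprintf('WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"',
        $realm, bin2hex(random_bytes(16)), md5($realm)));
    exit('Authentication required');
}

// Parse the Authorization: Digest header into its fields; null if a required field is missing.
function parse_digest(string $txt): ?array {
    $required = ['nonce', 'nc', 'cnonce', 'qop', 'username', 'uri', 'response'];
    $data = [];
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $txt, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $data[$m[1]] = (isset($m[3]) && $m[3] !== '') ? $m[3] : $m[2];
    }
    foreach ($required as $field) {
        if (!isset($data[$field])) return null;
    }
    return $data;
}

// Recompute the expected response and compare it in constant time.
function check_digest(array $d, array $users, string $realm, string $method): bool {
    if ($d['qop'] !== 'auth' || !isset($users[$d['username']])) return false;
    $ha1 = md5($d['username'] . ':' . $realm . ':' . $users[$d['username']]);
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5($ha1 . ':' . $d['nonce'] . ':' . $d['nc'] . ':' . $d['cnonce'] . ':' . $d['qop'] . ':' . $ha2);
    return hash_equals($expected, $d['response']);
}

if (empty($_SERVER['PHP_AUTH_DIGEST'])) send_challenge(REALM);
$d = parse_digest($_SERVER['PHP_AUTH_DIGEST']);
if ($d === null || !check_digest($d, $users, REALM, $_SERVER['REQUEST_METHOD'])) send_challenge(REALM);
echo 'You are logged in as: ' . htmlspecialchars($d['username']);
```

Digest only keeps the clear-text password off the wire; the rest of the request and the response still travel unencrypted, which is the gap the SSL advice earlier in this thread addresses.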

Serg Tsay

Wednesday 01 March 2006 12:01:58 am

<form enctype="multipart/form-data" action="form.php" method="post">
  <input type="file" name="userfile">
  <input type="hidden" name="MAX_FILE_SIZE" value="100000000000">
  <input type="submit" value="Upload">
</form>

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.