Possible Major Security Problem


Paul Forsyth

Friday 24 October 2003 5:14:54 am

The javascript library used is here:

http://pajhome.org.uk/site/legal.html

Lars Holm Nielsen

Friday 24 October 2003 6:17:59 am

Hi,

I completely agree with Balazs, that if you want a secure site, then you should pump all traffic over SSL, or just the parts of the site which need to be secured. All other forms of JavaScript or digest security won't do the job (they all have some sort of weakness). It has nothing to do with going around a weakness of the application. The weakness is that someone doesn't know how to secure his/her site with SSL. This, of course, can be solved by the community of eZ by contributing documentation on how to install eZ publish by using SSL.

Cheers,
Lars

A Sha

Friday 24 October 2003 9:42:31 am

Lars, there are many weaknesses, not "the" weakness.

Most users of eZPublish will not use SSL. This is one reason why it is important for eZPublish to provide good security by default.

Another reason is that there are some practical problems with requiring users to use SSL to solve security problems. One problem is that the users have to evaluate the security / speed tradeoffs themselves, but they are not necessarily experts in eZPublish so they won't know the security tradeoffs very well. Another problem is that it is very easy to mess up the installation of SSL in such a way so as to do nothing to aid security, especially if one tries to secure only part of the site (which is exactly what someone would want to do if they wanted to use SSL to address only this vulnerability without incurring performance penalties for the rest of the site).

I do agree that it could be helpful to have documentation for users about how to use SSL with their eZPublish sites. In my opinion this documentation is a completely separate issue.

A Sha

Friday 24 October 2003 4:57:22 pm

Here is a page that talks about how to do digest authentication from php (the source language of eZPublish): http://www.php.net/manual/en/features.http-auth.php
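As an added example (not code from this thread or from eZ Publish), the following script shows the server side of HTTP Digest authentication in PHP, the mechanism that manual page describes. The realm name and the $users table are constructed for the example; a real site would store HA1 = md5("user:realm:password") rather than plaintext passwords, and would persist issued nonces so a captured Authorization header cannot be replayed.

```php
<?php
// Added example (not eZ Publish code): HTTP Digest authentication in PHP.
// Assumptions: the realm and the $users table below are constructed for the
// example; PHP_AUTH_DIGEST is populated only when PHP runs as an Apache module.

$realm = 'eZ publish admin';
$users = ['admin' => 'correct horse battery staple'];  // constructed credentials

// Parse the Digest header into its name=value fields.
// Returns null if a field required for qop="auth" is missing.
function parse_digest(string $header): ?array
{
    $required = ['username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response'];
    $fields = [];
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $fields[$m[1]] = ($m[2] !== '') ? $m[2] : ($m[3] ?? '');
    }
    foreach ($required as $name) {
        if (!isset($fields[$name])) {
            return null;
        }
    }
    return $fields;
}

// Compute the response value the client must send (RFC 2617, qop="auth").
function digest_response(string $ha1, string $method, array $f): string
{
    $ha2 = md5($method . ':' . $f['uri']);
    return md5($ha1 . ':' . $f['nonce'] . ':' . $f['nc'] . ':' . $f['cnonce'] . ':' . $f['qop'] . ':' . $ha2);
}

// Send a fresh challenge; the random nonce is what keeps a sniffed response
// from being useful later (only if the server also refuses old nonces).
function send_challenge(string $realm): void
{
    header('HTTP/1.1 401 Unauthorized');
    header(sprintf(
        'WWW-Authenticate: Digest realm="%s", qop="auth", nonce="%s", opaque="%s"',
        $realm, bin2hex(random_bytes(16)), md5($realm)
    ));
    exit('Authentication required');
}

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    send_challenge($realm);
}

$f = parse_digest($_SERVER['PHP_AUTH_DIGEST']);
if ($f === null || $f['realm'] !== $realm || !isset($users[$f['username']])) {
    send_challenge($realm);
}

// HA1 is the only value that involves the password; compare in constant time.
$ha1 = md5($f['username'] . ':' . $realm . ':' . $users[$f['username']]);
if (!hash_equals(digest_response($ha1, $_SERVER['REQUEST_METHOD'], $f), $f['response'])) {
    send_challenge($realm);
}

echo 'Logged in as ' . htmlspecialchars($f['username']);
```

Two caveats a practitioner should keep in mind: the password itself never crosses the wire, but everything after authentication (page contents, any session cookie the application sets) still does, and the construction is built on MD5. Without SSL, digest authentication only protects the credential exchange, which is the kind of limitation the earlier posts are arguing about.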

Serg Tsay

Wednesday 01 March 2006 12:01:58 am

<form enctype="multipart/form-data" action="form.php" method="post">
  <!-- MAX_FILE_SIZE must come before the file input for PHP to honour it. It is only
       a hint sent by the client, so the server must still enforce its own limit
       (upload_max_filesize / post_max_size) and check the received file size. -->
  <input type="hidden" name="MAX_FILE_SIZE" value="100000000000">
  <input type="file" name="userfile">
  <input type="submit" value="Upload">
</form>

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.