Bug 593487 - Disable Public Access to /admin
Status: Closed (RESOLVED FIXED)
Opened 15 years ago; closed 15 years ago
Product / Component: Mozilla Labs Graveyard :: FlightDeck (defect)
Tracking: Not tracked
Reporter: mcoates; Assignee: Unassigned
Whiteboard: [infrasec:access]
Issue
The Django admin page is publicly accessible at the following URL:
https://builder.mozillalabs.com/admin/
An attacker could attempt to guess or brute-force the credentials to this page. If successful, the admin page provides the ability to modify files that could result in site instability or the introduction of attacks against other users.
Recommended Remediation
Restrict access to /admin/ to internal Mozilla connections only.
Comment 1•15 years ago
What's the difference between this login and https://builder.mozillalabs.com/user/signin/ ? Can a user off of /user/signin/ ever be an admin?
Comment 2•15 years ago
yes - it's the same authentication system - if it fails for username/password it's scraping AMO
Comment 3•15 years ago
Ok, we should combine the two then (having /admin's auth forward to the other form would be fine)
Comment 4•15 years ago
I actually removed admin on production servers (we don't really need it there - SQL is enough):
http://github.com/mozilla/FlightDeck/commit/17da83ba0cb41a84183f8302eabadc35377ef26d
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: webtools-security
Product: Mozilla Labs → Mozilla Labs Graveyard
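Neither the report nor comment 4 includes code, so the following is an added example (not FlightDeck's own code) of the two remediations discussed in this bug: the reporter's recommendation of restricting /admin/ to internal networks, and comment 4's approach of removing admin on production entirely. It is written as plain WSGI middleware so it runs without Django; in a Django project it would wrap the `application` object in wsgi.py. The internal network ranges, the trusted-proxy range and the `/admin/` prefix are constructed assumptions.

```python
"""Gate a WSGI application's /admin/ prefix: allowlist internal networks, or
disable the prefix entirely. Added example; not FlightDeck or Django code."""
import ipaddress

# Constructed assumption: address ranges considered "internal".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed assumption: reverse proxies whose X-Forwarded-For we honour.
# Any other peer's X-Forwarded-For is ignored, because clients control it.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def client_ip(environ):
    """Return the client address as an ipaddress object.

    REMOTE_ADDR is the TCP peer. X-Forwarded-For is consulted only when that
    peer is a trusted proxy; then the rightmost entry is the address the proxy
    itself observed (earlier entries may be client-supplied)."""
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer  # malformed header: fall back to the peer address
    return peer


def is_internal(ip):
    """True when ip falls inside one of the allowlisted internal networks."""
    return any(ip in net for net in INTERNAL_NETWORKS)


class AdminAccessMiddleware:
    """WSGI middleware guarding every path under `prefix`.

    enabled=True  -> 403 unless the client is internal (the reporter's remediation)
    enabled=False -> 404 for the whole prefix (comment 4's removal on production)"""

    def __init__(self, app, prefix="/admin/", enabled=True):
        self.app = app
        self.prefix = prefix
        self.enabled = enabled

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Match "/admin" and anything under "/admin/", but not "/administrator".
        if path == self.prefix.rstrip("/") or path.startswith(self.prefix):
            if not self.enabled:
                start_response("404 Not Found", [("Content-Type", "text/plain")])
                return [b"Not Found"]
            if not is_internal(client_ip(environ)):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"Forbidden"]
        return self.app(environ, start_response)


def _upstream(environ, start_response):
    """Stand-in for the real application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"upstream"]


def request(app, path, remote_addr, xff=None):
    """Drive one request through a WSGI app; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = AdminAccessMiddleware(_upstream)
    print(request(guarded, "/admin/", "203.0.113.5"))                    # external: 403
    print(request(guarded, "/admin/", "10.2.3.4"))                       # internal: 200
    print(request(guarded, "/admin/", "203.0.113.5", xff="10.9.9.9"))    # spoofed XFF: 403
    print(request(AdminAccessMiddleware(_upstream, enabled=False), "/admin/", "10.2.3.4"))
```

The X-Forwarded-For handling is the part worth checking in a real deployment: if the app sits behind a load balancer, REMOTE_ADDR is the balancer, so the allowlist must read the forwarded address, but only from peers known to be the balancer, otherwise an external client can claim an internal address in the header. Network restriction complements, rather than replaces, credential hygiene on the admin accounts; combining the two login paths (comment 3) or removing admin where it is not needed (comment 4) remain the simpler options.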
Updated•13 years ago
Group: webtools-security