Closed Bug 593487 Opened 14 years ago Closed 14 years ago

Disable Public Access to /admin

Categories

(Mozilla Labs Graveyard :: FlightDeck, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:access])

Issue

The Django admin page is publicly accessible at the following URL:

https://builder.mozillalabs.com/admin/

An attacker could attempt to guess or brute force the credentials to this page. If successful, the admin page provides the ability to modify files, which could result in site instability or the introduction of attacks against other users.


Recommended Remediation

Restrict access to /admin/ to internal Mozilla connections only.
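One way to apply the recommended remediation in a Django app, as an added example that is not FlightDeck's code: a middleware that serves /admin/ only to internal address ranges, and honours X-Forwarded-For only when the direct peer is a trusted reverse proxy. The CIDR ranges, the proxy range and the 404 tuple returned by the middleware are assumptions (placeholders for the real ranges and for Django's HttpResponseNotFound).

```python
import ipaddress

# Placeholder ranges (assumptions): replace with the real internal/VPN ranges
# and the address(es) of the reverse proxy in front of the app.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.0/12")]
ADMIN_PREFIX = "/admin/"


def _in(ip, networks):
    return any(ip in net for net in networks)


def client_ip(remote_addr, forwarded_for=None):
    """Return the address to authorise, or None if it cannot be parsed.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy,
    and then only its right-most entry: that is the one the proxy appended
    itself, whereas earlier entries may have been supplied by the client.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
        if forwarded_for and _in(peer, TRUSTED_PROXIES):
            return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
        return peer
    except ValueError:
        return None


def admin_allowed(path, remote_addr, forwarded_for=None):
    """Non-admin paths always pass; admin paths pass only from INTERNAL_NETWORKS."""
    if not path.startswith(ADMIN_PREFIX):
        return True
    ip = client_ip(remote_addr, forwarded_for)
    return ip is not None and _in(ip, INTERNAL_NETWORKS)


class AdminNetworkMiddleware:
    """Django-style middleware: /admin/ from outside gets a 404 (not 403, so the
    path's existence is not confirmed). Only request.path and request.META are
    used, so it also runs here without Django installed."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        meta = request.META
        if not admin_allowed(request.path, meta.get("REMOTE_ADDR", ""),
                             meta.get("HTTP_X_FORWARDED_FOR")):
            return ("404 Not Found", b"")  # stand-in for django.http.HttpResponseNotFound
        return self.get_response(request)
```

In a real deployment the middleware goes in MIDDLEWARE, and the same check should also gate any other staff-only endpoint.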
What's the difference between this login and https://builder.mozillalabs.com/user/signin/ ? Can a user off of /user/signin/ ever be an admin?
yes - it's the same authentication system - if it fails for username/password it's scraping AMO
Ok, we should combine the two then (having /admin's auth forward to the other form would be fine)
I actually removed admin on production servers (we don't really need it there - SQL is enough):
http://github.com/mozilla/FlightDeck/commit/17da83ba0cb41a84183f8302eabadc35377ef26d
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: webtools-security
Product: Mozilla Labs → Mozilla Labs Graveyard