Closed
Bug 609105
Opened 14 years ago
Closed 13 years ago
Security Review for FF4 Start Page Dynamic Content
Categories
(mozilla.org :: Security Assurance: Applications, task)
mozilla.org
Security Assurance: Applications
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mcoates, Unassigned)
References
Details
(Whiteboard: [completed secreview])
A quick intro to what this app does. Provides dynamic HTML to the user's Firefox 4 start page Where is the source code located? http://github.com/lmorchard/home-snippets-server Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on. http://snippets.stage.mozilla.com/ http://snippets.stage.mozilla.com/admin/ Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs. mozilla.org -> webdev, lorchard@mozilla.com Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role. Supports Admin accounts and anonymous (e.g. receive content) What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.) Unauthorized change leads to injection of malicious html that is pushed to all users. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review? FF4 related, high urgency
Reporter | ||
Comment 1•14 years ago
|
||
Les, Can I have an admin account setup? The plan is to only have admin access over HTTPS right (we have http in stage)?
Comment 2•14 years ago
|
||
(In reply to comment #1) > Les, > > Can I have an admin account setup? Sure - I can email you a username & password, if that works. > The plan is to only have admin access over > HTTPS right (we have http in stage)? There's no deployment plan yet, as such. I'm just trying to get feedback on the thing in general. HTTPS makes sense - it should probably be a part of whatever happens to address bug 609118
Comment 3•14 years ago
|
||
Something else that might be useful for thinking about deployment and securing this thing: This snippet service webapp is really just meant to be the origin server for a bunch of front-end caching proxies or a CDN service. Need someone from IT to chime in on this, but I think this might be doable through just Apache config: Lock it down so that /admin/* and /preview/* URLs require HTTPS and an internal Mozilla IP. Everything else could accept only GETs from to the front-end cache server IPs. There's really no reason for public access to any part of the Django app itself.
Reporter | ||
Comment 4•14 years ago
|
||
I'm getting a 500 error for the site. Did we break something?
Reporter | ||
Comment 5•14 years ago
|
||
The security review is complete. Please let me know when all security bugs have been addressed. I will verify the changes and then mark this review complete.
Reporter | ||
Updated•14 years ago
|
Whiteboard: [review complete]
Reporter | ||
Updated•14 years ago
|
Whiteboard: [review complete] → [completed secreview]
Comment 6•14 years ago
|
||
It looks like the last open security bug in this review (bug 610021) is an IT deployment / configuration issue for when this thing goes live. Can we move forward on this? If not, what are the remaining blockers?
Reporter | ||
Comment 7•14 years ago
|
||
Yes, that bug is for locking down access to the admin interface. We can move forward with other items, but that bug is very important to be resolved before this launches.
Reporter | ||
Comment 8•14 years ago
|
||
Just pinged bug 610021 for status
Comment 9•13 years ago
|
||
(In reply to comment #8) > Just pinged bug 610021 for status best case here, we get the SSL VPN up and running worse case, we can just use exiting openvpn so we can remove this block if we need to but the the admin page can't be accessible via the internet.
Comment 10•13 years ago
|
||
Whiteboard was marked as [completed secreview] so closing this old bug as resolved.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 11•13 years ago
|
||
(In reply to comment #10) > Whiteboard was marked as [completed secreview] so closing this old bug as > resolved. We keep the sec review bugs open until all the blockers are fixed. This is why you may see a bug with the white board tag of [completed secreview], but the bug is still open. In this case all the blocker bugs are addressed so its fine to close.
You need to log in
before you can comment on or make changes to this bug.
Description
•