Closed Bug 609105 Opened 14 years ago Closed 13 years ago

Security Review for FF4 Start Page Dynamic Content

Categories

(mozilla.org :: Security Assurance: Applications, task)

Product:
mozilla.org
Component:
Security Assurance: Applications
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mcoates, Unassigned)

References

Details

(Whiteboard: [completed secreview]) 

A quick intro to what this app does.
Provides dynamic HTML to the user's Firefox 4 start page

Where is the source code located?
http://github.com/lmorchard/home-snippets-server

Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
http://snippets.stage.mozilla.com/
http://snippets.stage.mozilla.com/admin/


Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
mozilla.org -> webdev, lorchard@mozilla.com

Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.


Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
Supports Admin accounts and anonymous (e.g. receive content)

What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
Unauthorized change leads to injection of malicious html that is pushed to all users.

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
FF4 related, high urgency
Les,

Can I have an admin account setup?  The plan is to only have admin access over HTTPS right (we have http in stage)?
(In reply to comment #1)
> Les,
> 
> Can I have an admin account setup? 

Sure - I can email you a username & password, if that works.

> The plan is to only have admin access over
> HTTPS right (we have http in stage)?

There's no deployment plan yet, as such. I'm just trying to get feedback on the thing in general. 

HTTPS makes sense - it should probably be a part of whatever happens to address bug 609118
Something else that might be useful for thinking about deployment and securing this thing:

This snippet service webapp is really just meant to be the origin server for a bunch of front-end caching proxies or a CDN service.

Need someone from IT to chime in on this, but I think this might be doable through just Apache config:  

Lock it down so that /admin/* and /preview/* URLs require HTTPS and an internal Mozilla IP. Everything else could accept only GETs from to the front-end cache server IPs. There's really no reason for public access to any part of the Django app itself.
I'm getting a 500 error for the site. Did we break something?
The security review is complete. Please let me know when all security bugs have been addressed. I will verify the changes and then mark this review complete.
Whiteboard: [review complete]
Whiteboard: [review complete] → [completed secreview]
It looks like the last open security bug in this review (bug 610021) is an IT deployment / configuration issue for when this thing goes live. 

Can we move forward on this? If not, what are the remaining blockers?
Yes, that bug is for locking down access to the admin interface. We can move forward with other items, but that bug is very important to be resolved before this launches.
Just pinged bug 610021 for status
(In reply to comment #8)
> Just pinged bug 610021 for status

best case here, we get the SSL VPN up and running
worse case, we can just use exiting openvpn

so we can remove this block if we need to but the the admin page can't be accessible via the internet.
Whiteboard was marked as [completed secreview] so closing this old bug as resolved.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
(In reply to comment #10)
> Whiteboard was marked as [completed secreview] so closing this old bug as
> resolved.

We keep the sec review bugs open until all the blockers are fixed. This is why you may see a bug with the white board tag of [completed secreview], but the bug is still open.  In this case all the blocker bugs are addressed so its fine to close.
You need to log in before you can comment on or make changes to this bug.