Closed Bug 832966 Opened 11 years ago Closed 11 years ago

the kitsune admin interface is exposed to the public

Categories

(support.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 600369

People

(Reporter: freddy, Unassigned)

Details

(Whiteboard: [site:support.mozilla.org])

Admin interfaces should only be accessible via VPN if they cannot be disabled completely for
production mode. See our guidelines for more:
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages
This requires information. This was left open because non-employees without LDAP do, or did, use the admin area to manage some content (it gives us a nearly-free CRUD interface and is secure enough as far as the Django project itself is concerned).

If no non-LDAP users require access to /admin anymore, we could put it behind VPN.

However, the guidelines explicitly state that any of the following are acceptable mitigations:

* Admin page behind ssl vpn (most popular option)
* Account Lockout
* CAPTCHAs after 5 failed logins
* IP restrictions for access to the admin page

The CAPTCHA approach is what we'd agreed upon the last time Sec looked at this.
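Added example, not kitsune's own code: a small policy object modelling two of the mitigations listed above for a Django-style /admin/ login, an IP allow-list (the VPN or IP-restriction option) and a CAPTCHA requirement after 5 failed logins. The CIDR ranges and the threshold constant are assumed values for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed threshold, matching "CAPTCHAs after 5 failed logins" in the guidelines.
CAPTCHA_THRESHOLD = 5


class AdminLoginPolicy:
    """Decides whether a login attempt against /admin/ may proceed."""

    def __init__(self, allowed_cidrs, captcha_threshold=CAPTCHA_THRESHOLD):
        # Networks from which /admin/ may be reached (e.g. the VPN egress range).
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.threshold = captcha_threshold
        # username -> consecutive failed logins; reset on success
        self.failures = defaultdict(int)

    def ip_allowed(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.allowed)

    def captcha_required(self, username):
        return self.failures[username] >= self.threshold

    def check(self, client_ip, username, password_ok, captcha_ok=False):
        """Evaluate one attempt and return a short status string.

        Order matters: the IP check runs before anything else so that a
        disallowed source never reaches the form, and a required CAPTCHA is
        checked before the password so the response does not leak whether
        the credentials were right.
        """
        if not self.ip_allowed(client_ip):
            return "denied_ip"
        if self.captcha_required(username) and not captcha_ok:
            return "captcha_required"
        if not password_ok:
            self.failures[username] += 1
            return "bad_credentials"
        self.failures[username] = 0
        return "ok"
```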
Okay, if you still have non-LDAP people required in admin/, close this. CAPTCHA is indeed fine.
Whiteboard: [site:support.mozilla.org]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security