Bug 832966 - the kitsune admin interface is exposed to the public
Status: RESOLVED DUPLICATE of bug 600369 (Closed)
Opened 11 years ago; closed 11 years ago
Categories: support.mozilla.org :: General, defect
Tracking: (Not tracked)
People: Reporter: freddy, Unassigned
Whiteboard: [site:support.mozilla.org]

Description
Admin interfaces should only be accessible via VPN if they cannot be disabled completely for production mode. See our guidelines for more: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages
Comment 1•11 years ago

This requires information. This was left open because non-employees without LDAP do, or did, use the admin area to manage some content (it gives us a nearly-free CRUD interface and is secure enough as far as the Django project itself is concerned). If no non-LDAP users require access to /admin anymore, we could put it behind VPN. However, the guidelines explicitly state that any of the following are acceptable mitigations:

* Admin page behind ssl vpn (most popular option)
* Account Lockout
* CAPTCHAs after 5 failed logins
* IP restrictions for access to the admin page

The CAPTCHA approach is what we'd agreed upon the last time Sec looked at this.
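The mitigations listed in comment 1 (IP restriction, CAPTCHA after 5 failed logins, account lockout) combine naturally into one login gate in front of an admin page. The following is an added illustration written for this page, not kitsune or Django code: `AdminLoginGuard`, the lockout threshold of 10 failures, the 15-minute lockout window, and the sample network and usernames are all assumptions chosen for the example. The CAPTCHA check runs before the password is evaluated, so once the threshold is reached an unsolved CAPTCHA reveals nothing about whether the password was right.

```python
"""Login gate for an admin page: IP allowlist, CAPTCHA after 5 failures,
and account lockout. Added example; thresholds below are assumed values."""
import ipaddress
import time
from dataclasses import dataclass

CAPTCHA_THRESHOLD = 5    # from the guideline quoted above: CAPTCHA after 5 failed logins
LOCKOUT_THRESHOLD = 10   # assumed: lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class AdminLoginGuard:
    """Hypothetical gate that sits in front of the admin login view."""

    def __init__(self, allowed_networks=(), now=time.time):
        # An empty allowlist means "no IP restriction" (the CAPTCHA/lockout rules still apply).
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.accounts = {}
        self.now = now  # injectable clock so behaviour is testable offline

    def ip_allowed(self, addr):
        if not self.networks:
            return True
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.networks)

    def captcha_required(self, username):
        return self.accounts.get(username, AccountState()).failures >= CAPTCHA_THRESHOLD

    def is_locked(self, username):
        st = self.accounts.get(username)
        return st is not None and st.locked_until > self.now()

    def attempt(self, username, password_ok, source_ip, captcha_ok=False):
        """Evaluate one login attempt.

        Returns one of: 'denied_ip', 'locked', 'captcha_required', 'failed', 'ok'.
        `password_ok` stands in for the real credential check so the example
        runs without a user database.
        """
        if not self.ip_allowed(source_ip):
            return "denied_ip"
        st = self.accounts.setdefault(username, AccountState())
        if st.locked_until > self.now():
            return "locked"
        # Gate on the CAPTCHA before looking at the password: an unsolved
        # CAPTCHA must not leak whether the password would have been accepted.
        if st.failures >= CAPTCHA_THRESHOLD and not captcha_ok:
            return "captcha_required"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = self.now() + LOCKOUT_SECONDS
            return "locked"
        return "failed"


def demo():
    """Constructed sequence: one off-allowlist request, five failures, then a
    correct password without and with a solved CAPTCHA."""
    guard = AdminLoginGuard(allowed_networks=["10.0.0.0/8"], now=lambda: 1000.0)
    results = [guard.attempt("editor", False, "203.0.113.5")]  # outside allowlist
    for _ in range(5):
        results.append(guard.attempt("editor", False, "10.1.2.3"))
    results.append(guard.attempt("editor", True, "10.1.2.3"))                   # no CAPTCHA yet
    results.append(guard.attempt("editor", True, "10.1.2.3", captcha_ok=True))  # CAPTCHA solved
    return results


if __name__ == "__main__":
    print(demo())
```

The clock is injected so the lockout expiry can be checked deterministically; a production version would persist `AccountState` in the same store the application uses for sessions, since an in-process dictionary resets on every deploy.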
Comment 2•11 years ago (Reporter)
Okay, if you still have non-LDAP people required in admin/, close this. CAPTCHA is indeed fine.
Updated•11 years ago
Whiteboard: [site:support.mozilla.org]
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Comment 4•8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security