the kitsune admin interface is exposed to the public

RESOLVED DUPLICATE of bug 600369

Status

support.mozilla.org
General
Reported: 5 years ago
Updated: 2 years ago

People

(Reporter: freddyb, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [site:support.mozilla.org])

(Reporter)

Description

5 years ago
Admin interfaces should only be accessible via VPN if they cannot be disabled completely for
production mode. See our guidelines for more:
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages

Comment 1

This requires information. This was left open because non-employees without LDAP do, or did, use the admin area to manage some content (it gives us a nearly-free CRUD interface and is secure enough as far as the Django project itself is concerned).

If no non-LDAP users require access to /admin anymore, we could put it behind VPN.

However, the guidelines explicitly state that any of the following are acceptable mitigations:

* Admin page behind ssl vpn (most popular option)
* Account Lockout
* CAPTCHAs after 5 failed logins
* IP restrictions for access to the admin page

The CAPTCHA approach is what we'd agreed upon the last time Sec looked at this.
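The following is an added illustration, not code from Kitsune or from the guidelines page, of how the last three mitigations in the list above combine for a Django-style admin login: an IP allowlist (the "IP restrictions" option), a CAPTCHA demand after 5 failed logins, and an account lockout after further failures. It is framework-agnostic so it runs stand-alone; the `AdminGate` class, the network range `10.8.0.0/16`, the lockout threshold of 10 and the 15-minute lockout window are assumptions chosen for the example, not values from the bug or the guidelines.

```python
import ipaddress
import time

# Assumed VPN / office range; in a real deployment this comes from settings.
ALLOWED_NETS = [ipaddress.ip_network("10.8.0.0/16")]
FAILURE_THRESHOLD = 5      # guideline: CAPTCHA after 5 failed logins
LOCKOUT_AFTER = 10         # assumed: hard lockout after 10 failures
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration


class AdminGate:
    """Tracks failed logins per account and enforces the admin-page rules.

    Decisions returned by check():
      forbidden        - client IP is outside the allowlist, form never served
      locked           - too many failures, attempt refused for LOCKOUT_SECONDS
      captcha_required - over the CAPTCHA threshold and no CAPTCHA solved
      bad_credentials  - attempt counted as a failure
      logged_in        - success; the failure counter is cleared
    """

    def __init__(self, allowed_nets=ALLOWED_NETS):
        self.allowed_nets = allowed_nets
        self.failures = {}  # username -> (failure count, time of last failure)

    def ip_allowed(self, remote_addr):
        addr = ipaddress.ip_address(remote_addr)
        return any(addr in net for net in self.allowed_nets)

    def state(self, username, now=None):
        """'open', 'captcha' or 'locked' for this account right now."""
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if count >= LOCKOUT_AFTER and now - last < LOCKOUT_SECONDS:
            return "locked"
        if count >= FAILURE_THRESHOLD:
            return "captcha"
        return "open"

    def record_attempt(self, username, success, now=None):
        now = time.time() if now is None else now
        if success:
            self.failures.pop(username, None)   # reset on a good login
        else:
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, now)

    def check(self, remote_addr, username, password_ok, captcha_ok=False, now=None):
        """Evaluate one login attempt against the admin page, in mitigation order."""
        if not self.ip_allowed(remote_addr):
            return "forbidden"
        current = self.state(username, now)
        if current == "locked":
            return "locked"                     # refused regardless of CAPTCHA
        if current == "captcha" and not captcha_ok:
            return "captcha_required"
        self.record_attempt(username, password_ok, now)
        return "logged_in" if password_ok else "bad_credentials"


if __name__ == "__main__":
    # Constructed walk-through: five bad guesses from inside the VPN range.
    gate = AdminGate()
    print(gate.check("203.0.113.5", "alice", True))          # forbidden
    for _ in range(FAILURE_THRESHOLD):
        print(gate.check("10.8.1.2", "alice", False))        # bad_credentials
    print(gate.check("10.8.1.2", "alice", True))             # captcha_required
    print(gate.check("10.8.1.2", "alice", True, captcha_ok=True))  # logged_in
```

The ordering matters: the IP check runs before any credential processing so an out-of-range client never receives the login form, and the lockout check runs before the CAPTCHA check so a solved CAPTCHA does not bypass a lockout. Keying the counter on the username rather than the client IP is what makes the CAPTCHA/lockout effective against distributed guessing; the trade-off is that a remote party can force a CAPTCHA onto a legitimate account, which is why the guideline pairs it with the other options.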
(Reporter)

Comment 2

5 years ago
Okay, if you still have non-LDAP people required in admin/, close this. CAPTCHA is indeed fine.
Whiteboard: [site:support.mozilla.org]
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 600369
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security