
"Please Note:
  • At the specific request of Ibexa we are changing this project's name to "Exponential" or "Exponential (CMS)" effective as of August 11th, 2025.
  • This project is not associated with the original eZ Publish software or its original developer, eZ Systems or Ibexa".

Possible Major Security Problem


Paul Forsyth

Friday 24 October 2003 5:14:54 am

The javascript library used is here:

http://pajhome.org.uk/site/legal.html

Lars Holm Nielsen

Friday 24 October 2003 6:17:59 am

Hi,

I completely agree with Balazs, that if you want a secure site, then you should pump all traffic over SSL, or just the parts of the site which need to be secured. All other forms of javascript and digest security won't do the job (they all have some sort of weakness). It has nothing to do with going around a weakness of the application. The weakness is that someone doesn't know how to secure his/her site with SSL. This, of course, can be solved by the community of eZ by contributing documentation on how to install Exponential by using SSL.

Cheers,
Lars

A Sha

Friday 24 October 2003 9:42:31 am

Lars, there are many weaknesses, not "the" weakness.

Most users of Exponential will not use SSL. This is one reason why it is important for Exponential to provide good security by default.

Another reason is that there are some practical problems with requiring users to use SSL to solve security problems. One problem is that the users have to evaluate the security / speed tradeoffs themselves, but they are not necessarily experts in Exponential so they won't know the security tradeoffs very well. Another problem is that it is very easy to mess up the installation of SSL in such a way so as to do nothing to aid security, especially if one tries to secure only part of the site (which is exactly what someone would want to do if they wanted to use SSL to address only this vulnerability without incurring performance penalties for the rest of the site).

I do agree that it could be helpful to have documentation for users about how to use SSL with their Exponential sites. In my opinion this documentation is a completely separate issue.

A Sha

Friday 24 October 2003 4:57:22 pm

Here is a page that talks about how to do digest authentication from php (the source language of Exponential): http://www.php.net/manual/en/features.http-auth.php
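The technique that page describes, as an added example that is not code from the thread or from Exponential: a PHP script that challenges the client with HTTP Digest authentication and verifies the response as laid out in the PHP manual. The realm and the single user entry are constructed placeholders.

```php
<?php
// Added example: HTTP Digest authentication in PHP (RFC 2617 style),
// following the approach documented in the PHP manual page linked above.
// The realm and user list are constructed placeholders, not project values.
$realm = 'Exponential admin';
// Placeholder credential store. In practice keep the precomputed
// HA1 = md5("user:realm:password") rather than the plaintext password.
$users = ['admin' => 'example-password'];

// Parse the Digest header into its fields; returns false if any required field is missing.
function http_digest_parse(string $txt): array|false
{
    $needed = ['nonce', 'nc', 'cnonce', 'qop', 'username', 'uri', 'response'];
    $data = [];
    preg_match_all('@(\w+)=(?:"([^"]*)"|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $data[$m[1]] = $m[2] !== '' ? $m[2] : ($m[3] ?? '');
    }
    foreach ($needed as $field) {
        if (!isset($data[$field])) {
            return false;
        }
    }
    return $data;
}

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    // No credentials yet: send the challenge. The nonce is not tracked server-side here,
    // so a full implementation should also store and expire nonces to limit replay.
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="'
        . bin2hex(random_bytes(16)) . '",opaque="' . md5($realm) . '"');
    exit('Authentication required');
}

$data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
if ($data === false || !isset($users[$data['username']])) {
    exit('Wrong credentials');
}

// Recompute the expected response exactly as the client should have.
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
$valid = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':'
    . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

// Constant-time comparison avoids leaking how many leading bytes matched.
if (!hash_equals($valid, $data['response'])) {
    exit('Wrong credentials');
}
echo 'You are logged in as: ' . htmlspecialchars($data['username']);
```

Note that Digest only keeps the password itself off the wire; the rest of the session is still in the clear, which is the point Lars makes about SSL above.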

Serg Tsay

Wednesday 01 March 2006 12:01:58 am

<form enctype="multipart/form-data" action="form.php" method="post">
  <input type="file" name="userfile">
  <!-- MAX_FILE_SIZE is only a hint read by PHP before the upload is processed;
       it is trivially changed by the client, so size limits must also be enforced server-side -->
  <input type="hidden" name="MAX_FILE_SIZE" value="100000000000">
  <input type="submit" value="Upload">
</form>