On Sep 1, 2006, at 3:47 PM, James G. Sack (jim) wrote:
> I see on the thread at the link above that Plone 2.1 or 2.5 is
> supposedly not susceptible to this exploit (per comment by
> Alexander Limi, co-founder of Plone).

Yes. I've updated the site to 2.1.3.

> I also remember reading that plone 2.5 contained many performance
> improvements (and performance _is_ a bit of an issue with our site).

2.5 wasn't viable at this option since it's brand new and some of the
3rd party extensions we use haven't been recoded for it yet. Heh yes
performance is an issue, but that's a matter of RAM on the server.
We can address that next once this mess gets cleaned up.

> I don't mean to be begging for an upgrade, but if there's a lot of
> effort involved anyway, it might be worth considering. 'Course,
> maybe 2.5 would also require a zope upgrade, too?
> Holler, if I can help any with the grunt work.

Heh well here's where some "grunt" work (and some advanced Plone
work!) come in. It took me a few attempts to clean up the older site
and extensions just to get the migration to even work without dumping
out errors. Now that has been done, but if you visit the site you'll
see that things are not right - too many tabs across the top, the
menu on the left drops down too many levels (when you visit the Wiki
it shows ALL top level documents in the menu), and so forth. A lot
of this is just feature and functional differences from 2.0 to 2.1.
Jim since you know our site pretty well I'm hoping you can work to
fix up some of the visual and organizational mess. Tracy said in IRC
he could be of some assistance as well. I'm not sure if you have the
full rights to the Plone management interface - you may need to do
some parameter and configuration changes in there. If you don't have
rights, drop me an email and I'll get you set up.
Also, thank you for the older user list but I haven't had a chance to
reconcile it against the current one. Yours had around 280, but I
think the current site has about 340 users. The difference is
probably all bogus users. If you want to play with some text
processing and figure out which users need to be deleted that'd be
awesome, and if you want to go ahead and delete them that'd be even
more awesome. NOTE: when deleting, you must remove their user (can
be done through the http://www.kernel-panic.org:9673/manage/
interface in the acl_users folder), and their Members folder (also
done in the management interface by clicking on the Members folder in
the left pane).
Here's the rest of the story for everyone else:
KPLUG is now listed quite highly on Google for a good selection of
search terms, ranging from sex and boobs to ringtones and travel. As
a result we're getting quite a bit of traffic to our site, though
it's all directed at the Member/<username> links where the crap HTML
was placed. I have eliminated a good portion of the crap, but that
doesn't stop the hits from coming through and getting a 404 error.
Unfortunately, as Jim said, our site's performance is a little slow,
and the load from Plone trying to return 404 errors to the Google
queries is driving it into the ground. Therefore I've temporarily
put in a mod_rewrite rule that forces Apache to handle the 404's,
thus significantly reducing our load.
The downside of this is that no one's Member pages are accessible. I
assure you the data is still there, but it's going to be a few days
before we can put it back.
Umm that's all I know for now, I'm sure I've forgotten some stuff.
If anyone has any questions or wants to help, just post here to
-steer and I'll keep everyone coordinated.
--
Joshua Penix http://www.binarytribe.com
Binary Tribe Linux Integration Services & Network Consulting