Stewart Stremler wrote:
begin quoting Neil Schneider as of Thu, Sep 07, 2006 at 10:45:51AM -0700:
For how much longer is the Members area to be blocked? It will break
any number of other areas, since most of the Book Reviews and User
Contributed Files are links back to members directories.
Have we a solution for the spammers' use of our site?
Can we disable the creation of new memberships and put the members
directories back on line?
At least until we solve the problem of the scammers and spammers?
The new member registrations have fallen fairly steadily. In the last
day, only 3 (we're back up to 340 "members", 45-50 of which are bogus).
It sort-of looks like the lockout to the Members path has produced
negative feedback to this attack mechanism. Do you suppose?
Should we consider re-opening the Members path?
In the thread at http://performancing.com/node/4066, which Josh posted
at the onset of the problem, it is claimed by Plonemeister Alexander
Limi, that
"Plone filters all HTML aggressively out of the box, and you can't
put in content that does malicious things like this anymore."
The posting says the vulnerability existed in 2.0.x, and implies that
the fix applies to all versions >= 2.1. Josh has upgraded us to 2.1.3.
If we re-enable access to the Members path, what could happen?
1) The attackers will be able to create pages that (supposedly) do not
   generate any benefit to them.
   1a) Seeing this, they will continue along the negative feedback path,
       and the problem may disappear (or stabilize to a minor annoyance).
   1b) Attackers will think they are getting through, and there will be
       positive feedback, re-inflating the bogus user and content problem,
       even if there is no spam-like action.
2) The fix will be ineffective, or will not apply to some new mischief
   being tried, and we will be back in an uncomfortable place.
Do we want to try it and see?
I can continue keeping an eye on content, but I don't think I can
actually see the bad stuff (spam, SEO-parasitics), so Josh (or?) will
have to help watch.
Regards,
..jim
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-steer