Any level 7 attack can be solved trivially? How do you propose automatically responding to XSS, XSRF, SQLi, RemoteEx, etc., all of which go over level 7, which in your opinion you can solve easily?

It isn't that you can solve this "issue" with fail2ban, it is more that the issue exists and has gone several months without being fixed. If I use a project for which I must rely on a third-party tool /foobar/ *just* to get the project into a secure, stable state, then that project is not doing it right. Silverstripe should be able to withstand trivial attacks like this *on its own two feet*, and not rely on tools like fail2ban.

IMHO, you have a terrible stance on how to deal with security issues. Chris here tried to go through the proper channels to report the bug to the developers, which didn't seem to get the point across, hence this blog post.

Cheers,
Hugh
On 2013-07-17 21:26, Ivan Kurnosov wrote:
2. In government just regular people work, not gods. They have their own preferences :-)

3. As I said - it's reeeeeeeeeeeeeeeally trivial.

The thing is - even if there was no such "vulnerability" - you would still be able to "DOS" a silverstripe-based site with a bunch of requests, just because the cost of generating a request is dramatically higher than the cost of generating responses.

So the "issue" is overrated. For someone who can google and is not totally dumb - any level 7 attack issue can be solved easily.
On 17 July 2013 21:20, Petah <[email protected]> wrote:
There are a few questions to raise here:

1. Why can a member of the public flush the cache?
2. Why has the NZ government chosen Silver Stripe over something like Drupal, or other alternatives?
3. Do the government's service providers have the know-how and capabilities to detect and prevent such attacks?
4. If someone did manage to use this, or something similar, what websites would it affect and how would the public be affected?
On Wed, Jul 17, 2013 at 9:07 PM, Ivan Kurnosov <[email protected]> wrote:

It's actually pretty obvious that a non-cached page takes longer to generate (while I agree it's weird they provide a switch to flush the cache) :-) Anyway, it's well known that the most resource-consuming part of almost every project is the captcha-generating endpoint.
On 17 July 2013 21:04, Christopher Tombleson <[email protected]> wrote:

True. But a silly code error like that should never have been there in the first place.
On Wed, Jul 17, 2013 at 8:59 PM, Ivan Kurnosov <[email protected]> wrote:

It's a pretty script-kiddy attack that can be defended against in minutes using a dummy fail2ban rule; after the rule is applied, your traffic would have literally no noticeable influence on the project.
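The fail2ban-style mitigation mentioned above, worked through as an added example (not code from the thread, from Silverstripe, or from fail2ban itself): the threshold logic a jail applies, run over constructed access-log lines. It assumes the cache flush is triggered by a `flush` query parameter and uses fail2ban's `findtime`/`maxretry` semantics; a real deployment would express the same check as a filter regex plus jail settings rather than Python.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style log lines (not real traffic). Treating a
# "flush" query parameter as the cache-flush trigger is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2013:21:00:01 +1200] "GET /?flush=1 HTTP/1.1" 200 5120
203.0.113.5 - - [17/Jul/2013:21:00:02 +1200] "GET /?flush=1 HTTP/1.1" 200 5120
198.51.100.7 - - [17/Jul/2013:21:00:02 +1200] "GET /about-us/ HTTP/1.1" 200 8192
203.0.113.5 - - [17/Jul/2013:21:00:03 +1200] "GET /?flush=1 HTTP/1.1" 200 5120
198.51.100.7 - - [17/Jul/2013:21:00:05 +1200] "GET /?flush=1 HTTP/1.1" 200 5120
203.0.113.5 - - [17/Jul/2013:21:05:00 +1200] "GET /?flush=all HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def is_flush_request(path):
    """True when the request URL carries a cache-flush query parameter."""
    return "flush" in parse_qs(urlsplit(path).query)

def detect_flush_abuse(log_text, findtime=60, maxretry=3):
    """Emulate a fail2ban jail: an IP is banned once it has issued
    `maxretry` flush requests within a sliding `findtime`-second window.
    Returns {ip: timestamp at which the threshold was first reached}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of recent flush hits
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not is_flush_request(parsed[2]):
            continue  # unparseable line, or an ordinary page view
        ip, ts, _path = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # expire hits older than findtime
            hits.popleft()
        if len(hits) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned
```

With the defaults, the client that fires three flushes inside one minute is banned at its third hit, while the single flush from the other client and the later, out-of-window flush are not enough on their own.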
On Wednesday, July 17, 2013 6:16:40 PM UTC+12, chtombleson wrote:

Hi,

I have recently noticed a DOS vulnerability in Silverstripe 3. I did some testing and it turned out I was right; you can find my results here:
http://blog.cribznetwork.com/2013/07/silverstripe-3-dos-vulnerable/
Cheers,
Christopher Tombleson
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [email protected]
---
You received this message because you are subscribed to the Google Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
--
Christopher Tombleson.
http://cribznetwork.com
--
With best regards, Ivan Kurnosov
--
With best regards, Ivan Kurnosov