> I'm suggesting that you don't think that
> a "trivial" security issue shouldn't be fixed in the codebase.

I didn't. I stated explicitly that that is a temporary fix.

> would you have the stance that it should just be fixed by using fail2ban

Nope

> Care to share your source? I'll take you up on that beer offer.

If only on my laptop without copying somewhere else ;-)


On 18 July 2013 11:09, Hugh Davenport <[email protected]> wrote:

>> Well, I read your opinion as something like "you cannot write secure
>> code". If so - any personal project would be just a vulnerable piece
>> of mess. Otherwise I don't see how these statements correlate.
>
> I'm not suggesting that at all, I'm suggesting that you don't think that
> a "trivial" security issue shouldn't be fixed in the codebase. If I found
> a security issue in your software, would you have the stance that it should
> just be fixed by using fail2ban? Care to share your source? I'll take you
> up on that beer offer.
>
> Cheers,
>
> Hugh
>
> On 2013-07-18 11:00, Ivan Kurnosov wrote:
>
>> I didn't say silverstripe doesn't have issues.
>>
>> I just said that *this particular* issue can be solved trivially, so
>> its impact overrated.
>>
>>> Linking to your personal site doesn't make me think you are any
>>> more security conscious.
>>
>> Well, I read your opinion as something like "you cannot write secure
>> code". If so - any personal project would be just a vulnerable piece
>> of mess. Otherwise I don't see how these statements correlate.
>>
>> PS: for the person who run loadimpact - the LA for this period won't
>> even be noticeable on the daily graph and is barely noticeable on the
>> hour one ;-P
>>
>> On 18 July 2013 10:52, Hugh Davenport <[email protected]> wrote:
>>
>>> I would, do you agree that silverstripe has a security issue? No?
>>> Alright you owe me a beer.
>>>
>>> Linking to your personal site doesn't make me think you are any more
>>> security conscious. The fact that you doubt this security issue so much
>>> because it can be fixed with a *third party* tool, makes me think that
>>> you don't have a full understanding. What if you were on a shared hosting
>>> provider that used fail2ban, and said it was secure, then suddenly they
>>> took it away because they thought underlying issues were resolved, then
>>> suddenly that opens up holes in the underlying application...
>>>
>>> Also, L7 attacks are anything on the application layer. Yes, F5 can stop
>>> most of these attacks, some require fine tuned rules, but ... can you pay
>>> for an F5 for everyone on this list? I don't think that people should be
>>> required to use an expensive solution such as F5 for something that could
>>> just be a blog...
>>>
>>> Cheers,
>>>
>>> Hugh
>>>
>>> On 2013-07-18 10:45, Ivan Kurnosov wrote:
>>>
>>>> Would you bet a beer on that?
>>>>
>>>> If so - http://tvfedor.ru - try to find anything here. If beer isn't
>>>> enough - tell your price (but keep in mind that in case if you fail -
>>>> you're the person to pay). Fair deal?
>>>>
>>>> PS: when I said L7 attacks I meant brute F5-based ones, not the
>>>>
>>>> On Thursday, July 18, 2013 9:51:18 AM UTC+12, Hugh Davenport wrote:
>>>>
>>>>> IMHO, you have a terrible stance on how to deal with security
>>>>> issues.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Hugh
>>>>>
>>>>> On 2013-07-17 21:26, Ivan Kurnosov wrote:
>>>>>
>>>>>> 2. In government just regular people work, not gods. They have
>>>>>> their own preferences :-)
>>>>>>
>>>>>> 3. As I said - it's reeeeeeeeeeeeeeeally trivial
>>>>>>
>>>>>> The thing is - even if there was no such "vulnerability" - you still
>>>>>> would be able to "DOS" silverstripe-based site with a bunch of
>>>>>> requests just because the cost of generating a request is dramatically
>>>>>> higher than the cost of generating responses.
>>>>>>
>>>>>> So the "issue" is overrated. For someone who can google and is not a
>>>>>> total dumb - any level7 attack issues can be solved easily.
>>>>>>
>>>>>> On 17 July 2013 21:20, Petah <[email protected]> wrote:
>>>>>>
>>>>>>> There are a few questions to raise here:
>>>>>>>
>>>>>>> 1. Why can a member of the public flush the cache?
>>>>>>>
>>>>>>> 2. Why has the NZ government chosen Silver Stripe over something
>>>>>>> like Drupal, or other alternatives?
>>>>>>>
>>>>>>> 3. Do the government service providers have the knowhow and
>>>>>>> capabilities to detect and prevent such attacks?
>>>>>>>
>>>>>>> 4. If someone did manage to use this, or something similar, what
>>>>>>> websites would it affect and how would the public be affected?
>>>>>>>
>>>>>>> On Wed, Jul 17, 2013 at 9:07 PM, Ivan Kurnosov <[email protected]> wrote:
>>>>>>>
>>>>>>>> It's actually pretty obvious that non-cached page takes longer to
>>>>>>>> generate (while I agree it's weird they provide a switch to flush
>>>>>>>> the cache) :-) Anyway, it's well known that the most resources
>>>>>>>> consuming part of almost every project is captcha generating
>>>>>>>> endpoint.
>>>>>>>>
>>>>>>>> On 17 July 2013 21:04, Christopher Tombleson <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> True. But a silly code error should have never been there in the
>>>>>>>>> first place.
>>>>>>>>>
>>>>>>>>> On Wed, Jul 17, 2013 at 8:59 PM, Ivan Kurnosov <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> It's a pretty script-kiddy attack that can be defended in minutes
>>>>>>>>>> using dummy fail2ban, after the rule is applied your traffic would
>>>>>>>>>> produce literally no noticeable influence on the project
>>>>>>>>>>
>>>>>>>>>> On Wednesday, July 17, 2013 6:16:40 PM UTC+12, chtombleson wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have recently noticed a DOS vulnerability in Silverstripe 3,
>>>>>>>>>>> I did some testing and it turned out I was right,
>>>>>>>>>>> you can find my results here:
>>>>>>>>>>>
>>>>>>>>>>> http://blog.cribznetwork.com/2013/07/silverstripe-3-dos-vulnerable/
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Christopher Tombleson
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Christopher Tombleson.
>>>>>>>>> http://cribznetwork.com
>>>>>>>>
>>>>>>>> --
>>>>>>>> With best regards, Ivan Kurnosov
>>>>>>
>>>>>> --
>>>>>> With best regards, Ivan Kurnosov
>>
>> --
>> With best regards, Ivan Kurnosov
>


-- 
With best regards, Ivan Kurnosov
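The fail2ban-style mitigation the thread keeps coming back to (ban a client that hammers the cache-flush endpoint) is written out below as an added example; it is not code from this list, from Christopher's write-up, or from SilverStripe. It assumes Apache combined-format access logs. The path `/flush`, the client addresses and the log lines are constructed placeholders: the thread never names the real endpoint, so the path is a parameter.

```python
"""Fail2ban-style sliding-window rate-limit detector for a cache-flush endpoint.

Added example for this thread (not code from the list or from SilverStripe).
Reads Apache combined-format access log lines, counts each client's hits on a
given path inside a sliding window, and reports clients that reach the
threshold. The path "/flush" is an assumed placeholder.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_offenders(lines, path="/flush", maxretry=5, findtime=60):
    """Mimic a fail2ban jail: a client is banned once it has `maxretry` hits on
    `path` inside any `findtime`-second window. The query string is ignored, so
    "/flush?x=1" counts as a hit on "/flush".

    Returns {ip: timestamp of the hit that triggered the ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of matching hits still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # unparseable line: skip rather than crash the filter
            continue
        ip, ts, req_path = parsed
        if req_path.split("?", 1)[0] != path or ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        # Slide the window: drop hits older than `findtime` relative to the newest one.
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample traffic, not real log data: 203.0.113.7 hits the flush
# endpoint five times in 20 seconds; 192.0.2.5 hits it twice, minutes apart.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jul/2013:21:00:00 +1200] "GET /flush HTTP/1.1" 200 512 "-" "curl/7.30"',
    '203.0.113.7 - - [17/Jul/2013:21:00:05 +1200] "GET /flush HTTP/1.1" 200 512 "-" "curl/7.30"',
    '198.51.100.2 - - [17/Jul/2013:21:00:07 +1200] "GET /about-us HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jul/2013:21:00:10 +1200] "GET /flush?x=1 HTTP/1.1" 200 512 "-" "curl/7.30"',
    '203.0.113.7 - - [17/Jul/2013:21:00:15 +1200] "GET /flush HTTP/1.1" 200 512 "-" "curl/7.30"',
    '192.0.2.5 - - [17/Jul/2013:21:00:20 +1200] "GET /flush HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jul/2013:21:00:20 +1200] "GET /flush HTTP/1.1" 200 512 "-" "curl/7.30"',
    '192.0.2.5 - - [17/Jul/2013:21:03:00 +1200] "GET /flush HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

`maxretry` and `findtime` play the same role as the fail2ban jail options of those names. As Hugh's objection in the thread points out, a rule like this only limits the blast radius of an endpoint that should not be reachable by the public in the first place; restricting who may trigger a flush is the fix that belongs in the application.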

-- 
-- 
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
--- 
You received this message because you are subscribed to the Google Groups "NZ 
PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.