I'm suggesting that you don't think that
a "trivial" security issue shouldn't be fixed in the codebase.
I didn't. I stated explicitly that that is a temporary fix.
would you have the stance that it should just be fixed by using
fail2ban
Nope
Care to share your source? I'll take you up on that beer offer.
If only on my laptop without copying somewhere else ;-)
On 18 July 2013 11:09, Hugh Davenport <[email protected]> wrote:
Well, I read your opinion as something like "you cannot write
secure
code". If so - any personal project would be just a vulnerable
piece
of mess. Otherwise I don't see how these statements correlate.
I'm not suggesting that at all, I'm suggesting that you don't think
that
a "trivial" security issue shouldn't be fixed in the codebase. If I
found
a security issue in your software, would you have the stance that
it should
just be fixed by using fail2ban? Care to share your source? I'll
take you
up on that beer offer.
Cheers,
Hugh
On 2013-07-18 11:00, Ivan Kurnosov wrote:
I didn't say silverstripe doesn't have issues.
I just said that *this particular* issue can be solved trivially,
so
its impact overrated.
Linking to your personal site doesn't make me think you are any
more security conscious.
Well, I read your opinion as something like "you cannot write
secure
code". If so - any personal project would be just a vulnerable
piece
of mess. Otherwise I don't see how these statements correlate.
PS: for the person who run loadimpact - the LA for this period
won't
even be noticeable on the daily graph and is barely noticeable on
the
hour one ;-P
On 18 July 2013 10:52, Hugh Davenport <[email protected]>
wrote:
I would, do you agree that silverstripe has a security issue? No?
Alright
you owe me a beer.
Linking to your personal site doesn't make me think you are any
more
security conscious. The fact that you doubt this security issue so
much
because it can be fixed with a *third party* tool, makes me think
that
you don't have a full understanding. What if you were on a shared
hosting
provider that used fail2ban, and said it was secure, then suddenly
they
took it away because they thought underlying issues were resolved,
then
suddenly that opens up holes in the underlying application...
Also, L7 attacks are anything on the application layer. Yes, F5 can
stop
most of these attacks, some require fine tuned rules, but ... can
you pay
for an F5 for everyone on this list? I don't think that people
should be
required to use an expensive solution such as F5 for something that
could
just be a blog...
Cheers,
Hugh
On 2013-07-18 10:45, Ivan Kurnosov wrote:
Would you bet a beer on that?
If so - http://tvfedor.ru [1] [1] - try to find anything here. If
beer
isn't
enough - tell your price (but keep in mind that in case if you fail
-
you're the person to pay). Fair deal?
PS: when I said L7 attacks I meant brute F5-based ones, not the
On Thursday, July 18, 2013 9:51:18 AM UTC+12, Hugh Davenport wrote:
IMHO, you have a terrible stance on how to deal with security
issues.
Cheers,
Hugh
On 2013-07-17 21:26, Ivan Kurnosov wrote:
2. In government just a regular people work, not gods. They have
their
own preferences :-)
3. As I said - it's reeeeeeeeeeeeeeeally trivial
The thing is - even if there was no such "vulnerability" - you
still
would be able to "DOS" silverstripe-based site with a bunch of
requests just because the cost of generating a request is
dramatically
higher than the cost of a generating responses.
So the "issue" is overrated. For someone who can google and is not
a
total dumb - any level7 attack issues can be solved easily.
On 17 July 2013 21:20, Petah <[email protected]> wrote:
There are a few questions to raise here:
1. Why can a member of the public flush the cache?
2. Why has the NZ government chosen Silver Stripe over something
like Drupal, or other alternatives?
3. Does the government service providers have the knowhow and
capabilities to detect and prevent such attacks?
4. If someone did manage to use this, or something similar, what
websites would it effect and how would the public be affected?
On Wed, Jul 17, 2013 at 9:07 PM, Ivan Kurnosov <[email protected]>
wrote:
It's actually pretty obvious that non-cached page takes longer to
generate (while I agree it's weird they provide a switch to flush
the cache) :-) Anyway, it's well known that the most resources
consuming part of almost every project is captcha generating
endpoint.
On 17 July 2013 21:04, Christopher Tombleson <[email protected]>
wrote:
True. But it a silly code error should have never been there in
the
first place.
On Wed, Jul 17, 2013 at 8:59 PM, Ivan Kurnosov <[email protected]>
wrote:
It's a pretty script-kiddy attack that can be defended in minutes
using dummy fail2ban, after rule is applied your traffic would
produce literally no noticeable influence on the project
On Wednesday, July 17, 2013 6:16:40 PM UTC+12, chtombleson
wrote:Hi,
I have recently noticed a DOS vulnerability in Silverstripe 3,
I did some testing and it turned out I was right,
you can find my results here:
http://blog.cribznetwork.com/2013/07/silverstripe-3-dos-vulnerable/
[5]
[5]
[1]
[1]
Cheers,
Christopher Tombleson
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2]
[2]
[2]
[2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the
Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3]
[3]
[3]
[3].
--
Christopher Tombleson.
http://cribznetwork.com [4] [4] [4] [4]
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2] [2]
[2]
[2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3]
[3]
[3] [3].
--
With best regards, Ivan Kurnosov
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2] [2]
[2]
[2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3]
[3]
[3] [3].
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2] [2]
[2]
[2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3]
[3]
[3] [3].
--
With best regards, Ivan Kurnosov
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2] [2]
[2]
[2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3]
[3]
[3] [3].
Links:
------
[1]
http://blog.cribznetwork.com/2013/07/silverstripe-3-dos-vulnerable/
[5]
[5]
[1]
[2] http://groups.google.com/group/nzphpug [2] [2] [2]
[3] https://groups.google.com/groups/opt_out [3] [3] [3]
[4] http://cribznetwork.com [4] [4] [4]
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2]
[2] [2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the
Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3]
[3] [3].
Links:
------
[1]
http://blog.cribznetwork.com/2013/07/silverstripe-3-dos-vulnerable/
[5]
[5]
[2] http://groups.google.com/group/nzphpug [2] [2]
[3] https://groups.google.com/groups/opt_out [3] [3]
[4] http://cribznetwork.com [4] [4]
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2] [2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
--- You received this message because you are subscribed to the
Google Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3] [3].
--
With best regards, Ivan Kurnosov
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2] [2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out
[3] [3].
Links:
------
[1] http://tvfedor.ru [1]
[2] http://groups.google.com/group/nzphpug [2]
[3] https://groups.google.com/groups/opt_out [3]
[4] http://cribznetwork.com [4]
[5]
http://blog.cribznetwork.com/2013/07/silverstripe-3-dos-vulnerable/
[5]
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
--- You received this message because you are subscribed to the
Google Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out [3].
--
With best regards, Ivan Kurnosov
--
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug [2]
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
---
You received this message because you are subscribed to the Google
Groups "NZ PHP Users Group" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out [3].
Links:
------
[1] http://tvfedor.ru
[2] http://groups.google.com/group/nzphpug
[3] https://groups.google.com/groups/opt_out
[4] http://cribznetwork.com
[5] http://blog.cribznetwork.com/2013/07/silverstripe-3-dos-vulnerable/
