Hi Wolfgang,

On 01.03.10 14:20, Wolfgang Jeltsch wrote:
> the root page of the Lenya 2.0.3 servlet lets you create new publications
> without requiring any authentication. Doesn't this mean that an attacker could
> cause a denial of service by repeatedly creating publications?

your site should not make this page accessible to the public. Usually only the pages in <pub>/live are accessible without authentication. Since the "New publication" page is not in a publication and therefore cannot be protected using the standard Lenya authentication and authorization mechanisms, you should protect it using digest auth or a similar mechanism. Beware that the usecase can also be called from other URIs.

BTW, I don't see a specific relation between the "new publication" usecase and a DoS. If an attacker really wants to kill a dynamic non-protected Lenya site, there are various ways to achieve this (e.g. create lots of sessions/continuations to cause an OOME). A non-distributed DoS can certainly be handled by IP blacklisting; if you're facing a DDoS, you're in serious trouble. You could look into web application firewall tools to address those issues.

Best regards,
Andreas


--
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01
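As an added illustration of the point that the usecase can be reached from other URIs (not code from this thread or from the Lenya project), the servlet filter below gates the usecase on every path by its request parameter rather than by URL pattern, relying on container authentication (e.g. DIGEST in web.xml) for the identity check. It assumes Lenya selects usecases via the `lenya.usecase` parameter, and the usecase name itself is a placeholder to be taken from your own configuration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Refuses the "new publication" usecase on any request path unless the
 * container has already authenticated the caller. Map this filter to
 * url-pattern "/*" in web.xml so that invoking the usecase from a URI
 * other than the root page does not bypass the check.
 */
public class NewPublicationGuard implements Filter {
    // Assumption: Lenya 2.0 selects a usecase with this request parameter.
    private static final String USECASE_PARAM = "lenya.usecase";
    // Placeholder: replace with the usecase name from your Lenya configuration.
    private static final String GUARDED_USECASE = "<new-publication-usecase-name>";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isGuardedUsecase(request) && request.getUserPrincipal() == null) {
            // Anonymous caller asked for the guarded usecase: stop here.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the request, whatever its path, names the guarded usecase. */
    static boolean isGuardedUsecase(HttpServletRequest request) {
        String usecase = request.getParameter(USECASE_PARAM);
        return GUARDED_USECASE.equals(usecase);
    }

    public void destroy() { }
}
```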

