On Monday, 1 March 2010 15:38:13, Andreas Hartmann wrote:
> Hi Wolfgang,
>
> On 01.03.10 14:20, Wolfgang Jeltsch wrote:
> > the root page of the Lenya 2.0.3 servlet lets you create new publications
> > without requiring any authentication. Doesn't this mean that an attacker
> > could cause a denial of service by repeatedly creating publications?
>
> your site should not make this page accessible to the public. Usually
> only the pages in <pub>/live are accessible without authentication.
> Since the "New publication" page is not in a publication and therefore
> cannot be protected using the standard Lenya authentication and
> authorization mechanisms, you should protect it using digest auth or a
> similar mechanism. Beware that the usecase can also be called from other
> URIs.
Hello Andreas,

I don't really understand your solution. Do you mean that I should protect all pages except those in the live area by authentication at the HTTP level? This would mean that an editor had to authenticate twice: first at the HTTP level and second for Lenya. I wouldn't like this.

In my opinion, Lenya pages should be accessible by everyone in principle. If they have to be protected then Lenya should take care of this. As far as I can see, this works for everything that is related to a specific publication. Alas, it doesn't work for the creation of a new publication.

What URLs have to be blocked for the general public so that ordinary internet users cannot modify data on the server (like the publications store)? Is there any documentation on the web that documents which URLs are "unsafe"?

Unfortunately, the usual pages about setting up Lenya do not seem to mention the need for extra authentication at all. So it was only after more than a year of Lenya usage that I discovered this problem. :-(

Best wishes,
Wolfgang
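Added example, not part of the thread or of the Lenya project: one way to apply Andreas's advice in front of the servlet with Apache httpd 2.4. Rather than enumerating "unsafe" URLs (which the thread notes can be reached from several URIs), it denies everything under the Lenya context by default and allow-lists only the `<pub>/live` area. The context path `/lenya/`, the publication name `default`, the backend address and the digest file path are placeholders, not values from the thread.

```apache
# Assumptions (placeholders, not from the thread): Lenya is reached through
# mod_proxy at the context path /lenya/ and the publication is called "default".
ProxyPass        /lenya/ http://127.0.0.1:8888/lenya/
ProxyPassReverse /lenya/ http://127.0.0.1:8888/lenya/

# Default deny: every URI under the Lenya context, including the root page
# with the "New publication" usecase and any other URI that usecase can be
# called from, requires HTTP digest authentication.
# Create the file with: htdigest -c /etc/apache2/lenya.digest lenya-admin <user>
<Location "/lenya/">
    AuthType Digest
    AuthName "lenya-admin"
    AuthDigestProvider file
    AuthUserFile "/etc/apache2/lenya.digest"
    Require valid-user
</Location>

# Allow-list: only the live area of the publication is public. This more
# specific, later <Location> replaces the authorization rule above
# (AuthMerging is Off by default), so no challenge is sent for these URIs.
# Repeat this block for each publication that is published.
<Location "/lenya/default/live/">
    Require all granted
</Location>
```

Editors still hit the double login that Wolfgang objects to; the trade-off here is that a newly added usecase or URI is closed by default instead of open by default.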
