Ticket #11670 (confirmed Bug)
"Security overview of Plone" needs to be updated
| Reported by: | frisi | Owned by: | doc-editors@… |
|---|---|---|---|
| Priority: | critical | Milestone: | 4.x |
| Component: | Documentation | Version: | 4.1 |
| Keywords: | | Cc: | interra, ida |
Description
Recently I stumbled upon the document http://plone.org/products/plone/security/overview and started to translate it into German.
While doing so I noticed that the current list is based on the OWASP Top 10 of 2004 (http://www.owasp.org/index.php/Top_10_2004) and could use some updates:
in the meantime the list has been revised 2 times. Priorities have changed, some points have been removed, some added: http://www.owasp.org/index.php/Top_10
According to OWASP, the Top 10 list is used for the Plone security audits:
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including:
- Plone open source CMS project (managed by the Plone Foundation)
I'm wondering if the 2010 Top 10 has been addressed in the audit where CVE-2011-0720 was discovered. Are there any written statements on the current Top 10 that could be used to update the Security overview of Plone?
Change History
comment:2 Changed 5 years ago by markcorum
Thanks for the heads up here. I've double-checked and updated the numbers and will work on getting someone to address the new items on the OWASP list that aren't part of the explanations of how Plone addresses issues.
Mark
comment:3 Changed 5 years ago by frisi
Hi Mark, any progress on addressing the new items?
I was asking on plone.devel 2 weeks ago but did not get any useful replies.
comment:4 in reply to: ↑ 1 Changed 5 years ago by interra
- Cc interra added
I see that the article was updated to reflect the numbers from comment:1. The Top 10 URL was updated to point to the OWASP Top 10 for 2007.
The article has not yet been updated to reflect the newest OWASP Top 10 for 2010, which at the time of writing was:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
comment:5 Changed 4 years ago by eleddy
- Owner changed from plone-website@… to doc-editors@…
- Version set to 4.1
- Component changed from Website to Documentation
- Milestone set to 4.x
comment:8 Changed 3 years ago by ida
Seems the article has been updated, we could close this.
But I am experiencing a strange behaviour: I can only see the document when logged out. Logged in I get 'Sorry...' (error-entry-number is: 1367827747.610.414821790254).
Does any of you have the same problem?
comment:9 Changed 3 years ago by frisi
The article has linked to the list as of 2007, but it has not yet been updated to address the newest list (in the meantime a 2013 (final) version will be available by the end of May: https://www.owasp.org/index.php/Top_10#OWASP_Top_10_for_2013).
Points featured in the 2013 version that are not addressed by the current document (or at least whose terminology has changed).
Some points might be covered already under a different title:
- A5 Security Misconfiguration (was formerly A6)
- A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  -> might be included in 2007's "A6 - Information Leakage and Improper Error Handling"
- A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
- A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
btw: after logging in I get an error too. Appending /edit directly should work (I don't have permissions), but that should be another ticket.
comment:10 follow-up: ↓ 11 Changed 3 years ago by ida
- Cc ida added
Ok, so we wait with closing this until the end of May, right?
This is actually a candidate for some reminder feature automatically notifying the responsible persons for this section, or we reopen this ticket every year ;)
And thanks for the feedback about the logged-in-error, opened a ticket for this: #13565
comment:11 in reply to: ↑ 10 Changed 3 years ago by frisi
This is actually a candidate for some reminder-feature automatically noticing the responsible persons for this section, or we reopen this ticket every year ;)
This would be a cool feature indeed.
It can be easily achieved by setting an expiration date and applying a content rule to send a notification to a responsible person when the date arrives.
If I understand correctly, that would be a PLIP for the component 'website', right?
Since security is one of Plone's major advantages, I consider updating the list as quite important.
To provide current figures for the CVE records I updated the numbers as of March 30th, 2011:
I could update the numbers if you grant me permission (plone.org user: frisi).