Ticket #11670 (confirmed Bug)

Opened 5 years ago

Last modified 3 years ago

"Security overview of Plone" needs to be updated

Reported by: frisi Owned by: doc-editors@…
Priority: critical Milestone: 4.x
Component: Documentation Version: 4.1
Keywords: Cc: interra, ida

Description

Recently stumbled upon the document http://plone.org/products/plone/security/overview and started to translate it into German.

While doing so I noticed that the current list is based on the OWASP Top 10 of 2004 (http://www.owasp.org/index.php/Top_10_2004) and could need some updates.

In the meantime the list has been revised 2 times. Priorities have changed, some points have been removed, some added: http://www.owasp.org/index.php/Top_10

According to OWASP, the Top 10 list is used for the Plone security audits:

Several open source projects have adopted the OWASP Top Ten as part of their security audits, including:

  • Plone open source CMS project (managed by the Plone Foundation)

I'm wondering if the 2010 Top Ten have been addressed in the audit where CVE-2011-0720 has been discovered. Are there any written statements on the current Top Ten that could be used to update the Security overview of Plone?

Change History

comment:1 follow-up: ↓ 4 Changed 5 years ago by frisi

  • Priority changed from major to critical

Since security is one of Plone's major advantages, I consider updating the list as quite important.

To provide current figures for the CVE records I updated the numbers as of March 30th, 2011:

Plone/Zope/Python stack: 
CVE Entries containing Plone: 13 (9) 
CVE Entries containing Zope: 27 (9) 
CVE Entries containing Python: 111 (65)

PHP-based stacks: 
CVE Entries containing Drupal: 371 (269) 
CVE Entries containing Joomla: 653 (441) 
CVE Entries containing MySQL: 282 (84) 
CVE Entries containing Postgre: 82 (22) 
CVE Entries containing PHP: 18,859 (5,813)

Other stacks: 
CVE Entries containing Perl: 3,835 (1,780)

I could update the numbers if you grant me permission (plone.org user: frisi).

comment:2 Changed 5 years ago by markcorum

Thanks for the heads up here. I've double-checked and updated the numbers, and will work on getting someone to address the new items on the OWASP list that aren't part of the explanations of how Plone addresses issues.

Mark

comment:3 Changed 5 years ago by frisi

Hi Mark, any progress on addressing the new items?

I was asking on plone.devel 2 weeks ago but did not get any useful replies.

comment:4 in reply to: ↑ 1 Changed 5 years ago by interra

  • Cc interra added

I see that the article was updated to reflect the numbers from comment:1. The Top 10 URL was updated to point to the OWASP Top 10 for 2007.

The article is not yet updated to reflect the newest OWASP Top 10 for 2010, which at the time of writing this were:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

comment:5 Changed 4 years ago by eleddy

  • Owner changed from plone-website@… to doc-editors@…
  • Version set to 4.1
  • Component changed from Website to Documentation
  • Milestone set to 4.x

comment:6 Changed 4 years ago by kleist

  • Status changed from new to confirmed

comment:7 Changed 3 years ago by kleist

Article not yet updated?

comment:8 Changed 3 years ago by ida

Seems the article has been updated, we could close this.

But I am experiencing a strange behaviour: I can only see the document when logged out. Logged in I get 'Sorry...' (error-entry-number is: 1367827747.610.414821790254).

Does any of you have the same problem?

comment:9 Changed 3 years ago by frisi

The article has linked to the list as of 2007, but it has not yet been updated to address the newest list (in the meantime a 2013 (final) version will be available by the end of May: https://www.owasp.org/index.php/Top_10#OWASP_Top_10_for_2013).

Points featured in the 2013 version that are not addressed by the current document (or at least the terminology has changed).

Some points might be covered already under a different title:

  • A5 Security Misconfiguration (was formerly A6)
  • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)

-> might be included in 2007's "A6 - Information Leakage and Improper Error Handling"

  • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards

Btw: after logging in I get an error too. Appending /edit directly should work (I don't have permissions), but that should be another ticket.

comment:10 follow-up: ↓ 11 Changed 3 years ago by ida

  • Cc ida added

OK, so we wait with closing this until the end of May, right?

This is actually a candidate for some reminder feature automatically notifying the responsible persons for this section, or we reopen this ticket every year ;)

And thanks for the feedback about the logged-in-error, opened a ticket for this: #13565

Last edited 3 years ago by ida

comment:11 in reply to: ↑ 10 Changed 3 years ago by frisi

This is actually a candidate for some reminder feature automatically notifying the responsible persons for this section, or we reopen this ticket every year ;)

This would be a cool feature indeed.

It can be easily achieved by setting an expiration date and applying a content rule to send a note to a responsible person when the date arrives.

If I understand correctly, that would be a PLIP for the component 'website', right?

Last edited 3 years ago by ida