Historic Plone Security Vulnerability

I spent a lot of time researching the right CMS to choose as our enterprise CMS before deciding on Plone. What really impressed me about Plone was its security record. It was dang near perfect. Today was a bit of a surprise for me, but again the folks at the Plone Foundation came through with a great workaround and a soon-to-be-released patch.

A vulnerability in Plone 2.5 to Plone 4.0 that allows anonymous users to gain manager access to a Plone site.

This is an escalation-of-privileges attack that anonymous users can use to gain access to a Plone site’s administration controls, view unpublished content, create new content and modify a site’s skin. The sandbox protecting access to the underlying system is still in place, and the vulnerability does not grant access to other applications running on the same Zope instance.

All versions of Plone since 2.5 are affected, viz. 2.5, 3.0, 3.1, 3.2, 3.3, 4.0; including all minor and development revisions of these versions.

Due to the severity of this issue Plone is providing an advance warning of an upcoming patch, which will be released on this page at 1600 GMT on Tuesday 8th February 2011.

Workaround

Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details, to ensure that concerned users can plan around the release. As the fix being published will make the details of the vulnerability public, the Plone Foundation is recommending that all users plan a maintenance window of 30 minutes either side of the announcement, during which the site is completely inaccessible, in which to install the fix.

If you cannot take this time offline, they STRONGLY recommend that you take one of the following steps to protect your site from before the announcement until you apply the fix:

  1. Make your database read-only.
  2. Alternatively, if this option isn’t possible due to not using one of the standard ZODB backends, disable logins by filtering HTTP authentication and cookies in Apache or Varnish.

These do not need to be in place for the entire week, but they should already be in place before the fix and vulnerability details are released next week. By preventing modifications to your site and patching your site quickly, you remove the incentive for potential attackers to attempt this attack.
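One way to carry out the second workaround above (disabling logins by filtering HTTP authentication and cookies at the front end), as an added example that is not part of the Plone advisory or this post. It assumes Apache with mod_headers and mod_proxy in front of a Zope instance on 127.0.0.1:8080, a Plone site with the id “Plone”, and the hostname www.example.com; those values are assumptions to be adjusted to your deployment.

```apache
# Added example (not from the advisory): temporary Apache front end that makes
# every request to the Plone site anonymous until the patch is applied.
# Requires mod_headers and mod_proxy; host, port and site id are assumptions.
<VirtualHost *:80>
    ServerName www.example.com

    # Remove both ways a browser can present credentials to Zope: HTTP
    # Basic/Digest credentials and all cookies (Plone's login cookie
    # included). Zope then treats every request as Anonymous, so nothing can
    # be modified through the web until these two lines are removed again.
    RequestHeader unset Authorization
    RequestHeader unset Cookie

    # Standard Zope VirtualHostMonster rewrite to the Plone site object.
    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/http/www.example.com:80/Plone/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/http/www.example.com:80/Plone/VirtualHostRoot/
</VirtualHost>
```

Anything that reaches Zope without passing through this virtual host (direct requests to port 8080, another virtual host, other hosts in a ZEO cluster) is not covered, so bind Zope to localhost or firewall the port for the same window.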

Page not found: Plone on Windows

I am not talking about the gray and white screen of Enfold Proxy death. I am talking about an honest-to-god 404 error. This morning I launched a site for a local elementary school, refreshed, and got a 404. Then I tried some other sites on the server and also got a 404 error. The main site on the box, the school district website, came up just fine.

Now then…here are the facts:

1. The district and the schools each use their own ZEOClusters
2. They each use the same Enfold Proxy Product
3. They use different app pools in IIS

My first thought was that Plone had just died, but when I browsed to 127.0.0.1/nameofsite on the server, the site came up fine. I was about to hit IIS restart, but then I noticed that the schools and the district use different app pools. I stopped the school app pool and started it again. All of the sites came back. The worker process within the app pool will restart itself 5 times before quitting. One of the websites I had recently turned off. This could have caused an error in the worker process. I added the site back into Enfold Proxy before restarting the app pool. I then stopped the site I no longer wanted but left the proxy definition in there.

I am guessing deleting the proxy definition caused the app pool to become unstable.

Phase I Social Media Strategy- Listen to the Competition

It may be that your competitors have not caught onto the marketing potential of social media. Before we build our own social media campaign we want to gather some intel on what your competitors are doing right and wrong.

We can also begin listening to what others are saying about your company by using competitive intelligence tools. Again, you are so new that no one may be saying anything about you yet. Your Google report will tell you what organic keywords people are trying in order to find you.

Here are some of the tools I use to monitor the traffic:

http://www.google.com/alerts
http://search.twitter.com
http://www.google.com/trends
http://searchanalytics.compete.com

Almost everyone uses Google Alerts. This is the tool that Google makes available for us to monitor the use of any word or phrase on the Internet. I have 15 of them that tell me everything I need to know about my topics every day.

The Twitter search is useful in gathering intel on key words and phrases used by potential customers. Following industry leaders on their tweets and reading the reactions could open some marketing doors. I am thinking of one of my clients, Case21: school principals love to tweet.

Google Trends shows how often key words, phrases and topics have appeared in news sources and which geographic regions are using them. I am primarily interested in the US only.

Try the Compete keyword destination report to see what sites come up when a phrase or key word is entered. This will give you some insight as to what your potential customers are seeing when they do a Google Search for example.

I try to ask and track where the majority of my leads come from, and I aggressively maintain my profiles on LinkedIn and Facebook. I do this for myself and for my company. Everyone in the company should be equally aggressive about tweeting and about having complete Facebook and LinkedIn profiles.

This is where we start with social media, by watching what our competitors do.

Joomla! releases two new versions in a week

The Joomla Project announces the immediate availability of Joomla 1.5.17 [Wojmamni ama woobusani]. This is a priority release to correct two issues in version 1.5.16. Although there are no security issues fixed in this release, they consider it a security release because a security-related bug has been fixed and because many sites may be upgraded directly from 1.5.15 to 1.5.17.

MadTek Associates downloaded and patched all sites with 1.5.16 Saturday morning. There were no sites we hosted that were affected by the security release. We will evaluate the 1.5.17 release before installing.

collective.xdv and windows using buildout

What is collective.xdv? Its code name is “deliverance”. Yeah, I would have picked a different name too. I think of dueling banjos and Ned Beatty running around the forest in his jockeys. collective.xdv is a middleware server that allows developers in Plone to create custom HTML templates that are completely removed from Plone. There is an XML rule set that has to be configured, but basically you can take any HTML template and map it to your Plone site and you have instant coolness.

This is roughly how Joomla works with templating. This is where Plone needed to go in order to really become attractive to the average Joe designer/developer. Now I can use my CSS- and HTML-savvy designers to make my Plone themes rather than have them all battleship gray and vanilla.

The trick to installing these into your buildout is to make the following mods to your buildout (for Windows only):

1. Find versions = versions and change that section to the one below:

    # extends = http://dist.plone.org/release/3.3.1/versions.cfg
    extends = versions.cfg
        http://good-py.appspot.com/release/collective.xdv/1.0
    versions = versions

(The continuation line under extends must be indented; buildout treats an unindented line as a new option.)

2. Add these lines to your eggs:

    eggs =
        collective.xdv
        ZPublisherEventsBackport

If you try collective.xdv [zope2.10], it will fail on Windows. Using the above will upgrade your Zope to 2.10 so you can use “deliverance”.

Why Java VM starts when viewing Plone 3.x.x in Firefox 3.5

Turns out there is a small bug in Firefox (fixed with the 3.6 release) that triggers an XSS flaw in Plone, which then starts the Java VM if you have it installed. This is what Alexander Limi at Plone.org had to say:

Plone 3.3 has a new maintenance release available, and you should upgrade to fix a potential security issue with Zope, and to make your site load faster.

Plone 3.3.4 is now available, and includes Zope 2.10.11, which fixes a potential XSS issue in the default error page in Zope. Although this is hard to exploit, since you have to manage to bypass the standard Plone error page — which does not have this issue — we strongly recommend that you upgrade your servers that are running any Zope version to their fixed releases available from zope.org. This applies no matter what version of Zope you are running.

Another important issue that has been fixed in this release of Plone was located in the base2 JavaScript library. It would cause the Java plugin(!) to be invoked if you have Java on your computer and are using Firefox 3.5, since there is a “magic” variable that starts the Java VM when accessed. More details here, if you are interested in the full explanation.

This issue is fixed in the latest release of KSS, and should make Plone faster for your logged-in users that are using Firefox 3.5. Though the issue has also been fixed in Firefox 3.6, which ships tomorrow, we still recommend that you upgrade.

Inspired by experience, history and this article…

So I have been a web developer/producer/sysadmin since Mosaic became Netscape. I worked for AT&T, taught FrontPage, learned about content management systems, learned about Alta Vista through Google, watched W3C use XHTML as the standard for presentation layer code and finally realized I was no longer a sysadmin, programmer, graphic designer or web designer; I had become a business owner with younger, more talented people working with me.

Through all that time, raising two kids, getting divorced, finding the single scene different and working for the State of North Carolina, running a business and paying my taxes, I learned a couple of things…

a. Sometimes a customer is not a customer but just someone that wants your time for free.

b. It’s ok to say no to business.

c. It’s ok to demand respect and fair treatment from your business partners.

There is a list that inspired me this morning. Probably anyone in business can empathize with what this gentleman put together:

http://www.newlocalmedia.com/wasting-time

No one is perfect. There is no perfect vendor (my company), nor is there a perfect customer. I have met some great people being in business as a Principal and founder of MadTek. I have also met some people whom the above list so nicely describes. They now get called “legends of MadTek”. If you are still hosting with us, you are not a legend but a valued and respected member of the MadTek family and community. We try to partner with our customers. We see their success as our success. Most of our customers have been with us over 3 years. That average is dropping as we have grown by 25% in the last 6 months.

Thank you dear customer for your continued trust and patronage.

best regards

Jason M. Hare
Principal, MadTek Associates

http://www.madtek.com

Congressional Web Site Defacements Follow the State of the Union

Shortly after President Obama’s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama’s 8th District), and Brian Baird (Washington’s 3rd District) were presented with a defacement message from the Red Eye Crew that as of 4:10 am EST remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.

Two NCSPRA Awards for work with Durham Public Schools

Jason Hare accepting one of two NCSPRA Awards earned for work done in 2009.

The Durham Public Schools Office of Public Affairs has been awarded nine Blue Ribbon Awards for Effective Communications by the North Carolina School Public Relations Association (NCSPRA). The awards were presented at NCSPRA’s annual Blue Ribbon Awards brunch held at the Durham Hilton Garden Inn on Jan. 22.

Jason Hare did the work for the Superintendent’s Holiday Card (online) and the 2009 Graduation Map (also online).

The Office of Public Affairs was cited for the following (category indicated in parentheses): State of the System Performance Report (annual report); Teacher of the Year video, Arts Spectrum video, Superintendent’s holiday greeting (electronic communications); Scholarship and graduation map Web site (Web site); Holton Career and Resource Center (identity/image package); BookMark: Leave Your Mark, Summer Reading Program (marketing campaign); DPS Community EdLink (newsletter).

ProductCart v4 is PA-DSS Validated

MadTek has been using ProductCart since 2002 and is a ProductCart Certified Solution Developer as well as a Gold Reseller. Our latest ProductCart site is http://www.oenophilia.com.

ProductCart v4 received official PA-DSS validation from the PCI Security Standards Council in October of 2009. PA-DSS stands for Payment Application Data Security Standards. “The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.”

PA-DSS and PCI Compliance

In other words, using a PA-DSS certified e-commerce application can help your business become PCI compliant. However, remember that a PA-DSS certified application is not enough to be PCI compliant. There are decisions that you make every day in the way you use ProductCart and – more generally – in the way you run your business that affect your PCI compliance.

Specifically, the elements relevant to an e-commerce business’ PCI compliance status include:

Properly using your PA-DSS certified e-commerce system

For this purpose, carefully review the ProductCart PA-DSS Implementation Guide for information on how to use ProductCart in a way that ensures PCI compliance. For example, if you are using “offline credit card processing” in ProductCart, you should purge credit card information from the ProductCart Control Panel and shred any printed version of it, immediately after the payment has been captured.