Textpattern CMS support forum
Re: Textpattern CMS demo site
Bloke wrote #282233:
True, but inside an Article or Page or Form:
<txp:php>...and boom, everyone’s gone. … Like Pete says, a sandbox environment with no external access that rebuilds The Matrix every few hours. Where’s the incentive to do harm?
Wish Jukka were here :) Not sure, but 3-hours spamming could be enough to get blacklisted. Bad stuff uploading/distribution is probably possible too. I would totally disarm php() function (in the demo core) and disable plugin install. Or install a collection of “official” ones, maybe creating permanent accounts for authors. But let’s wait and see.
Re: Textpattern CMS demo site
etc wrote #282234:
Not sure, but 3-hours spamming could be enough to get blacklisted.
Oh, I’m certain 3 hours is more than enough to get blacklisted – but there’s no MTA installed. Email is disabled.
Re: Textpattern CMS demo site
Bloke wrote #282233:
And a report link is a great idea to initiate a premature rebuild… once the timer is in place since it’ll get out of sync with the schedule.
Link added. Countdown timer to follow.
Re: Textpattern CMS demo site
etc wrote #282238:
One can post spam to websites.
Please excuse my ignorance, Oleg – you mean comment spam on other website articles with a URL link to the demo site?
Re: Textpattern CMS demo site
gaekwad wrote #282239:
you mean comment spam on other website articles with a URL link to the demo site?
Pete, I mean posting comment spam to external websites from your demo site, file_get_contents function does it quite easily. Or even conduct a DoS attack. Or I’m paranoiac :)
Re: Textpattern CMS demo site
etc wrote #282241:
Pete, I mean posting comment spam to external websites from your demo site, file_get_contents function does it quite easily. Or even conduct a DoS attack. Or I’m paranoiac :)
Ah, OK – thanks for the clarification. A firewall preventing all external connections would mitigate that, right?
Re: Textpattern CMS demo site
etc wrote #282243:
Quite possible, I’m a network dilettante. Expert advice is welcome.
+1. Your input is very valuable, so thank you for sharing your concerns.
I have firewalled the server. Incoming connections outside of port 80 and the (non-standard) ssh port are blocked. All outgoing connections outside of Subversion are blocked.
Last edited by gaekwad (2014-07-18 09:17:56)
Re: Textpattern CMS demo site
gaekwad wrote #282242:
A firewall preventing all external connections would mitigate that, right?
You can kind of use a firewall, but that requires that PHP isn’t run as a server module. Otherwise it can still do connections, because it runs under the server process.
Ideally the Textpattern setup should be run inside a secure container and PHP as FCGI under a limited-access user. But whatever you do, it’s not going to be trustworthy — it’s all just damage control.
Re: Textpattern CMS demo site
Gocom wrote #282397:
You can kind of use a firewall, but that requires that PHP isn’t run as a server module. Otherwise it can still do connections, because it runs under the server process.
Unless the HTTP process runs as root, I don’t see how that would be possible.
Re: Textpattern CMS demo site
ruud wrote #282402:
Unless the HTTP process runs as root, I don’t see how that would be possible.
Yeah. Thinking other shit while trying to write; what I said is rather irrelevant.
gaekwad wrote #282244:
the (non-standard) ssh port are blocked
What port number? If it’s a port that doesn’t require root (greater than 1024), you can knock down sshd and take its place as long as you can run executable code in Textpattern.
All outgoing connections outside of Subversion are blocked.
That’s an open port you can then use.
Re: Textpattern CMS demo site
Gocom wrote #282406:
What port number? If it’s a port that doesn’t require root (greater than 1024), you can knock down sshd and take its place as long as you can run executable code in Textpattern.
It’s above 1024. Root ssh is not permitted, I haven’t set up keys.
That’s an open port you can then use.
Then I should fix that.
Re: Textpattern CMS demo site
I’ve updated the build script so the open port for Subversion is for the duration of svn export only, which is about 15-30 seconds every three hours.
Last edited by gaekwad (2014-07-25 07:59:28)
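The host firewall gaekwad describes earlier in the thread (only HTTP and the non-standard ssh port inbound, all outbound closed) together with the later change that opens the Subversion port only for the duration of the `svn export`, written out as an added example in POSIX sh. This is not the demo site's real build script; the port numbers, the `svn.example.invalid` host and the `IPT` override used for dry runs are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not the demo site's own build script: a minimal host firewall
# for a throwaway demo box, plus a helper that opens the outbound Subversion
# port only for the lifetime of one command (the svn export) and closes it
# again even if that command fails. Ports and hostnames are placeholders.
set -eu

SSH_PORT="${SSH_PORT:-2222}"     # assumption: the non-standard sshd port
SVN_PORT="${SVN_PORT:-443}"      # assumption: Subversion served over https
IPT="${IPT:-iptables}"           # set IPT=echo to dry-run without root

# Baseline: flush, drop everything by default, then allow exactly what the
# thread lists (loopback, replies to existing flows, HTTP in, ssh in).
# No outbound NEW connections are allowed, so PHP code on the box has
# nothing to reach out with between builds.
apply_baseline() {
    "$IPT" -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT  -p tcp --dport 80 -j ACCEPT
    "$IPT" -A INPUT  -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# -I (insert) and -D (delete) must use the identical matcher; keeping it in
# one function avoids a rule that is opened but never removed because the
# two spellings drifted apart.
svn_rule() {
    "$IPT" "$1" OUTPUT -p tcp --dport "$SVN_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Run a command with the outbound Subversion port open, then close it.
# Returns the command's exit status; the port is closed on every path.
with_svn_window() {
    svn_rule -I
    rc=0
    "$@" || rc=$?
    svn_rule -D
    return "$rc"
}

# Usage on the real box (as root; host is a placeholder):
#   apply_baseline
#   with_svn_window svn export https://svn.example.invalid/textpattern /var/www/demo
```

The window is what limits the exposure Gocom points out: an always-open outbound port is usable by anything that can execute code on the box, whereas a rule that exists for the 15-30 seconds of the export, and is removed whether or not the export succeeds, is a much smaller target. If the build runs under a dedicated user, the `-m owner --uid-owner` match can narrow the window further to that user's connections only.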
Re: Textpattern CMS demo site
I’ve bumped the Textpattern demo site to 4.5.7; as time allows in the coming weeks and months I’ll switch the site to an EU server and containerise the whole thing with Docker.
Last edited by gaekwad (2014-09-22 12:00:34)