[BlueOnyx:05471] Re: Dealing with /admin URL 'hijacking'

Abdul Rashid Abdullah webmaster at muntada.com
Sun Sep 26 02:48:08 -05 2010


Fantastic discussion.  Thanks for playing.  ;-)


On 9/25/10 11:47 PM, "Jeff Jones" <jeffrhysjones at mac.com> wrote:

> So refreshing to see good intelligent argument on the list without either
> party getting abusive and resorting to slagging the other off (or perhaps that
> is to come?!!?)
> 
> Seriously though, I know this sounds a bit corny but I think both approaches
> are correct, meaning that (here in the UK at least) in order to pass PCI DSS
> 2.x requirements, they don't like pretty much anything generic, be that server
> admin URL or CMS admin URL. I'm sure that any CMS vendor that has a product
> where it's difficult / impossible to change the admin URL (like ours) is going
> to need to think about sorting this in the near future.
> 
> But PCI requirements weren't around when CobaltOS was first designed, although
> there have been some significant improvements to security (like the login /
> server locker outer) - I think there is still a way to go before anyone gets
> a 'native' BX box past PCI.
> 
> For one there is the issue of the generic 'admin' account which I believe
> can't be changed.
> 
> So as this is a BX list, for perhaps the discussion of BX issues and suggested
> improvements, on a server level it would be great if BX could enable you to
> change the admin URL via the GUI, in whatever way people thought best. Ditto
> for other things like admin account, and I think there was someone a while
> back that said some essential BX service was causing his PCI scanner to fail
> for some reason.
> 
> All BX can really do about CMS security is to improve the ease of locking
> down the underlying PHP engine / application server - something which has been
> really improved from BO to BX.
> 
> It makes me wonder about sticking an L7 Application Based firewall on BX - is
> that something anyone has looked at? Is there a leading open source project
> out there?
> 
> Cheers,
> 
> Jeff
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
> 
