[BlueOnyx:05470] Re: Dealing with /admin URL 'hijacking

Jeff Jones jeffrhysjones at mac.com
Sun Sep 26 01:47:51 -05 2010


So refreshing to see good intelligent argument on the list without either party getting abusive and resorting to slagging the other off (or perhaps that is to come?!!?)

Seriously though, I know this sounds a bit corny but I think both approaches are correct, meaning that (here in the UK at least) in order to pass PCI DSS 2.x requirements, they don't like pretty much anything generic, be that server admin URL or CMS admin URL. I'm sure that any CMS vendor that has a product where it's difficult / impossible to change the admin URL (like ours) is going to need to think about sorting this in the near future.

But PCI requirements weren't around when CobaltOS was first designed, although there have been some significant improvements to security (like the login / server locker-outer) - I think there is still a way to go before anyone gets a 'native' BX box past PCI.

For one there is the issue of the generic 'admin' account which I believe can't be changed. 

So as this is a BX list, for perhaps the discussion of BX issues and suggested improvements, on a server level it would be great if BX could enable you to change the admin URL via the GUI, in whatever way people thought best. Ditto for other things like admin account, and I think there was someone a while back that said some essential BX service was causing his PCI scanner to fail for some reason.

All BX can really do about CMS security is to improve the ease of locking down the underlying PHP engine / application server - something which has been really improved from BO to BX.

It makes me wonder about sticking an L7 Application Based firewall on BX - is that something anyone has looked at? Is there a leading open source project out there?

Cheers,

Jeff
