Dario,
I am not aware of any ways to bypass Pier security ... given that pier artifacts are involved, I assume that they haven't hacked into your system at the os level ... so it has to be coming in through the web ...
I guess that you should make sure that you only have the pier application registered with seaside and that you are using a variant of the WAGemStoneProductionErrorHandler ... if you are using one of the debugging error handlers, then there is the danger that someone can get access to an inspector from the outside world.
Dale
----- Original Message -----
| From: "Dario Trussardi" <
[hidden email]>
| To: "beta discussion Gemstone Seaside" <
[hidden email]>
| Sent: Thursday, January 10, 2013 2:09:36 AM
| Subject: [GS/SS Beta] Pier site change from hacker ?
|
| Hi,
|
|
| i have a development site based on Pier3 run on Gemstone environment
| ( 3.1.0.2 ).
|
|
| The server is based on Ubuntu server 10.04 LTS.
|
|
| Now i do some performance test and the site answer at public web
| request.
|
|
| Yesterday and today i have found some pier page change from ??? one
| hacker ???
|
|
|
|
| One attached page changes report:
|
|
|
|
| Structure Command Date Time User
|
| /missione Edit 01/10/2013 6:40:55 open
|
|
| /missione Edit 01/09/2013 21:8:20 open
|
|
|
| where i note the user is not set.
|
|
|
|
| The pier is created from PRDistribution subclass where the creation
| instance do:
|
|
| self rootPage enumerator with; all; do: [ :each | each
| outgoingReferences do: [ :link | (link isKindOf: PRInternalLink)
| ifTrue: [ link target: nil ] ]. each securityDecoration owner: self
| kernel users anyOne. each securityDecoration group: self kernel
| groups anyOne ].
|
|
|
|
|
|
| The Pier user name and password are change by default.
|
|
| The Gemstone DataCurator and SystemUser passwords are change.
|
|
|
| Someone considerations about it?
|
|
| Thanks,
|
|
| Dario
|
|
|
|
|
|
|
Locked
