How to disable a built in plone page?

Hi Guys,
I am new to Plone. I would like to ask how to disable the pages below:

  • http://{PLONE_SERVER}/{MySite}/@@search
  • http://{PLONE_SERVER}/{MySite}/events/aggregator/event_listing

Because when I security-tested the Plone CMS using OWASP ZAP, there were vulnerabilities in Plone CMS based on the scan result. I need to solve these problems before my boss approves the site I made using Plone.

Unlikely you want to disable the Plone site search

Huh??? Which Plone version is this? An unknown XSS problem not patched? Ensure that you are running the latest Plone 4.x or 5.x version with all related security hotfixes.

Apart from that, and back to your question: use a RewriteRule in your frontend Apache or related webserver that performs the URL rewriting, match the URL with a regular expression and return an HTTP error instead.

-aj

1 Like
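The RewriteRule approach described above, written out as an added Apache example (this is not from the post or from the Plone documentation). It assumes a Plone site id of `MySite`, Zope listening on 127.0.0.1:8080 and a public hostname of www.example.com; the blocked paths are the two URLs from the question, with the site id kept in the public URL as it is there.

```apache
# Added example: block two Plone views at the Apache front end with a 403.
# Assumptions (not from the thread): Plone site id "MySite", Zope on
# 127.0.0.1:8080, public hostname www.example.com. Needs mod_rewrite,
# mod_proxy and mod_proxy_http loaded.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On

    # Return 403 Forbidden for the site search view and the event listing.
    # The pattern is matched against the URL path only, so a query string
    # such as ?SearchableText=... does not bypass it. [F] implies [L].
    RewriteRule ^/MySite/@@search(/.*)?$ - [F]
    RewriteRule ^/MySite/events/aggregator/event_listing(/.*)?$ - [F]

    # Hand everything else to Zope through the VirtualHostMonster so that
    # Plone generates links for the public hostname instead of 127.0.0.1:8080.
    # VirtualHostRoot directly after the port keeps "/MySite/..." in the
    # public URL, matching the paths used in the question.
    ProxyPreserveHost On
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

The rules only help if port 8080 is not reachable from outside (bind Zope to localhost or firewall it); otherwise the views stay available on the direct Zope URL.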

Hi Sir Aj,
Thank you for the response. Below is the Plone version details that I used:

  • Plone 5.0.6rc1 (5016)
  • CMF 2.2.10
  • Zope 2.13.24
  • Python 2.7.6 (default, Oct 26 2016, 20:32:47) [GCC 4.8.4]
  • PIL 3.3.1 (Pillow)

Ok Sir Aj, I'll try to add and install Apache for the Frontend.

Thanks,
Jayson

How is mouseover an attack? That seems very strange. Plone itself is very secure and includes protection against common attack vectors, so I'd be very surprised if you'd found one.

As to disabling the event aggregator, you can either retract (make private) the collection in the /events folder or retract the /events folder.

1 Like

seems to be an old one:

their test seems to be doomed; at least on the search form.

1 Like

@jpamittan could you please send the full report and details about the used Plone version and add-ons to security@plone.org

Technically this is an XSS attack, even if in this case just an onMouseOver event is injected, which in the example is harmless, that could be used for additional attacks.

As @zopyx said, you could block all of these views via your frontend Webserver (Apache or nginx)

1 Like

Well, I have tried to reproduce that and yes, the potential JavaScript output is in the page output, but properly quoted, so that it is not an XSS attack vector.

I would guess it is a false positive in the OWASP ZAP project, as they might just check for reflection, not whether that is actually a DOM element property or executable.

2 Likes

Hi Guys,
Thank you for your replies; it's a great help to me. What a great community here :slight_smile:
Please see below the report generated in OWASP ZAP.


Sir @zopyx, @Alexander_Loechel, I already installed an Apache on the server (Note: I installed Plone via the Vagrant approach) but I don't know how to connect it to the Plone ZServer. Thank you guys for your support. Appreciate your replies.

Hi Sir @tkimnguyen, ok I'll try that to make it private and will check if ZAP can still see the link under events. Thanks Sir :slight_smile:

Please, stop calling us "SIR".

https://docs.plone.org/manage/deploying/front-end/apache.html

-aj

@zopyx be a little more culturally sensitive. Many cultures have respect built in to all forms of communication as virtually automatic, particularly when talking to strangers. It feels rude not to show respect. It's a shame German isn't the same.

Thanks for the link @zopyx.
And thanks also @djay for understanding.

  • Yes, it's our culture here in the Philippines to add the honorific "Sir" or "Ma'am" to the people we don't know to show our respect. But moving forward I'll take note of what @zopyx said. I hope I might be able to blend in with you guys as a Plone dev :slight_smile:

Um, in German there is a built-in (and used) difference between 2nd and 3rd person to indicate respect. In fact, English is the only language that doesn't really have or use that... :stuck_out_tongue:

(If you can, in future it would be better to post the text of messages, rather than images)

I am culturally sensitive enough in this case. Communication patterns in societies are different and people adjust or should adjust to the communication pattern. "Sir" does not belong in the context of an open-source community, independent of the cultural background - one can expect a little adaptation even if your country has a background as a colony and the typical master-sir thinking is still in your genes. At least I feel offended by someone calling me "sir", intentionally or unintentionally.

-aj

thanks :slight_smile:

The question is the usage of terms like "Sir" pretending some sort of respect when there is no respect involved. Japan for example has a deep culture of mutual respect as a "built-in" feature of the people, in contrast to the country starting with "I" where you often hear Hindi swear words if they don't get the answer they want.

-aj

I'd say function sometimes follows form

I think this shows a lot of cultural insensitivity. Why would you assume using the word "sir" has any connection to colonies or masters or genes?? The country of Thailand, where I live, has never been colonised. In any kind of communication where you are speaking to someone you don't know you would use the word "Khun" in front of their name, otherwise it would be shockingly rude. That would be translated as Mr or Sir etc. It doesn't always represent power relationships but rather just being polite. I suspect most of Asia has a similar concept.
You are transposing a lot of your thinking onto someone else's culture, which is insensitive and doesn't belong in open source. Expecting people to adhere to your version of how people should use English is very anti-diversity.
You would think you, Andreas, of all people would be more forgiving, considering your individual culture of being terse to the point of being aggressive has offended almost everyone in the community at some point.

1 Like