

E-mail: security@lbl.gov

Web Server Requirement: Content and Moderation

Many popular web applications such as wikis, bulletin boards, and blogs rely on users commenting, editing, and adding content. In almost all circumstances, these applications should be configured to prevent unauthenticated users from posting content, and to prevent the creation of arbitrary, unvetted accounts.

Content

Content must reflect RPM policy. The RPM has a lot to say about web sites, and you should review it (RPM 9.01, 9.02). In particular:

  • Prohibited Content: Commercial, non-transient incidental use, sexually explicit, gambling, etc.
  • Page Owner: A page/site owner must be identifiable from the page.
  • Publishing Rules: Ensure that openly posted content meets the standards of content the University expects, and that no copyrighted material is reproduced in an unacceptable manner.

Malicious Content and Spam

Blog comment sections and editable wikis are now very popular targets for spammers and hackers. LBNL is a particularly likely target because links from us reflect well in search engines, and because very few .gov sites permit these kinds of activities.

Attackers may place links to malicious websites on blogs and wikis that are not moderated. The attackers hope that having the link on a legitimate website increases the chance that someone will visit the malicious website. Such websites commonly exploit visitors' computers and take full control of them without any user-observable activity. In other words, just clicking a link can instantly and invisibly compromise your computer.

Comment spam may not seem like a big problem, but outsiders are more intolerant of this kind of spam on .gov websites than in other places. Further, these kinds of attacks may also be used to lead users to malicious sites or to host malware (for instance, via attached content in a wiki). It goes without saying that the content typically reflects poorly on the Lab/University as well.

The Solution: Authentication / Moderation

Wikis, bulletin boards, blogs and similar tools with user accounts must be configured to:

  • Disable Anonymous Posting: Blog software and other web applications typically have the option to moderate comments and changes. Ensure this option is turned on. Do not allow unauthenticated users to post any kind of content.
  • Ensure Vetting of New Accounts: In the early days of blog and wiki spam, it was sufficient to merely force a captcha or a complicated password during self-registration, since this stopped comment-spam bots. This is no longer the case. Human attackers have targeted, and will continue to target, servers at LBNL; they will register for accounts and post content for the reasons listed above. Unless your research absolutely requires unauthenticated account creation, ensure each user is vetted. Typically, this is done by configuring the system to send an email to a human (LBNL) reviewer for approval before the account is activated.
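As an added illustration of the two controls above, not code from this page or from any LBNL system, here is a minimal model of an account-vetting and content-moderation gate: self-registered accounts stay pending until a human reviewer approves them, anonymous submissions are refused, and accepted users' posts sit in a moderation queue until a moderator releases them. All class and method names are hypothetical.

```python
from dataclasses import dataclass
PENDING, ACTIVE, REJECTED = "pending", "active", "rejected"  # account states

@dataclass
class Account:
    username: str
    state: str = PENDING  # self-registered accounts wait for a human reviewer

@dataclass
class Post:
    author: str
    body: str
    published: bool = False  # False while the post sits in the moderation queue

class ModeratedSite:
    """Hypothetical model: accounts are vetted by a human before activation,
    and nothing a user submits is visible until a moderator accepts it."""
    def __init__(self):
        self.accounts = {}
        self.moderation_queue = []
        self.published = []
        self.reviewer_inbox = []  # stand-in for the e-mail to the (LBNL) reviewer

    def register(self, username):
        # Self-registration only creates a PENDING account and notifies a reviewer.
        acct = Account(username)
        self.accounts[username] = acct
        self.reviewer_inbox.append(f"account request: {username}")
        return acct
    def review_account(self, username, approve):
        acct = self.accounts[username]
        acct.state = ACTIVE if approve else REJECTED
        return acct.state
    def submit(self, username, body):
        # Anonymous posting is disabled and unvetted accounts cannot post.
        if username is None:
            raise PermissionError("unauthenticated posting is disabled")
        acct = self.accounts.get(username)
        if acct is None or acct.state != ACTIVE:
            raise PermissionError(f"account {username!r} has not been vetted")
        post = Post(username, body)
        self.moderation_queue.append(post)  # held for moderation, not yet visible
        return post

    def moderate(self, post, accept):
        self.moderation_queue.remove(post)
        if accept:
            post.published = True
            self.published.append(post)
        return post.published
```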

The Implication: Blocking

The Computer Protection Program will block servers that host inappropriate content without prior notice, even if that content is user-created within a collaborative application. Remember that blocking affects all websites hosted by the server in question, and that the blocked server will no longer have network connectivity of any form (that is, blocking disables internet access, not just the website). Weigh this risk carefully against the need for anonymous posting. There is information here about how to clean up the caches of major search engines if they reflect unacceptable content.