October: Users can easily bypass Maintenance mode when switched on

Created on 26 Dec 2019 · 5 Comments · Source: octobercms/october

Steps to repeat

  1. Install latest version of October.

  2. Turn on maintenance mode and set it to point to your desired web page.

  3. Turn on a vpn / tor etc. with a different ip address.

  4. Open a browser and load for example one of your images in /storage/app/media/ etc.

You will see that it loads fine and bypasses maintenance mode.

  5. Repeat steps with other files and same thing, you can easily bypass maintenance mode!

Expected outcome

October should redirect all users of all routes to the maintenance web page screen.

Why is this important?

When you are making a website for a client and it's not yet ready to launch or get indexed by search engines, you may want to turn on maintenance mode. A competitor can scrape your newly designed website and steal your content, then place the content on their website and get the search engines to index it. The search engines will then treat your content, when you come to indexing it, as duplicate content.

See proof:

159.138.154.49 - - [26/Dec/2019:20:54:50 +0000] "GET /storage/app/media/example/image.jpg HTTP/2.0" 200 23948 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0"

Above: a Chinese botnet stealing one of our clients' content while maintenance mode is turned on.

Our client is kind of angry with the cms right now!

Question


All 5 comments

I think the maintenance mode is mainly for web pages, not resources... I may be wrong.

--
Marc

On Thu, Dec 26, 2019, 16:23 Ayumi notifications@github.com wrote:

Steps to repeat:

  1. Install latest version of October.

  2. Turn on maintenance mode and set it to point to your desired web page.

  3. Turn on a vpn / tor etc. with a different ip address.

  4. Open a browser and load for example one of your images in /storage/app/media/ etc.

You will see that it loads fine and bypasses maintenance mode.

  5. Repeat steps with other files and same thing, you can easily bypass maintenance mode!


This isn't an issue, maintenance mode is not a security measure meant to firewall your entire site, it's a user experience measure meant to protect your users from seeing potential glitches with the site or triggering actions on the site while it is in an unstable state (under maintenance).

If you want to firewall off all aspects of your site (including static resources served by your webserver without ever hitting October) then you need to configure that on the server level.
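One way to do this at the server level, as an added example that is not code from this issue or from October CMS: an nginx server block that answers every request, including media under /storage/app/media/ that nginx normally serves straight from disk, with a 503 holding page while a flag file exists, and exempts an allow-listed address so the developer can still review the site. The hostname, paths, exempt address and PHP-FPM socket are assumptions.

```nginx
# Added example, not part of October CMS. Paths and addresses are assumptions.
# The geo block must live in the http context; the rest goes in the server block.
geo $maintenance_exempt {
    default 0;
    203.0.113.10 1;   # constructed: the developer's own address stays exempt
}

server {
    listen 80;
    server_name example.com;           # assumption
    root /var/www/october;             # assumption: October install root

    # Maintenance toggle: `touch /var/www/maintenance.flag` to enable,
    # `rm` it to disable. Evaluated on every request, before any location
    # matches, so static files are covered as well as PHP routes.
    set $in_maintenance 0;
    if (-f /var/www/maintenance.flag) { set $in_maintenance 1; }
    if ($maintenance_exempt)          { set $in_maintenance 0; }
    if ($in_maintenance)              { return 503; }

    # Serve a static holding page for the 503 instead of the default error.
    error_page 503 @maintenance;
    location @maintenance {
        root /var/www/maintenance;     # assumption: directory holding index.html
        rewrite ^ /index.html break;
    }

    # Normal routing once the flag is gone: static files from disk,
    # everything else to October's front controller.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    }
}
```

Because the 503 is issued by nginx itself, a request for an image in /storage/app/media/ never reaches PHP and is blocked the same way a page request is; the 503 status also tells search engines the outage is temporary rather than indexing the holding page. Verify after reloading with a request for a known media path and check that the status is 503 rather than 200.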

As a side note, please consider purchasing a premium support plan to get priority support for your business / organization: https://octobercms.com/premium-support

@LukeTowers going to message you after the new year, we are wondering if your plugin can address this issue or not?

https://octobercms.com/plugin/luketowers-filelocker

@ayumi-cloud no, that plugin is intended more for a "membership files" sort of system where you need to share files with various users and want to do so through your own October CMS instance instead of Google Drive or some other system for various reasons. I made it for my own clients that for one reason or another don't want to share meeting minutes and other organization docs through google drive or other file sharing platforms but have an October CMS site that their members have logins to.

@LukeTowers I see, thanks for letting me know!
