Sitecore's RESTful Security Risk - Part 2

This post has been migrated original date 17 Dec 2008 Following on from the blog I posted last month about Sitecore's RESTful Security Risk Sitecore have realeased the following information as part of their December newsletter:

Installation Guide Update for Sitecore CMS 5.3.x and 6.0 (Security Hardening) We have discovered a missing security setting description in the Installation Guide for Sitecore 5.3.x and 6.0 regarding the ‘rest.aspx’ file. These pages have been updated: Page 17 In the Authentication Methods dialog box, ensure that the Anonymous access check box is not checked. Repeat this procedure for the following folders and files: /sitecore/admin /sitecore/debug /sitecore/rest.aspx. Page 28 Disable anonymous access to /sitecore/rest.aspx file Make sure you have disabled anonymous access to the /sitecore/rest.aspx file. For details, see Section 3.5, Configuring the IIS. Page 46 Make sure you have disabled anonymous access to the /sitecore/rest.aspx file. For details, see Section 3.5, Configuring the IIS.

I am a little annoyed that they calmed they had missed the security description but on the plus side hopefully more Sitecore sites will become secure and that they have finally notified users; even if it was 2 months after I informed them of the original problem.