Security :: Capability

I have to give a speech to my customer(s) who are concerned about their intellectual property in the form of documents posted and accessed via the Internet, which I am proposing to speed production.

Granted; nothing is 100% foolproof, a higher level of security can be obtained at a higher cost, etc. That said, can someone give me a bullet-point list of top features that a well-crafted OOP programming structure using public/private/protected classes provides - which I perceive C5 to be?

As an example, we know that JavaScript can be injected with variable values, but it appears to me that C5 never allows JS to overwrite core files. C5's use of PHP's execute() does not use the overwrite option, and so on - so there appears to be some good foresight in this area.

Questions:

Can C5 provide a list of core concepts and established techniques that have been followed in order to increase security?

Can C5 give an approximate "ballpark" rating on security in terms of comparing itself to the high-end of governmental agencies that require clearance/approval of a company's Intranet/Internet before being allowed to handle top-secret information, and that of something more moderate like a law firm's desire to keep their online documents from being illegally accessed (which is nearer to what I'm doing)?

Can C5 provide a list of clients who use its core functionality for their Internet business that has a certain level of security requirement?

Rick

Ricalsin
 
12345j replied:
Well, you could just lock the site by making only registered users be able to view it. You could also use the Security Wall addon - make them think it's safer.
Ricalsin replied:
I did not realize there was a Security Wall addon, so thanks for that.

However, I am using all of the User permission features that C5 provides - as that enables benign users the privacy needed to make my concept work.

My question was geared more for those looking to attack a site. My concern is not so much lost emails and such, but someone able to download files from the site illegally and without site owner knowledge. How probable is that?
Mnkras replied:
If you secure the files appropriately, there should be no problem.
Ricalsin replied:
Thanks Mike,

Can I assume "securing files appropriately" refers to properly using C5 User Permissions, File Permissions and an SSL Certificate (on a dedicated IP)? Nothing else?

Rick
12345j replied:
You could use the download folder addon or sets to restrict download as well. You may want to use advanced permissions as well.
jordanlev replied:
I'm not so sure about this -- if you're talking about bullet-proof security, I believe that anyone can access any of the files in your site's "files" directory -- IF they know the exact URL for it.
You can test this out by putting permissions on a file, logging in as a user who CAN access the file, downloading it, copying the download URL from your browser's address bar, then logging out and visiting that file's URL -- does it serve the file to you?

For SQL Injection attacks, the core system is safe because it uses the ADODB library. Most addons are safe as well as long as they use this, but it's hypothetically possible that an addon doesn't use the appropriate methods for database access and poses a security risk (you'd have to look at their code to know for sure).

XSS attacks are only applicable when users are entering form data that is re-displayed to other users -- for example, the forum or the guestbook block. I just did a quick test of the guestbook block and it strips out all tags, so that one should be secure in that regard. Not sure about the forum addon since I don't have it.

As for CSRF attacks, the core code contains CSRF tokens in some places (like the form block), but I'm not sure if it's everywhere. And a majority of addons probably don't use them. But if you're restricting ALL access to this site to registered members, then this is not an issue at all.

Make sure your login page is using SSL (an "https://" connection, not "http://") -- in fact you should probably just make the entire site use "https://" for good measure.

And of course, any security measures can be overcome by the users themselves -- someone forgets to protect a file because the process is too complex, or someone gives out their password to someone else, etc. -- these are all important things to be considered if security is truly a concern.

Best of luck.

-Jordan
12345j replied:
Well, yeah, but there are very few sites that a good hacker can't access. If you want though, your hosting service may have something that helps though. I use HostGator, and they have a password protect directories button - I think that would do the trick.
jordanlev replied:
As for your concern of JS overwriting PHP files -- I don't think this is possible under any circumstances -- JavaScript is run on the client, while the PHP files are on the server. Unless I'm misunderstanding something, it is a physical impossibility for JavaScript to have any effect whatsoever on the server.
Ricalsin replied:
Thanks you guys.

Jordan, thanks for that informative post and for pointing out the file path issue, I'll check that out and let you know. I am concerned about a non-random method for assigning the uploaded files and whether that could be easily breached with simple guesswork.

12345j, I thought the hostgator was meant to stop access to a particular folder while in the cpanel - not really an added form of security from frontside attacks - but I'll ask. Thanks.

Has anyone ever heard/used something that identifies the user's computer name and matches that to the username/password? (Or is that just hard-coded?) This might help to identify shared passwords and put a stop to it. Finally, does anyone have something to lock someone out for reasons other than failing to properly log in (which C5 provides)? Meaning, if someone tries running a generator against the site is there a way to recognize and prevent further attempts and/or access?
12345j replied:
Sorry, miscommunication. I meant the HostGator pass protect to protect the files folder, so that you could protect who could access the files. What do you mean by a generator against the site - a DoS attack, an attempt to crack a password, or something else?
Ricalsin replied:
I am not an expert in security. But I can assume that any kind of malicious attack - whether to steal identities or proprietary files that have been uploaded for sharing among colleagues - would most likely entail some sort of repeated effort. My question is to try and discover what some of those techniques might be and what realistic precautions I might be able to take.

Granted, a full disclosure of vulnerabilities is probably not a good idea to post, but maybe a good read on the latest general security concerns would be a good place for me to go. Does anyone know of a good one?
12345j replied:
http://cwe.mitre.org/top25/
jordanlev replied:
Here's a couple:

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project...

http://www.owasp.org/index.php/Secure_Coding_Principles...

Note that in general you cannot make a website 100% secure (see http://stackoverflow.com/questions/1781307/website-hacking-why-it-i... ) -- which it sounds like you're aware of. As for detecting intrusions, take a look at ModSecurity:
http://www.modsecurity.org/

Securing a website is a *huge* topic, so make sure your client quote reflects that :)
hanicker replied:
What you can do is add .htaccess + .htpasswd protection inside the files directory and use PHP to fread the file and stream it to output. Anyway, this only prevents users from sharing direct links.
This solution is useful for adding some bytes that relate the file to the user who actually downloaded it. So, if the document becomes public, you can track the user who was at fault.
Quoting jordanlev, c5 follows some of the best security patterns, using ADODB and common frameworks. XSS bugs, instead, are sometimes present in addons. But the c5 group works constantly against this problem. Anyway, with the actual token structure (CSRF - XSS related), c5 has some sort of protection against XSS worms, though not against session stealing. Session hacking is quite common also on big governmental sites. If you set up Security Wall properly, this is where it can help you. Also, some software like Acunetix or similar can help you see if an addon you are using has some of these bugs. They also check for RFI and LFI, useful for what you want to do.

Making some rules, like changing passwords every month, etc., can be useful.

One of the most important things to implement (I'm working on it in Security Wall, for the next version) is protection against well-known bot IPs with services like Project Honey Pot, to protect sites against disclosures (especially 0-day).

As for every CMS, fast updates are more than needed for security.

ModSecurity is a great platform. It also uses PHPIDS to detect hacking attempts.

A great part of attacks are directed at the server. So, if you have sensitive data, you need dedicated hosting that checks regularly for updates and has the best common conf.

PS:
If it's acceptable in usability, you can password-zip the files and then provide the password directly, upon registration or in the site.
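
The approach hanicker describes above (block direct requests to the files directory, serve through PHP after a permission check, and tag each copy with the user who downloaded it), as an added example that is not part of the thread or of concrete5's code. The `$acl` map, `TAG_KEY` and all function names are hypothetical; a real site would call the CMS's own permission check, and appending bytes is an assumption that only suits file formats tolerating trailing data.

```php
<?php
// Added example. Assumes the storage directory refuses direct requests, e.g. an
// .htaccess in it containing "Require all denied" (Apache 2.4 syntax).
const TAG_KEY = 'placeholder-long-random-server-side-secret';
// Returns [HTTP status, real path or null]. $acl (file name => allowed users)
// is a hypothetical stand-in for the CMS's own file permissions.
function authorize_download(string $dir, string $name, ?string $user, array $acl): array
{
    if ($user === null) {
        return [401, null];                 // not logged in
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves "../" and symlinks; the result must stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return [404, null];
    }
    if (!in_array($user, $acl[basename($path)] ?? [], true)) {
        return [403, null];                 // logged in but not permitted
    }
    return [200, $path];
}

// Marker tying one served copy to one user; recompute per user to match a leak.
function download_tag(string $path, string $user): string
{
    return hash_hmac('sha256', basename($path) . '|' . $user, TAG_KEY);
}
// Send the file (readfile() streams it), then append the marker as trailing bytes.
function stream_download(string $path, string $user): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
    readfile($path);
    echo "\n" . download_tag($path, $user);
}

if (PHP_SAPI === 'cli') {                   // constructed demo data, not from the thread
    $dir = sys_get_temp_dir() . '/dl_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/contract.pdf", 'constructed sample');
    $acl = ['contract.pdf' => ['rick']];
    foreach ([[null, 'contract.pdf'], ['guest', 'contract.pdf'],
              ['rick', '../x'], ['rick', 'contract.pdf']] as [$u, $f]) {
        echo var_export($u, true), " $f => ", authorize_download($dir, $f, $u, $acl)[0], "\n";
    }
}
```

Because the permission check runs on every request, a download URL copied while logged in stops working after logout, which is the case jordanlev's manual test probes.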