New to concrete5 and concerned about security issues
Hey guys.
I am new to concrete5. I tried to install concrete5 and got a MySQL error due to unescaped form values passed to a MySQL query (http://www.concrete5.org/index.php?cID=111166).
Since this is only an installer problem it is not a real security issue. But I still am afraid there are security issues due to similar problems.
After that I got an error installing again, which obviously came because the first try didn't succeed.
Does not make the best first impression :-/
Thanks for your answer. I know that there are a lot of potential security holes. But another basic of building secure web applications is to escape user input before inserting it into a database. This is a standard procedure which usually is implemented in the model of a system. I mean, any access to the database should be handled by an abstraction layer that is concerned with this stuff. So I was wondering if this is a potential lag elsewhere in the system.
I said I am new to concrete5 and I really appreciate the work of you guys. I decided to have a closer look, because there seem to be a lot of things you are doing much better than other CMS. It was just the first thing that came up when I started to use concrete5...
While having un-escaped form data in the installer is not the greatest thing, you're highly unlikely to get hacked that way - since that DB has to be empty for the installer page to even display.
Because of the usage of Zend and ADODB, I'd say the database layer of C5 is rock-solid with regard to SQL injection security. I don't quite agree with Brainakazariua that the basics of security are a protected server (you can have a solid server but if your scripts have vulnerabilities, the server itself isn't going to save you), but I run C5 on a site that gets over 10,000 visits a day and have never had any security issues. c5.org probably gets more than that and as far as I know, their site's never been hacked.
Thanks, jgarcia. I agree, the installer is not the problem. Sounds good using Zend!
It's just a little strange why not using the database layer while installing!?! I think this is where my doubts came from.
Yeah, it's because when installing the site, it pulls all the SQL statements from a .sql file. Then it just does a str_replace in order to put the site name into the SQL statements. This is the code from /concrete/controllers/install.php
$sql = file_get_contents($contentfile);
$sql = str_replace('{[CCM:SITE]}', $_POST['SITE'], $sql);
Then it just does a $db->execute() on each line from the SQL statement. As far as I know, this is the only place that doesn't use the abstraction layer...and probably because it's a little easier on the server and they didn't expect that people would try any sort of SQL injection during the install process :)
That makes sense. I will give it a try. Think you should replace
$sql = str_replace('{[CCM:SITE]}', $_POST['SITE'], $sql);
with something like
$sql = str_replace('{[CCM:SITE]}', mysql_real_escape_string($_POST['SITE']), $sql);
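The difference between the installer's raw substitution and the escaped version proposed above, as an added example that is not part of the thread or concrete5's code. It assumes the placeholder sits inside a single-quoted SQL literal, uses a constructed table, template line and site name, runs on in-memory SQLite through PDO in place of MySQL, and adds a bound-parameter variant as a generalization.

```php
<?php
// Added example, not concrete5 code. The table, template line and site name
// are constructed; SQLite in memory (pdo_sqlite) stands in for MySQL.
const TEMPLATE = "INSERT INTO Config (cfKey, cfValue) VALUES ('SITE', '{[CCM:SITE]}')";

function freshDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Config (cfKey TEXT, cfValue TEXT)');
    return $db;
}

function storedSite(PDO $db): string
{
    return (string) $db->query("SELECT cfValue FROM Config WHERE cfKey = 'SITE'")->fetchColumn();
}

// Pattern quoted in the thread: the form value is pasted into the SQL text.
function installRaw(PDO $db, string $site): string
{
    try {
        $db->exec(str_replace('{[CCM:SITE]}', $site, TEMPLATE));
        return storedSite($db);
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// Escape-then-substitute: quote() adds its own surrounding quotes, so the
// quoted placeholder is replaced as a whole.
function installQuoted(PDO $db, string $site): string
{
    $db->exec(str_replace("'{[CCM:SITE]}'", $db->quote($site), TEMPLATE));
    return storedSite($db);
}

// Bound parameter: the value never becomes part of the SQL text.
function installBound(PDO $db, string $site): string
{
    $stmt = $db->prepare(str_replace("'{[CCM:SITE]}'", ':site', TEMPLATE));
    $stmt->execute([':site' => $site]);
    return storedSite($db);
}

$site = "Anna's Bakery"; // constructed input: an ordinary name with an apostrophe
echo installRaw(freshDb(), $site), "\n";
echo installQuoted(freshDb(), $site), "\n";
echo installBound(freshDb(), $site), "\n";
```

mysql_real_escape_string() was removed in PHP 7.0, so on current PHP the equivalent of the proposed fix is the driver's own quoting call or a bound parameter.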
You can use this add-on for a little extra: http://www.concrete5.org/marketplace/addons/security-wall/...
The error is caused by something manually added during the install; if you skip the sample data, for example, you get no errors at all. I never used the sample data since I won't use it, which means that on the 100+ sites I installed I didn't see a single error.
As long as your server is up to date with security you have little to worry about