Overview
The following information should help people understand Sitellite security. Security in Sitellite, as with most applications, requires understanding how several different elements work, both independently and together. Administrators, developers, editors and users typically have different security concerns, but neglecting any one of them will probably just lead to a painful post-mortem over a hacked server. That being said, most of the information below focuses on Sitellite itself, its customization and its usage.
If you know enough about web development to ask "yes, but do I still need to do blah?", the answer is yes: take the same precautions you would with any web development project. Sitellite helps you write secure code, but it won't prevent you from writing insecure code.
Of course, for professional support with the latest updates and bug fixes, consider purchasing the Sitellite Professional Edition from Simian.
Sources of Concern
Without opening Pandora's box, the following is a basic list of security concerns for a typical server.
- Hardware: physical security
- Operating System: firewall, user management, patch management, etc.
- Web server: Apache or other web server software
- Scripting languages: PHP configuration in Sitellite's instance
- Sitellite CMS: Role vs. Team vs. Status and other elements users should understand
- Sitellite Development: if ($auth = true) whoopsies (an assignment where a comparison was meant) often found in the code, and what Sitellite can do to help you
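The if ($auth = true) whoopsie from the list above, as an added example that is not Sitellite code: a buggy access check that always grants access, a loosely compared one that PHP's type juggling can fool, and a hardened version. The $user arrays and the is_admin field are constructed for illustration and stand in for whatever your session or database returns; the code assumes PHP 7 or later for the ?? operator and return types.

```php
<?php
// Added example, not Sitellite code. The $user arrays below are constructed.

function is_admin_buggy(array $user): bool
{
    $auth = $user['is_admin'] ?? false;
    // BUG: a single '=' assigns true to $auth, so the branch is always taken.
    // PHP will not warn about this; every caller becomes an admin.
    if ($auth = true) {
        return true;
    }
    return false;
}

function is_admin_loose(array $user): bool
{
    $auth = $user['is_admin'] ?? false;
    // '==' is a comparison, but a loose one: the string 'false' == true holds
    // in PHP because any non-empty string other than "0" is truthy.
    if ($auth == true) {
        return true;
    }
    return false;
}

function is_admin_fixed(array $user): bool
{
    if (!array_key_exists('is_admin', $user)) {
        return false;                       // default deny when the flag is missing
    }
    // Normalise whatever the storage layer handed back ('1', 'true', true, ...)
    // to a real boolean, then compare by identity. Unrecognised values deny.
    $flag = filter_var($user['is_admin'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    return $flag === true;
}

$cases = [
    'admin (bool true)'      => ['is_admin' => true],
    'guest (bool false)'     => ['is_admin' => false],
    "guest ('false' string)" => ['is_admin' => 'false'],  // e.g. a raw form or DB value
    'no flag at all'         => [],
];

printf("%-24s %-6s %-6s %-6s\n", 'user', 'buggy', 'loose', 'fixed');
foreach ($cases as $label => $user) {
    printf("%-24s %-6s %-6s %-6s\n", $label,
        is_admin_buggy($user) ? 'ADMIN' : 'deny',
        is_admin_loose($user) ? 'ADMIN' : 'deny',
        is_admin_fixed($user) ? 'ADMIN' : 'deny');
}
```

Run it with php on the command line: the buggy column says ADMIN for every row, the loose column lets the 'false' string through, and only the fixed column denies everything except the genuine boolean true. Writing comparisons as `true === $auth` (constant on the left) is another common guard, since a mistyped `true = $auth` is a parse error rather than a silent grant.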
Sitellite Development
The following is a partial list of tips and tools developers can use in Sitellite.
- Filters: Simple content filtering in templates
- Headers: Code snippets at the tops of pages to help hide contents, either as real security or as security through obscurity. The following is an example of code at the top of a task:
<?php
// BEGIN CLI KEEPOUT CHECKING
// Add these lines to the very top of any file (for example a cron task) that
// should only ever run from the command line and never be fetched through the
// web server. Answering 404 rather than 403 avoids confirming that the file
// exists; the real protection is still keeping such files outside the
// document root where possible.
if (php_sapi_name () !== 'cli') {
	header ('HTTP/1.1 404 Not Found');
	// $PHP_SELF only exists with register_globals on; use $_SERVER and escape
	// it, since the request path is attacker-controlled and would otherwise be
	// reflected unescaped into the page.
	$self = htmlspecialchars ($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
	$signature = isset ($_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : '';
	echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
		. "<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
		. "The requested URL " . $self . " was not found on this server.<p>\n<hr>\n"
		. $signature . "</body></html>";
	exit;
}
// END CLI KEEPOUT CHECKING
?>
- Flexible Form Rules: Maintain data integrity and prevent spam with a few lines
- Access.php: Defines how your app can be accessed. More information at: http://www.sitellite.org/index/news-app/story.43/pagenum.3
- Database Privileges: Limit what your database users can do. The main Sitellite database user does not require full privileges, especially after setup is complete.
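A small rule-driven form validator of the kind the Flexible Form Rules item above describes, as an added example: it is not Sitellite's implementation or syntax, and the rule names, field names and the two sample submissions are constructed for illustration. It enforces required fields, length and format limits (data integrity) and two cheap anti-spam rules, a honeypot field and a link cap. It assumes PHP 7 or later.

```php
<?php
// Added example, not Sitellite's Flexible Form Rules. Rule names, fields and
// the sample submissions below are constructed.

function validate_form(array $rules, array $input): array
{
    $errors = [];
    foreach ($rules as $field => $fieldRules) {
        $value = isset($input[$field]) ? trim((string) $input[$field]) : '';
        foreach ($fieldRules as $rule => $param) {
            switch ($rule) {
                case 'required':
                    if ($param && $value === '') {
                        $errors[$field][] = 'is required';
                    }
                    break;
                case 'maxlength':
                    if (strlen($value) > $param) {
                        $errors[$field][] = "must be at most $param characters";
                    }
                    break;
                case 'email':
                    if ($param && $value !== '' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                        $errors[$field][] = 'must be a valid e-mail address';
                    }
                    break;
                case 'regex':
                    if ($value !== '' && preg_match($param, $value) !== 1) {
                        $errors[$field][] = 'has an invalid format';
                    }
                    break;
                case 'honeypot':
                    // A field hidden from humans (via CSS); bots tend to fill it in.
                    if ($param && $value !== '') {
                        $errors[$field][] = 'spam detected';
                    }
                    break;
                case 'maxlinks':
                    if (preg_match_all('#https?://#i', $value) > $param) {
                        $errors[$field][] = "contains more than $param links";
                    }
                    break;
            }
        }
    }
    return $errors;
}

$rules = [
    'name'    => ['required' => true, 'maxlength' => 60, 'regex' => '/^[\p{L} \'\-]+$/u'],
    'email'   => ['required' => true, 'email' => true, 'maxlength' => 254],
    'message' => ['required' => true, 'maxlength' => 2000, 'maxlinks' => 2],
    'website' => ['honeypot' => true],   // hidden in the template; must stay empty
];

// Constructed submissions: one genuine, one typical of a spam bot.
$legit = ['name' => 'Ada Lovelace', 'email' => 'ada@example.com',
          'message' => 'Hello, quick question about pricing.'];
$spam  = ['name' => 'x', 'email' => 'not-an-address',
          'message' => str_repeat('http://spam.example/ ', 5),
          'website' => 'http://spam.example/'];

foreach (['legit' => $legit, 'spam' => $spam] as $label => $submission) {
    $errors = validate_form($rules, $submission);
    echo "$label: " . (empty($errors) ? "accepted\n" : "rejected\n");
    foreach ($errors as $field => $msgs) {
        foreach ($msgs as $msg) {
            echo "  - $field $msg\n";
        }
    }
}
```

The legitimate submission is accepted; the spam one is rejected on three counts (bad e-mail, too many links, honeypot filled). Validation of this kind protects data integrity, not output: anything that passes still needs escaping (htmlspecialchars or the template filters) before it is displayed.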
External Links
PHP Security Consortium (and its library)
http://phpsec.org
David Sklar's site (OWASP Top Ten for PHP)
http://www.sklar.com/page/article/owasp-top-ten
Revised on April 7, 2006 2:20 AM by JSmithLA