[SATLUG] My new site...would like some feedback

Justizin justizin at siggraph.org
Mon Oct 9 14:54:02 CDT 2006


On 10/9/06, Hector Bojorquez <hector.bojorquez at gmail.com> wrote:
> Joomla/Mambo .... Good useful CMS software.
> But....Crackers can own your box if you're not careful--- even if you take
> all the "usual" precautions.

Own your box or your website?  I suppose any system which allows users
to log in and edit content and manage other aspects of the site can be
owned by someone, somehow.

I feel pretty confident in saying that no one would ever own your box
because you run a Zope based CMS.  If this is really a problem, it's
another good reason for anyone using something like Joomla or Mambo to
look at using something like Plone on Zope:

  http://plone.org/

> Keep an eye out for all updates.....secunia.org does a decent job of sending
> alerts.  Of course Joomla/Mambo does too... but sometimes you have to keep a
> close eye on forums in order to see potential problems coming.

I won't say we've never had problems, but the last problem we had was
basically that Russian spammers learned how to script login to our
sites, create accounts, and create link spam using member content
areas.  A lot of plone sites do not allow member content, at least
from newly created anonymous users, but for some sites, including
plone.org, this was a problem.

Nothing like owning, though.  The biggest problem is that it made our
sites run really slow to be processing thousands of scripted account
creations and bogus publishing per day.

The same could happen to, say, deviantart.com.  The biggest thing we fixed
was to check for valid image content in the user image field using the
Python Imaging Library[0], as they were trying some sort of XSS attack
by putting javascript in the image field.  Maybe this allowed it to
load as trusted code in some browsers? Not sure.

Anyway, no one has ever used Plone to root antiloop.plone.org.

> Configure your php.ini NOT to accept the passthru directive...you CAN have
> php.ini in your directories if this is a shared server-- But
> httpd must be restarted for changes to take place.  (there are many php
> directives that should be banned from use but banning mkdir, chown and
> chmod make it difficult to install modules and components... the best thing
> to do, if you have ssh access, is to shutdown httpd, allow ALL the
> directives (default),  restart httpd, install what you need, stop  httpd,
> disallow almost everything that is potentially dangerous, and restart
> httpd.ini)

Passthrough directive?  Excuse me if I've distanced myself from the
annals of php.ini in recent years. ;)

> Keep an eye on your logs
> If you install SEF components or Facile form components...be VERY careful
> that you are installing the latest version and that you are aware of any
> security problems.... BOTH of those components left boxes WIDE open a few
> months ago.... all is well now though
>

What sort of vulnerabilities are these?  I guess it's hard to
apologize for asking you to support my anti-marketing efforts for a
product you use, but I wonder.

I just tell people to use Plone because PHP sucks. ;)

[0] I'm hoping we replace this with ImageMagick in the next year or
so, or at least provide the option of using it.  PIL doesn't support a
lot of valid image types which browsers support.

-- 
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
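The "check for valid image content in the user image field" fix mentioned above, as an added example that is not code from the post, from Plone, or from antiloop.plone.org. The author used the Python Imaging Library; this version uses only the standard library so it runs anywhere, and it handles PNG only (an assumption; other formats would need their own walker). It walks the chunk list, verifies every CRC, only admits a small allowlist of chunk types, and rejects anything after IEND, so the two ways a script payload usually rides along with a real image (appended after the terminator, or stuffed into a text chunk) are both caught, not just a bare `<script>` blob. The sample blobs, including the tiny red PNG, are constructed inline.

```python
"""Reject user 'images' that are not structurally valid PNGs.

Added example (not Plone's code). Standard library only: struct + zlib.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk allowlist is an assumption for a plain avatar upload: no tEXt/iTXt/zTXt,
# because those carry arbitrary bytes that a structurally valid PNG can still hide.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB", b"pHYs"}


def check_png(data: bytes) -> str:
    """Return 'ok' or a short reason the blob must not be stored as a PNG."""
    if not data.startswith(PNG_SIG):
        return "not a PNG"
    pos = len(PNG_SIG)
    first = True
    while True:
        if pos + 8 > len(data):
            return "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                      # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            return "truncated chunk"
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return "bad CRC in %s" % ctype.decode("latin-1")
        if first and ctype != b"IHDR":
            return "first chunk is not IHDR"
        first = False
        if ctype not in ALLOWED_CHUNKS:
            return "disallowed chunk %s" % ctype.decode("latin-1")
        pos = end
        if ctype == b"IEND":
            break
    # Decoders stop reading at IEND, so anything after it is a free ride for a payload.
    if pos != len(data):
        return "trailing bytes after IEND"
    return "ok"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC (used only to build sample input)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Build a minimal valid 8-bit RGB PNG of solid red (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline: filter byte 0, then width red pixels.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


# Constructed sample uploads: one real image and four ways a script ends up in the field.
JS = b"<script>alert(document.cookie)</script>"
SAMPLES = {
    "valid png": make_png(),
    "raw javascript": JS,
    "svg with script": b"<svg xmlns='http://www.w3.org/2000/svg'>" + JS + b"</svg>",
    "png + appended js": make_png() + JS,
    "png with js in tEXt chunk": make_png()[:-12] + _chunk(b"tEXt", b"Comment\x00" + JS) + _chunk(b"IEND", b""),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-28s -> %s" % (name, check_png(blob)))
```

Whatever validator is used, the stored file should still be served with an image `Content-Type` and `X-Content-Type-Options: nosniff`, since the check proves the bytes are a PNG, not that a browser will refuse to sniff them as something else; re-encoding the image to a fresh buffer is the other common way to drop anything a decoder would have ignored.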

