[thelist] A simple cms

Hugh Miller hmiller at cfpress.co.uk
Thu Dec 4 17:10:39 CST 2008


Dunno, what does the CMS actually do? One issue might be that it sounds as
though the web based user is executing scripts with full owner permissions. I
personally don't allow write access on files within 'public_html' to anyone
other than the owner. If your files are able to be written to by a user with a
cookie, then they are available to be written to by anyone who works out the
querystring you use. If you have no database I am guessing that the system is
allowing content to be read / written to php or inc scripts?

And there are automated processes which look for random querystrings and may be
able to circumvent what security you may have.

A big lesson for me was several years ago when I was very wet behind the ears
and a script I used which pretty much pulled an include file (?section=news got
news.php) was hacked by someone calling an external file. No harm done other
than my server was used to send thousands and thousands of spam emails!

My own advice would be to use a database securely all of the time even if the
site is a 10 pager. If that's not possible, then I would tend towards having a
totally separate CMS with as secure as the server will allow username / password
access.

The single biggest security lesson I've learned in 10 years of web development
is this:

Treat every visitor to your site as a potential hacker.

H



> I have built a simple cms into a website and to access the controls I 
> have provided a link to a url (with query string) which downloads a 
> cookie to the user's machine. Then when the user accesses the website a 
> link to the cms is provided but only the machine with the cookie can see it.
> 
> There is no sensitive data there, no sql database and the cookie expires 
> after about a month.
> 
> As far as I can see the cookie is no different to a user saving their 
> user name and password on their computer. If I am to use it where more 
> than 1 person will have access I will add another stage where they have 
> to add their usr & pw.
> 
> It's written in PHP.
> 
> What would be the security issues around this approach?
> -- 
> 
> Kind Regards
> 
> 
>   Chris Price
>   Choctaw
> 
> chris.price at choctaw.co.uk <mailto:chris.price at choctaw.co.uk>
> www.choctaw.co.uk <http://www.choctaw.co.uk>
> 
> Tel. 01524 825 245
> Mob. 0777 451 4488
> 
> Beauty is in the Eye of the Beholder while
> Excellence is in the Hand of the Professional
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>  >> Sent on behalf of Choctaw Media Ltd <<
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Choctaw Media Limited is a company registered in
> England and Wales with company number 04627649
> 
> Registered Office: Lonsdale Partners, Priory Close,
> St Mary's Gate, Lancaster LA1 1XB . United Kingdom
> 
> -- 
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester 
> and archives of thelist go to: http://lists.evolt.org 
> Workers of the Web, evolt ! 
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> 


-- 
Hugh Miller
Web Developer
Clyde & Forth Press Ltd

Tel:   +44 (0)1475 726511
Fax:   +44 (0)1475 783734
Email: hmiller at cfpress.co.uk

This e-mail and any attachments are confidential and intended solely for the
addressee. If you have received it in error, please inform the sender and delete
it immediately. The views or opinions contained within this email may not be
those of Clyde & Forth Press Ltd, which accepts no liability for any damage
caused by the transmission of any viruses. E-mail traffic is monitored within
Clyde & Forth Press Ltd and messages may be viewed.

Clyde & Forth Press Ltd is a company registered in Scotland (SC132609) with its
registered office at Pitreavie Business Park, Dunfermline, Fife, KY11 8QS.
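Added example, not code from either poster: the two patterns discussed in this thread side by side, each in its risky form and a hardened form. The first is the "?section=news pulls in news.php" include that Hugh describes being hijacked; the second is the "cookie handed out by a secret URL" scheme Chris asks about. Filenames under pages/, the private/sessions.json token store and the controller sketch at the end are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Two patterns, risky and hardened.
declare(strict_types=1);

// --- 1. Page inclusion driven by a query string -------------------------
// Risky: ?section=news includes "news.php", but the parameter is untrusted,
// so any path (or, with allow_url_include on, any URL) can be pulled in.
function includeSectionRisky(string $section): void
{
    include $section . '.php';
}

// Hardened: map the parameter onto a fixed allowlist and refuse anything
// else; the attacker-controlled string never becomes part of a path.
const SECTIONS = [                      // assumed page files under pages/
    'news'    => 'news.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolveSection(?string $section): ?string
{
    if ($section === null || !isset(SECTIONS[$section])) {
        return null;                    // unknown section: caller sends 404
    }
    return __DIR__ . '/pages/' . SECTIONS[$section];
}

// --- 2. "Only the machine with the cookie can see the CMS link" ---------
// Risky: a fixed cookie value issued by a secret URL. Anyone who learns the
// URL (server logs, referers, browser history, guessing) gets the same
// cookie, and the value can simply be copied to another machine.
function issueCookieRisky(): void
{
    setcookie('cms', 'yes', time() + 30 * 24 * 3600);
}

function isAdminRisky(): bool
{
    return ($_COOKIE['cms'] ?? '') === 'yes';
}

// Hardened: after a real username/password check, issue a random token,
// keep only its hash server side (outside public_html), give it an expiry,
// and set HttpOnly/Secure/SameSite so scripts and plain-HTTP requests
// cannot read or replay it.
const TOKEN_STORE = __DIR__ . '/private/sessions.json';   // assumed path
const TOKEN_TTL   = 30 * 24 * 3600;                        // about a month

function loadTokens(): array
{
    $raw = @file_get_contents(TOKEN_STORE);
    return $raw === false ? [] : (json_decode($raw, true) ?: []);
}

function saveTokens(array $tokens): void
{
    file_put_contents(TOKEN_STORE, json_encode($tokens), LOCK_EX);
}

function issueCookieHardened(string $user): void   // call only after login
{
    $token  = bin2hex(random_bytes(32));           // 256 bits of entropy
    $tokens = loadTokens();
    $tokens[hash('sha256', $token)] = ['user' => $user, 'exp' => time() + TOKEN_TTL];
    saveTokens($tokens);
    setcookie('cms_session', $token, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Strict',
    ]);
}

function currentAdmin(): ?string
{
    $token = $_COOKIE['cms_session'] ?? '';
    if ($token === '') {
        return null;
    }
    $entry = loadTokens()[hash('sha256', $token)] ?? null;
    if ($entry === null || $entry['exp'] < time()) {
        return null;                    // unknown or expired token
    }
    return $entry['user'];
}

// Hypothetical page controller using the hardened pieces:
//   $file = resolveSection($_GET['section'] ?? null);
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;
//   if (currentAdmin() !== null) { echo '<a href="/cms/">Edit</a>'; }
```

The allowlist is what removes the include problem: the request can choose among known files but cannot name one. For the cookie, the point is that the token is unguessable, bound to an account, expiring, and stored only as a hash, so a leaked URL or a copied cookie file no longer grants permanent access; write permission on the content files still belongs to the owner, as Hugh recommends, with the CMS writing through a single guarded script.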

