[thelist] A simple cms

Chris Price chris.price at choctaw.co.uk
Fri Dec 5 02:40:16 CST 2008


Thanks for the advice Hugh.

Hugh Miller wrote:
> Dunno, what does the CMS actually do? One issue might be that it sounds as
> though the web based user is executing scripts with full owner permissions. I
> personally don't allow write access on files within 'public_html' to anyone
> other than the owner. If your files are able to be written to by a user with a
> cookie, then they are available to be written to by anyone who works out the
> querystring you use. If you have no database I am guessing that the system is
> allowing content to be read / written to php or inc scripts?
>
> And there are automated processes which look for random querystrings and may be
> able to circumvent what security you may have.
>
> A big lesson for me was several years ago when I was very wet behind the ears
> and a script I used which pretty much pulled an include file (?section=news got
> news.php) was hacked by someone calling an external file. No harm done other
> than my server was used to send thousands and thousands of spam emails!
>
> My own advice would be to use a database securely all of the time even if the
> site is a 10 pager. If that's not possible, then I would tend towards having a
> totally separate CMS with as secure as the server will allow username / password
> access.
>
> The single biggest security lesson I've learned in 10 years of web development
> is this:
>
> Treat every visitor to your site as a potential hacker.


  Chris Price
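The `?section=news` include pattern Hugh mentions, and his point about the web process not being allowed to write its own scripts, as an added PHP example; this is not code from the thread or from Chris's CMS. The page names (`news.php`, `about.php`, `contact.php`), the `pages/` directory, and the `section` query parameter are assumptions for illustration.

```php
<?php
// Added example: the "?section=news pulls news.php" pattern as it is usually
// written, followed by a hardened version. File names and the pages/ layout
// are assumptions, not the thread's actual site.

// --- Pattern described in the thread: the query string chooses the file ---
// The request value becomes part of an include path. With allow_url_include
// enabled, PHP will fetch and run a remote URL; even without it, "../" lets
// the request reach files outside the intended directory.
function renderSectionUnsafe(string $section): void
{
    include $section . '.php';   // vulnerable: untrusted path fragment
}

// --- Hardened form: a fixed allowlist, request value used only as a key ---
const SECTIONS = [
    'news'    => 'pages/news.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolveSection(?string $requested): string
{
    // Unknown or missing sections fall back to the default page. The request
    // value is never concatenated into a path; it only selects a map entry.
    if ($requested !== null && array_key_exists($requested, SECTIONS)) {
        return SECTIONS[$requested];
    }
    return SECTIONS['news'];
}

function renderSection(?string $requested): void
{
    $file = resolveSection($requested);
    // Second check: the resolved path must really live under pages/.
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/' . $file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

// --- Hugh's other point: the web user should not be able to write scripts ---
// is_writable() tests as the user running PHP, i.e. the web server account.
// Any path returned here is a script that a compromised request could modify.
function scriptsWritableByWebUser(string $dir): array
{
    $writable = [];
    foreach (glob($dir . '/*.php') ?: [] as $path) {
        if (is_writable($path)) {
            $writable[] = $path;
        }
    }
    return $writable;
}

renderSection($_GET['section'] ?? null);
```

`resolveSection()` is the part that matters: the browser-supplied value only ever selects an entry in `SECTIONS`, so there is no string a visitor can send that turns into a path or URL of their choosing. The `realpath()` check is a safety net in case the map is later edited carelessly. `scriptsWritableByWebUser(__DIR__)` returning a non-empty array on a live site is the condition Hugh warns about: a request that gets code execution can then rewrite the site's own scripts.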