
How about some security tests?

MikeBrown
2004-12-31
2013-05-30
  • MikeBrown

    MikeBrown - 2004-12-31

    With all the talk about PHP security and with all the PhpGedView files and permission requirements, wouldn't it be a good thing to have a list of tests we can perform against our sites to test for holes?

    I know people are gasping, "How dare you suggest that someone publish a list of tests!!! Someone could use that to hack PGV sites!"

    Ya. Exactly.  I'd rather hack my own site before I let someone else try.

    I know the authors already have some of these in mind.  The "cookie jar" tells me so.  They know that there is no such thing as security through obscurity.

    For example, the install readme is pretty good about describing permission settings, but what user/group should all these files be set to? root:root?  apache:apache?  Does it matter?  Should things like upgrade.php be executable?

    Just a thought.
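The ownership and permission questions raised in this post, as an added example that is not part of the original thread or of PhpGedView itself: a POSIX shell audit that lists world-writable files, `.php` files carrying an execute bit, and files not owned by the account you expect. The web-root path and the expected owning user are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original thread or the PGV project). Audits a
# web root for the permission questions raised in the post: who owns the
# files, whether any are world-writable, and whether PHP scripts carry
# execute bits. Arguments (assumed): $1 = web root, $2 = expected owner.

# Regular files that anyone on the host can write. A world-writable PHP file
# lets any local account change the code the web server runs.
world_writable_files() {
    find "$1" -type f -perm -o+w
}

# PHP files with any execute bit set. The web server hands these to the PHP
# interpreter as data, so the execute bit is never needed.
executable_php_files() {
    find "$1" -type f -name '*.php' \( -perm -u+x -o -perm -g+x -o -perm -o+x \)
}

# Files and directories not owned by the account you expect. Owning the
# application by a deploy user rather than the web server account means a
# compromised PHP process cannot rewrite the application on disk.
files_not_owned_by() {
    find "$1" ! -user "$2"
}

# Run all three checks; print findings and return 1 if anything was flagged.
audit_webroot() {
    root=$1
    owner=$2
    findings=$(
        world_writable_files "$root" | sed 's/^/world-writable: /'
        executable_php_files "$root" | sed 's/^/executable php: /'
        files_not_owned_by "$root" "$owner" | sed 's/^/unexpected owner: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no findings under $root"
    return 0
}

# Usage (paths and user are assumptions for illustration):
#   audit_webroot /var/www/phpgedview deployuser
```

Which owner is "right" depends on the host: the general defensive pattern is that the web server account can read the application but write only to the few directories the application genuinely needs to write, and the audit above makes deviations from whatever policy you choose visible.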

     
    • Arne Eckmann

      Arne Eckmann - 2004-12-31

      Being an average PGV user, having your PGV placed at a webhost where your access is via FTP and is limited to your own directories, how would you then set/change the user/group of your files?

       
    • MikeBrown

      MikeBrown - 2004-12-31

      Sorry, I didn't explain that very well -- I have root on that machine.  So I can set it to whatever I want.

      It's just that there are a lot of files to keep track of and even quite a few directories.

      Don't get me wrong, I love PGV.  Even if you're not into genealogy, you can look at this and say WOW!  It's great to be blessed with such great people in the open source community.

      I just know that once a hole is found in anything (like phpbb) the hackers and script kiddies explode on the scene and you rarely have time to tweak something before you are hit.

      I would just like someone to tell me, "Hey, it's kind of common to forget to do xxx."  Or, "You always want to change the permissions on yyy because that is a weak spot." Or, "If you can execute zzz that means you don't have something set correctly."  Maybe these kinds of things don't exist.  If they don't, that's fine too.

      For those of us not blessed with a working knowledge of PHP, it's kind of hard to dig through the code sometimes.

       
    • Arne Eckmann

      Arne Eckmann - 2005-01-01

      You said:

      > I would just like someone to tell me, "Hey, it's
      > kind of common to forget to do xxx." Or, "You
      > always want to change the permissions on yyy
      > because that is a weak spot." Or, "If you can
      > execute zzz that means you don't have
      > something set correctly." Maybe these kinds of
      > things don't exist. If they don't, that's fine too.

      But as it is you'll find a lot of that sort of information here and there in the forums, and if some of the more important pieces of information fail to make it into the readme file, it's probably because the members of PGV are too busy working on the ever ongoing development of new versions and on remedying problems with the current versions.

      But, when it comes to a regular list of tests to perform against our sites to test for holes, I guess that such a list is more server related and security related than PGV related, and as such would be handled better in forums for true server experts, and/or in forums for true security experts.

      As to the "cookie jars" they came about because PGV managed to make it into the top ten activity percentile and stay there for a while, and as such it became interesting for security experts to explore PGV for potential weak spots - and once some weak spots were detected and announced, it of course became a top priority for the PGV developer team to remedy those problems.

      You also said:

      > I just know that once a hole is found in anything
      > (like phpbb) the hackers and script kiddies
      > explode on the scene and you rarely have time to
      > tweak something before you are hit.

      And that's a good reason for not arousing their interest in and attention to PGV - as the saying goes: Don't wake up sleeping dogs ;-)

      The general rule at PGV is, to report security related problems directly in a mail to John Finlay, and he'll look into the problem and remedy the situation.

      In regard to security related problems with the servers and the servers' setup, the PGV team can't do anything to remedy such problems, and I guess that most PGV users have little or no influence on the setup of the servers at the different webhosts on the internet.

      But like I said: You can find a lot of tips and small but important pieces of information here and there in the PGV forums. It's only that nobody from the PGV team has sufficient idle time to skim the cream from the milk and compile it into a regular list ... I guess ...

      Best regards,

      Arne

       
         

       
    • John Finlay

      John Finlay - 2005-01-01

      Hi Guys,

      I agree with much of what Arne has said here.  Common security techniques are usually a job for server maintainers, not programmers.

      At PGV we are trying to do our best to make sure that the code is secure.  And as new versions come out, we are constantly adding built-in warnings to help let you know that you have some security settings that should probably be changed.

      Because PGV is so good, I wonder if sometimes people forget that it is open source and that if you want something you may have to do it yourself.  I think that a security FAQ would be a good thing to have.  But it is one more thing in a long list of things to do, and we really need to focus precious development time on the things that make PGV a better genealogy tool.

      As part of version 3.3, I will be starting an administrator's guide to PGV.  This guide will include many of the tips and best practices for server administration regarding PGV.  But as with most things, it will be a work in progress that I hope others will help with.

      --John

       
