I liked the application. I am working on having this application for our community in India. I am not sure about any security testing done on this application. You may find my posts around asking for some features as well. I am now planning to work with some vendor (my friend as well) to have some features added which we needed in India. I am also open to any new ideas. If you have any feature request, please list it in the feature request area, so we can have a look. Once done, we will submit the code to the community. I must thank the developers here for all the hard work and time they put in to take this product to its current level.
I will just be adding some features/utilities, fixing defects, doing some security testing, and seeing if we can do a CSS layout, maybe a layout like myheritage.com. I am not sure whether phpgedview uses any reporting framework. If it does, then it will help us. We are doing translation for Hindi and Marathi as well. I would appreciate it if the dev team could provide a roadmap for the next couple of months, so I don't repeat some work.
Thanks,
regards,
Maheshwar
Anonymous - 2009-10-14
What does "I am not sure about any security testing done on this application." mean?
Do you have any concerns?
I am looking for some data on whether we have carried out any application security testing around this product and verified that there are no known issues like cross-site scripting, SQL injection etc. E.g. I tried the gedcom download check; it shows it's not downloadable, but I could download it from the server. So I went through the documents here and have now moved the file outside the Apache root. Once the gedcom is uploaded and the data is populated in the DB, I want to disconnect the gedcom from its location and hide it from the application if possible. I am not sure if the application still needs the gedcom once the data is populated. It's not like I have security concerns, but before deploying it in production I am looking for info, like whether any process/design is being followed to keep the application secure. That's it.
Anonymous - 2009-10-15
The short answer is that the developers have over the last year or so put a HUGE amount of time and effort into improving security. As a result I am not aware of any reported issues anywhere on the web. I'll leave the dev team to give you more answers about the testing (considerable) that they have done.
For your GEDCOM file, once you have imported it, go to GEDCOM config, and turn "Sync to GEDCOM" OFF. Then you can, if you wish, delete the file from the server. There are a couple of features, like "gedcheck" and "placecheck", that are designed to use the file, so will not be available, but everything else will function normally. You will however need to take greater care over regular backups, as there is no up-to-date GEDCOM to just re-import if you lose your DB somehow.
As you have already found, you can also re-locate the key /index folder outside the web root.
For media items, if you use the "media firewall" option, you can again move those folders out of the web root - as well as adding watermarking as you wish.
Regarding a road-map, there is another discussion on that on this Open Discussion forum somewhere, a few weeks back.
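The "move the folder out of the web root and let the application serve it" pattern described above, as an added PHP example written for this thread (it is not phpGedView's media firewall code); the storage path, the session key and the `file` query parameter are assumptions:

```php
<?php
// Added example, not phpGedView's own code: a minimal "media firewall".
// Files live outside DocumentRoot, so Apache can never serve them directly;
// they are only delivered through this script after a login check and a
// path-containment check.  MEDIA_DIR and $_SESSION['user_id'] are assumptions.
declare(strict_types=1);

const MEDIA_DIR = '/var/pgv_private/media';   // assumption: outside the web root

function resolveMediaPath(string $requested): ?string
{
    // Reject empty names and embedded NUL bytes before touching the disk.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath(MEDIA_DIR);
    $full = realpath(MEDIA_DIR . '/' . $requested);
    if ($base === false || $full === false) {
        return null;                 // missing file or unresolvable base
    }
    // Containment check: the resolved path must stay inside MEDIA_DIR.
    // realpath() has already collapsed "../" and followed symlinks, so a
    // link pointing outside the folder fails here too.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

session_start();
if (empty($_SESSION['user_id'])) {           // assumption: set by the login code
    http_response_code(403);
    exit('Login required');
}

$path = resolveMediaPath($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Fixed content type and attachment disposition: the browser downloads the
// bytes instead of rendering them, so an uploaded HTML or SVG file cannot
// run script in the site's origin.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The same containment check applies to a relocated GEDCOM or /index folder: once the folder is outside the web root, every read of it should go through code that verifies the resolved path first.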
<<if we have carried out any application security testing around this product and verified that there are no known issues like cross site scripting, sql injection etc>>
This year I replaced all our SQL with prepared statements/placeholders, to prevent SQL injection.
Last year I added a framework of input sanitisers to prevent XSS attacks.
Every release contains one (or more!) security fixes.
Just last week, I fixed a potential session-fixation attack.
We take security seriously. If you find an issue, please contact one of the developers directly.
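The two fixes the developer lists, string-built SQL replaced by placeholders and a session-fixation repair, shown side by side in an added PHP example (not phpGedView's own code); the `individuals` table, its columns and the `user_id` session key are constructed for the example:

```php
<?php
// Added example, not phpGedView's own code.  A constructed in-memory SQLite
// database stands in for the real schema so the script runs stand-alone.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE individuals (i_id TEXT PRIMARY KEY, i_name TEXT)');
$pdo->exec("INSERT INTO individuals VALUES ('I1', 'Maheshwar'), ('I2', 'Ada')");

// BEFORE: untrusted input concatenated into the SQL text.  The quote in the
// input closes the string literal and the rest becomes part of the query.
function findVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT i_name FROM individuals WHERE i_id = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// AFTER: the value is bound to a placeholder.  The SQL text is fixed at
// prepare time, so the same input is simply an id that matches no row.
function findSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT i_name FROM individuals WHERE i_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$probe = "' OR '1'='1";                          // classic tautology input
echo count(findVulnerable($pdo, $probe)), "\n";  // 2: every row is returned
echo count(findSafe($pdo, $probe)), "\n";        // 0: treated as a literal id

// Session fixation: an attacker who can plant a session id before the victim
// logs in must not end up owning the authenticated session.  Regenerating the
// id at the privilege change (login) is the standard fix.
function loginUser(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);      // fresh id; the old one is destroyed
    $_SESSION['user_id'] = $userId;   // assumption: key the rest of the app reads
}
```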
Hi Kiwi_pgv,
Thanks for quick reply. You guys ROCK.
regards,
Maheshwar