From: Matthew M. <ma...@tu...> - 2004-09-02 14:38:03

Here are the details for what the security patches fix: http://www.gulftech.org/?node=research&article_id=00048-08312004

Special thanks to Steven. He became the best hacker there is at foiling my security checks and he was quick to fix module issues.

I will also explain what James is referring to in his conclusion. 0.9.4 will have an authentication key for each user. When you log in, the key is created from scratch and placed into your session. As you move through the site, the key may be accessed for authorization. For example, say you are an administrator and you click on an Edit link. The authorization key will be added to that Edit link. When you arrive at your destination, your key and the link key will be compared. If they do not match, you are denied access. This key will also automatically be included in form submissions.

What this prevents are hacks that embed code. For example, the <img> tag code would be rendered useless because the hacker would be unable to know what your key is going to be when you log in.

0.9.4 also has a security logging feature. If a user tries to circumvent phpwebsite's security, it will log their username (if they are logged in), their IP address, what page the attempt came from (if there is a referrer page), and what time the attempt came.

Unrelated news: I will attempt to put a working copy of 0.9.4 on the web soon. It is still in alpha status but it will allow me to get better feedback on its operation.

--
Matthew McNaney
Internet Systems Architect
Electronic Student Services
Appalachian State University
Phone: 828-262-6493
http://phpwebsite.appstate.edu
http://ess.appstate.edu
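The per-session key check and the security log described in the message above, as an added Python sketch that is not phpWebSite's own code; the session dictionary, request dictionary and log entry layout are assumptions chosen for the illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def login(username):
    # A fresh key is created at login and stored in the session.
    return {"username": username, "authkey": secrets.token_hex(16)}


def keyed_link(session, url):
    # Privileged links (Edit, Delete, ...) are rendered with the session key appended.
    sep = "&" if "?" in url else "?"
    return url + sep + urlencode({"authkey": session["authkey"]})


def key_from_request(request):
    # The key may arrive in the query string of a link or as a hidden form field.
    params = parse_qs(urlparse(request["url"]).query)
    return request.get("form", {}).get("authkey") or params.get("authkey", [""])[0]


def authorize(session, request, security_log, now=None):
    """Allow the request only if its key matches the session key; log every failure."""
    submitted = key_from_request(request) or ""
    if hmac.compare_digest(submitted, session["authkey"]):
        return True
    # Security log entry: username (if logged in), IP, referrer (if any) and time.
    security_log.append({
        "username": session.get("username"),
        "ip": request["ip"],
        "referrer": request.get("referrer"),
        "time": now if now is not None else time.time(),
    })
    return False


def demo():
    # Constructed sample traffic: a real click on a keyed Edit link, then a request
    # triggered from another page (e.g. an embedded <img> tag) that cannot know the key.
    log = []
    admin = login("admin")
    edit = "/index.php?module=users&action=edit&id=7"
    good = {"url": keyed_link(admin, edit), "ip": "10.0.0.5", "referrer": "/index.php?module=users"}
    stale = {"url": edit + "&authkey=0000", "ip": "10.0.0.9", "referrer": "http://other.example/page"}
    return authorize(admin, good, log), authorize(admin, stale, log, now=1094136000), log
```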