Posted by Edward Vermillion on 07/08/05 09:39
I'm currently trying to develop a simple CMS system for folks to use on their web sites.

Thanks to all the great people on this list I've learned a lot about securing PHP, especially along the lines of never trust anything you get from the user.

So far I've been able to verify, allow, deny data that comes from the user, but I've run into a problem. I want the templates used on the site to be editable through the web interface. I know a lot of the forum/CMS software out there allows this, but it's an area where I have to implicitly "trust" the data coming in to be "good". While I can run mysql_real_escape_string() on the incoming data to help guard against SQL injection attacks, I can't do any strip_tags() or htmlentities() to guard against HTML injection. I've set the permissions up so that only one "super administrator" account will have access to this area. And overall the users who have access to the CMS are going to be only from the organization who owns the site, i.e. it's not "open to the public" in any way.

My concern though is that "bad guys" from outside the organization will be able to "attack" the CMS application portion at this point to deface or otherwise inject malicious HTML into the web site. I've got a "session" management part that controls access through a md5(random #) "session id"/cookie that is changed on each page load, and the forms all have another hidden md5(random #) value that is checked on form submission, and I'm requiring an SSL connection for all transactions. I'm also checking the IP and user agent; although I know the pros/cons of that too, I'm figuring it's one more thing an attacker will have to guess/get.

My question is, does an SSL connection provide enough protection against a man-in-the-middle attack that could possibly get the cookie/IP/user agent from a valid user? I'm figuring the web site owner will have to be responsible for keeping the one and only username/password that can access this part of the site out of the hands of untrusted employees, but I'm still wondering about an outside attack.

Is there anything else that can be checked to verify the identity of a request/post?

Is it really stupid to allow the templates to be edited through the web interface?

TIA to all who read and reply. (TM)"I love you guys"(TM)
Edward Vermillion
evermillion@doggydoo.net
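The post describes a session id plus a hidden per-form token, both built from md5(random #), with the template editor gated on a single super-administrator account. The following is an added example, written for this page and not Edward's code, of how that same scheme is usually hardened in PHP: cookie flags so the session cookie only travels over TLS and is unreadable to injected script, session id rotation at login, a CSPRNG-backed single-use CSRF token compared in constant time, and a template write that is gated on role and token and takes the file name from an allow-list rather than the request. Function names, the `templates/` directory, the `superadmin` role string and the allow-list are assumptions.

```php
<?php
// Added example, not from the original post. Names and paths below are assumed.
declare(strict_types=1);

// Cookie flags: Secure (TLS only), HttpOnly (no script access), SameSite=Strict
// (cookie not sent on cross-site requests). use_strict_mode rejects session ids
// the server never issued, which also defeats session fixation.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
    // Tell browsers never to fall back to plain HTTP for this host.
    header('Strict-Transport-Security: max-age=31536000');
}

// Rotate the id once the user is authenticated so a pre-login id can never be
// promoted to an authenticated one. The old session data is discarded.
function on_login_success(int $userId, string $role): void
{
    session_regenerate_id(true);
    $_SESSION['uid']  = $userId;
    $_SESSION['role'] = $role;
}

// Per-form token: 32 bytes from the OS CSPRNG. md5() adds no entropy; the
// unpredictability comes entirely from the random source.
function issue_csrf_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'] = $token;
    return $token;
}

// Constant-time comparison, stored value first; the token is single-use.
function verify_csrf_token(?string $submitted): bool
{
    if ($submitted === null || !isset($_SESSION['csrf'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['csrf'], $submitted);
    unset($_SESSION['csrf']);
    return $ok;
}

// Template bodies must stay raw HTML, so they are not escaped. The write is
// instead gated on authentication, role and CSRF token, and the target file is
// chosen from an allow-list so the request cannot name an arbitrary path.
const TEMPLATE_DIR       = __DIR__ . '/templates';          // assumed location
const ALLOWED_TEMPLATES  = ['header', 'footer', 'page'];     // assumed names

function save_template(string $name, string $body): bool
{
    if (!isset($_SESSION['uid']) || ($_SESSION['role'] ?? '') !== 'superadmin') {
        return false;
    }
    if (!verify_csrf_token($_POST['csrf'] ?? null)) {
        return false;
    }
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return false;
    }
    $path = TEMPLATE_DIR . '/' . $name . '.tpl';
    return file_put_contents($path, $body, LOCK_EX) !== false;
}

// Typical flow (assumed request handling):
// start_hardened_session();
// on the editor form:  <input type="hidden" name="csrf"
//                       value="<?= htmlspecialchars(issue_csrf_token()) ?>">
// on submit:           save_template($_POST['name'] ?? '', $_POST['body'] ?? '');
```

The Secure flag plus the HSTS header is what keeps the cookie off a plaintext connection, which is the part of the man-in-the-middle question that TLS actually answers; IP and user-agent checks add friction but are not authentication, since both are attacker-controlled headers or shared behind NAT. A write to a template file is also a good place to append an audit log line (who, when, which template) so a defacement through a stolen account can be traced and reverted.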