Content Management System

[NukkaXsplasH]

Hello HTS!

This is my fist thread to kick off my learning experience here on this site.
I am a Computer security major in my senior year working on a senior project.

My group is using HTML 5 to create a website that will access a MySQL DB using PHP.

The backend content management system will be written in PHP.

I am the project leader, with fairly no experience in HTML and PHP.. (Mostly OOP experience/security exp ect.)

Besides a password policy and SQL Injection. What other types of vulnerabilities should I be preparing for?

Side Note: I am willing(and planning) on expanding my knowledge on HTML, PHP, and SQL. So elaboration may not be needed..

Thank you all!

[centip3de]

Hello HTS!

This is my fist thread to kick off my learning experience here on this site.
I am a Computer security major in my senior year working on a senior project.

My group is using HTML 5 to create a website that will access a MySQL DB using PHP.

The backend content management system will be written in PHP.

I am the project leader, with fairly no experience in HTML and PHP.. (Mostly OOP experience/security exp ect.)

Besides a password policy and SQL Injection. What other types of vulnerabilities should I be preparing for?

Side Note: I am willing(and planning) on expanding my knowledge on HTML, PHP, and SQL. So elaboration may not be needed..

Thank you all!

I can only think of a few exploits off the top of my head

PHP:
Null Byte injection
CSRF
Directory traversal
Session poisoning
XSS (Cross site scripting)
Session hijacking
Generally not being stupid with GET variables

SQL:
SQL injection

[NukkaXsplasH]

Thanks for the quick response!

I will definatly be looking more into those PHP exploits that were mentioned.

I want to make sure that all site viewers cannot access the backend content management system. If the user login is compromised most of the website can be manipulated easily.

I will make the user login is in a hidden page not seen on the site map, but this can be easily bypassed when viewing the frontend source code. I want to make sure that the PHP connection and application cannot be infiltrated since the database will store user information and the CMS can change(destroy) the entire website.

Any other tips or information is greatly appreciated. If these thread should be moved to a more appropriate board, please advise.

Thnx,
NukkaXsplasH

[OnlyHuman]

I don't know how large this project you're working on is, so this might be overkill. But, if you're looking for an exhaustive list of problems you may encounter, you should check out the CAPEC Attack Pattern Dictionary.

To save you some time, it can be found ~> here <~

It covers vulnerabilities, the attacks typically used on them, and methods to mitigate those attacks.

[tremor77]

As someone who is fairly adept at destroying CMS security.. here are some things I would consider doing to prevent hackers beyond what was mentioned above.

- Limit login attempts - force password reset after X failures or create timeout period to prevent brute force attempts on your admin login page.

- Use a login CAPTCHA to prevent bots - using Google's Re-Captcha is an effective method in this to reduce your own coding.

- If the CMS will have additional features like image upload, galleries, user profiles, shout box, forums, etc... input cleansing, input cleansing, input cleansing... input cleansing. Most CMS get hacky hacky when they allow guests to login as authenticated users to post comments on blogs and additional privileges.. this is where you're most vulnerable.

- Anti-Spam: If you allow posting you are sure to get spammers posting for Viagra in every comment section of the entire site... while this is not hacking the site it is terribly annoying.

- More Authentication: Consider making site admins or users with high privileges whitelist their IP's for logging in. There are a few CMS that do this, and I find this adds that last level of protection against brute force or social engineering or just general password guessing. Your biggest threat is likely to come from the end-user with weak passwords, account sharing and general stupidity of that nature.

- Server Environment: Create environment checks in your CMS to report various issues within the server environment. You could create a bulletproof CMS in theory with clean PHP and the like, but a poorly setup OS, webserver, mysql and server PHP config, etc, could still be your downfall. Register_Globals = TRUE for $1000 alex? Other things like PHP in ASP mode <? echo will this get you hacked ?>


that's about it for now.

[NukkaXsplasH]

Wow, great info guys.

Although it is not particularly a huge project, we are looking to get the 'senior project award' at my school and the more security implementation that is done, the better I look .

OnlyHuman, I will run though the CAPEC it seems as if there is a lot of information there. Thanks for the link.

Tremor77, Great addition here. A CAPTCHA will be implemented and a user lockout is a great idea. The detailed authentication and the breach checks in the enviroment is something I am definatly going to look into.

Your biggest threat is likely to come from the end-user with weak passwords, account sharing and general stupidity of that nature.

^This! Especially for our system that will be created, since it is not particulary attractive to hackers with no financial information and the like.

I appreciatie all of yor time and thank you for the responses. I will give an update on the project as it moves along!

-NukkaXsplasH