2011/5/27 16:48:20
Home away from home

ImpressCMS - Security

I would like to speak next week about CMS and security, and in this case I would like to show our special features. It would be helpful for me if you could tell me in short points what you think about ImpressCMS security.

Negative and positive things.

(Sure, I have written my list, but maybe I forgot some things?)

Thank you,


2011/5/29 9:48:28
Home away from home

Re: ImpressCMS - Security

Positives: The trust path, use of salts (see Vaughan's posts about how it works), and the updated hash algorithm. Also, support for SSL login and full-site SSL. There are the alternative authentication mechanisms, but I haven't used them much so I don't know whether these are security enhancements or just conveniences.

Negatives: I think we have the basics covered. Sending passwords in the clear irks me, but the fact is that it is difficult to address in an out-of-the-box install and as far as I know all major CMS still work that way. I'm still working on adding support for 2-factor authentication (using hardware token) with Vaughan.

I think adding password stretching would be a useful improvement to harden password hashes against offline dictionary attacks, but I'm still arguing the case for that one.
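The password stretching mentioned in the post above, sketched as an added example (not ImpressCMS code and not part of the original post). PBKDF2-HMAC-SHA256, the iteration count and the `scheme$iterations$salt$key` record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune to the server's login-time budget


def single_pass_hash(password: str, salt: bytes) -> bytes:
    """Salted but unstretched: an offline guess costs one SHA-256 call."""
    return hashlib.sha256(salt + password.encode()).digest()


def stretch(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record so the work factor can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, key, rounds = bytes.fromhex(salt_hex), bytes.fromhex(key_hex), int(iterations)
    except ValueError:
        return False  # malformed record never authenticates
    if scheme != "pbkdf2-sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, key)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record was made with a lower work factor than today's."""
    return int(record.split("$")[1]) < iterations


def seconds_per_guess(fn, repeats: int = 3) -> float:
    """Average wall-clock cost of one password guess using fn."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample input
    fast = seconds_per_guess(lambda: single_pass_hash("hunter2", salt))
    slow = seconds_per_guess(lambda: stretch("hunter2", salt))
    print(f"single pass: {fast:.6f}s per guess, stretched: {slow:.6f}s per guess")
```

Because the iteration count is stored in each record, `needs_rehash` lets a site re-derive a user's hash at the next successful login when the work factor is raised.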

2011/5/29 11:09:16
Home away from home

Re: ImpressCMS - Security

On the subject of security - I think it would be a sensible idea to look at moving the cache and compile directories to trustpath.

I notice that xoopscube also had this approach as well - as per this very good ticket suggestion here:

The point about using a prefix is a very valid one, as it is possible, I think, to share trustpath over several sites on the same host (indeed, this is a possible way of achieving multi-site perhaps).

2011/5/29 11:39:30
Home away from home

Re: ImpressCMS - Security

Forgot to add: Session regeneration on login etc.

2011/5/29 11:45:12
Home away from home

Re: ImpressCMS - Security

That sounds sensible to me.

2011/5/29 19:21:55
Home away from home

Re: ImpressCMS - Security

As far as what we do that others don't -
* randomize db table prefix
* separate sensitive data and place in trust path
* randomize the trust path directory name
* randomize the name of the secure data file
* integration with HTML Purifier
* multiple password hash options, selectable by site
* admin warnings for practices not followed
* of course, Protector module

Christian Web Resources
