| Author |
Message |
Anti
Member
|
Posted: 25 Jan 2007 16:42:28 ° Edited by: Anti
Is this script safe?
I see there are no 'I've been hacked' posts, but you wouldn't have if your user-base is small; how many people do you think are using this script roughly? Obviously if your user-base is 40,000 and no-one is complaining about security, then it's probably good. But if the user-base is only in the low hundreds, the 'lack of being hacked' does not prove security.
I'm asking about security, because:
- I get a server security message about exec()
- I don't like all the 777 chmoding (especially the htaccess file!!)
- Someone on the forum mentioned the usage of the 'open_base_dir' directive being a security risk.
- The script seems rather large and bloated considering its single purpose, the css seems over-complex, and the requirements and server settings for running it seem quite 'narrow'. This may seem a very cheeky point considering I don't know any php or javascript myself, but from a first glance it doesn't look like well-put-together, streamlined, stable, secure scripting?
Can the developer comment on any of these points for our reassurance?
Thanks.
|
skalinks
Admin
|
Posted: 26 Jan 2007 05:58:54
Hello, Anti
Thank you for this really great question. Now, I will try to explain why this scrip is considered to be the safe one.
Skalinks is opensource software. Everyone can easily download it and use at his sole discretion. Besides, it is absolutely free software. And, above all, this script was created for our own usage.
But, if you still hold the opinion that there are some suspicious points in our script, please, go ahead and change it. We are not against it.
Best regards
|
Anti
Member
|
Posted: 26 Jan 2007 14:29:37
Thanks for your answer!
> But, if you still hold the opinion that there are some suspicious
> points in our script
Let me make this clear to other users, so they are not put-off from using skalinks by my question: I don't have an opinion about the security, because I don't know anything about it or php/javascript. I have absolutely no reason to believe that the script is unsafe.
However, as I'm running a school website, I need to be very careful about the scripts I use.
So was security was an important factor whilst the script was being written?
For example:
- Do the text fields allow potentially malicious input? Is all user input checked?
- Could someone upload an executable text-file or script into one of the 777 chmod folders? Could they edit the 777 chmod htaccess file?
- The only place exec() seems to be used is in the function for deleting the directories (that explains why the folders and files are left on my server when I delete things). However, I cannot find instances of escapeshellarg() or escapeshellcmd(), which I've read are supposed to be used with exec()
Cheers.
|
Anonymous
|
Posted: 26 Jan 2007 17:35:21
The script is very insecure.
I broke the script using a simple noscript tag and it made it unusuable to the admin, therefor destroying the entire script.
It does not filter out html or javascript tags which means ANYONE can destory it with a single line of code.
Why don't you hear about it? Because skalinks deletes every mention of this bug, in fact they just deleted my entire post that I made 10 minutes ago because they don't feel anyone should know it's not a secure nor stable script.
|
skalinks
Admin
|
Posted: 27 Jan 2007 00:05:46
Hello, Anonymous
First of all, we DO NOT delete topics about the script bugs. Quite the contrary, one of the main goals of this forum is discussion. Anyone who has something to say, to discuss, to share or to learn about SkaLinks script is always welcome. Everyone has the right to express his or her opinion or thoughts in forum and certainly, to get an answer, if necessary, some problems solution.
Anonymous, I want to assure you that nobody has deleted your previous topic. Please, do not mislead other users.
And furthermore, you always have the choice!
Good luck
|
Anti
Member
|
Posted: 28 Jan 2007 06:18:09 ° Edited by: Anti
- Do the text fields allow potentially malicious input? Is all user input checked?
It kind of answers this queston though.
That's a pity, because the script looks and behaves exactly as I'd like. But php scripts need to be so secure these days. An unsafe script can bring an entire server down, so that you get your account deleted by the host. Or if someone gains root access to your account, they can read all the email inbox files on your server for months without you knowing about it. Apart from the obvious - defacing or deleting your website or running a spam email script from it.
Security is always the number one priority. You should really have a bug-tracker operating for this script, so users could help the development and security by posting issues.
It's a nice script though. I hope you continue to develop it.
Cheers!
|
skalinks
Admin
|
Posted: 29 Jan 2007 04:15:16
Hi, Anti
Please, let me answer to your questions. By the way, thank you for your suggestions. We will take everything into our consideration. Thank you!
As for your questions:
It is impossible to edit or upload something into one of the 777 chmod folders via browser. When 777 chmod rights are set, only the script is able to create, edit or rewrite the files.
If you want to upload or rewrite some files you should obligatory have hosting access.
Best wishes
|
Anti
Member
|
Posted: 29 Jan 2007 10:44:45
Thanks for your reply.
|
skalinks
Admin
|
Posted: 29 Jan 2007 20:44:46
You are always welcome, Anti!
|
|
