Jazajay
Active Member
Quote: Good point, and this convincingly adds even more weight to the argument that people should think twice before rolling their own CMS.
I disagree TBH, as your own takes you off the radar and therefore is not that easy to find via search engine hacking.
Ning's one is awful and how many sites do they populate?
I won't even use a site using it because of the ability of one dev to pretty much do what ever they want from that site.
Quote: Two of my recent projects involve migrating web sites away from dead-end bespoke code.
I can see why you're bitter.
But if someone wants to create one themselves then they just have to look at it from certain security implementations.
That being login.
To me it should have a password and user name; I've seen some CMSs with just a password, and then the user set it as "banana". I mean, yeah, no wonder they got in. Secondly, use PHP's sleep function: if they get it wrong, at least a 30 second delay, and you can pretty much say goodbye to brute force attacks; automated ones have just been seriously hampered. Wipe out any data that you don't expect to be in the password.
So if you say a password must have lower and upper case and alphanumeric characters, whack in a regular expression to look for it (I can write one for anyone who needs one). If that's correct, load up a backup password with the name of the password field as something like "trees", then a hacker assumes that it is a backup password of tree names when it is in fact a 32-100 character alphanumeric, computer-generated password. Again, if they get it wrong, whack in PHP's sleep function for 30 seconds and kick them to the first login.
Save the attempt and log it as well so you can see how they got past the first one, but escape it in case they whack in special code which wipes your db.
If the second password is correct, save the user name in a session with a token (bye bye session hijacking), then test for the token and user name when they are logged in on all pages on the inside; if it is not correct, boot them out to the home page.
Then if you want to set up separate users, set them certain privileges; not every user of a CMS should have access to everything. Why does the SEO need access to write articles? Why does the copywriter need access to site tracking? Bear in mind I checked out one CMS last week, or the week before, and it let every user control the entire CMS.
Why?
Only the root user should be able to add users, or view passwords of all users.
Then use the name saved in the session, and in the db set CMS privileges in a table like so, and test against them.
Table ~ User
Food ~ y
User tracking ~ y
Add food products ~ y
Add user ~ n
Then if they go to access the add user page, either delete the link and check the page to see if they have sufficient privileges, or, if they go to access the link, the first thing the page does is get the add user field from the User table in the db and see if it equals y. If it doesn't, they don't have privileges, so send them to the admin page with a message saying "unfortunately you don't have sufficient privileges", log the attempt, and send the root user an email telling them that an unauthorized user tried to access the add a new user page.
Then on all the other sections screen the data: only allow certain HTML tags and test to make sure that any opening tags have a closing partner so as not to screw the code up when it gets output to the user, and anything not cleared to be entered is wiped before it gets added, or sent back to alert the said admin that they cannot use that character, do they want to use another?
That way it is as secure as any CMS, if not more secure, and you can then create it to do whatever you want.
If you have intermediate server language knowledge, PHP, ASP, whatever, or even beginner knowledge with the will to learn the rest, then it's pretty easy to code TBH.
Slightly time consuming, but if you track what all your users do then you can know when an attack attempt happens, then learn from it and see if your code is up to snuff. And if you limit privileges then only one user can access the parts that really affect the whole CMS, and to get in they must know their username and password and 32-100 alphanumeric character password, which can be sent in an email to them so they don't forget.
But I got hacked and as a result will never rely on code I haven't written again; if I don't know what it does, how good is it?
I have no idea, should I be surprised if I get hacked? No.
But relying on updates?
How many ppl have updated to 7, or even from 6, yet you have faith they will update their CMS?
How many security holes are in 6 and 7 that have been fixed with IE 8?
Yet ppl still use it. Mmm....
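The per-page privilege check the post describes (read the user's y/n column, deny, log, and email root), written out as an added example that is not the poster's code. It assumes a MySQL table `cms_user` with one y/n column per privilege, an `access_log` table, and that `session_start()` has already run.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Privilege check against an
// assumed `cms_user` table using PDO prepared statements, so the username
// taken from the session can never alter the query.

// Column names cannot be bound as prepared-statement parameters, so the
// privilege being checked must come from this fixed allowlist.
const PRIVILEGE_COLUMNS = ['food', 'user_tracking', 'add_food_products', 'add_user'];

function hasPrivilege(PDO $db, string $username, string $privilege): bool
{
    if (!in_array($privilege, PRIVILEGE_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown privilege: $privilege");
    }
    $stmt = $db->prepare("SELECT `$privilege` FROM cms_user WHERE username = :u LIMIT 1");
    $stmt->execute([':u' => $username]);
    $value = $stmt->fetchColumn();
    // A missing row, NULL, 'n' or anything other than an explicit 'y' is a denial.
    return $value === 'y';
}

function requirePrivilege(PDO $db, string $privilege, string $rootEmail): void
{
    // The identity comes only from the session set at login, never from the request.
    $username = $_SESSION['username'] ?? null;
    if (is_string($username) && hasPrivilege($db, $username, $privilege)) {
        return; // allowed: let the page continue
    }
    $who = is_string($username) ? $username : '(no session)';
    // Log the attempt with parameters, so a crafted username cannot inject SQL.
    $log = $db->prepare(
        'INSERT INTO access_log (username, privilege, ip, attempted_at) VALUES (:u, :p, :ip, NOW())'
    );
    $log->execute([':u' => $who, ':p' => $privilege, ':ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown']);
    // Notify root. Untrusted values go only into the body, never into mail headers.
    mail($rootEmail, 'CMS: privilege denied',
         sprintf("User '%s' tried to use '%s' at %s", $who, $privilege, date('c')));
    $_SESSION['flash'] = 'Unfortunately you do not have sufficient privileges.';
    header('Location: /admin.php', true, 303);
    exit;
}

// Usage at the very top of add_user.php, before any output:
//   requirePrivilege($db, 'add_user', 'root@example.invalid');
```

Because hasPrivilege() treats anything but a literal 'y' as denied, a new user whose row was inserted without the column set is locked out by default rather than let in.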