[Xerte] Re: Security concern

Davies, Dale Dale.Davies at liv-coll.ac.uk
Fri Aug 12 12:36:05 BST 2011


Hi Matt,


I'm no security "expert" but I have plenty of experience with this sort
of thing in the past, I guess it is something that gets drummed into you
if you're a developer.


It is good practice to hash passwords using a strong algorithm before
storing them in a database, that way if the database is ever compromised
and an attacker is able to dump the user table they will not be able to
directly read the passwords.


Probably wouldn't be that difficult to change the management.php script
to check the hash of the password entered at login against a hashed
password in the database, rather than just comparing the passwords in
plain text. I might take a look into it myself next week if I have
time.


It may be worth also considering password protecting the file itself at
the server level, so that if you try to access management.php from your
browser you will first be presented with an authentication dialogue from
the browser. Use a different password for this than you do for the
Xerte admin page. See this tutorial for using .htaccess (Apache) to do
this...
http://johnbokma.com/mexit/2007/01/09/password-protecting-single-file-htaccess.html


This way, even if an attacker manages to dump the database to a page and
read the management password, they will still not be able to log in to
the admin section because they won't be able to get past the browser's
authentication dialogue (as this uses a different password not stored in
the database at all).


Another thing you can do to make the process of dumping database tables
a little more difficult for a would-be attacker is to use a unique table
name prefix; this will make it harder for an attacker to guess the
correct table names if they find an SQL injection vulnerability
anywhere.


Let me know if this helps, or if you think I'm wrong, I have been known
to be wrong many times in the past!


Dale Davies - VLE / E-Learning Developer

Liverpool Community College, CIS Dept, Bankfield Road, Liverpool, L13 0BQ.

Web: www.liv-coll.ac.uk

Tel: 0151 252 3238


From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Matt Lingard
Sent: 11 August 2011 15:46
To: Xerte discussion list
Subject: [Xerte] Security concern


The systems manager at my institution has raised a security concern
regarding the password for the admin account for our Xerte Online
toolkit.

I'm told that the password is clear text (i.e. the characters are visible)
in a table in the database called 'sitedetails' (as it is the
management.php interface). He suggests that this isn't good practice.
Has anyone else had any concerns raised about this? We run other
services on the same server.

I'm not particularly technical myself, just trying to ascertain the
level of risk.

thanks,
Matt

-- 
Matt Lingard,
Learning Technologist
LSE
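Dale's suggestion in the reply above, storing a hash of the management password and comparing a hash at login instead of plain text, as an added example in PHP; this is not Xerte's own code, and it assumes a PDO connection, a 'sitedetails' table with a single admin row and a 'password_hash' column.

```php
<?php
// Added example (not Xerte code): hashed-password storage and login check
// for a management script. Assumed: $pdo is a PDO connection, the
// 'sitedetails' table has one admin row with a 'password_hash' column.

// One-time step: replace the plain-text password with a salted hash.
function store_admin_password(PDO $pdo, string $plain): void
{
    // password_hash() chooses a strong algorithm (bcrypt by default)
    // and generates a random salt; the salt is embedded in the result.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE sitedetails SET password_hash = :h');
    $stmt->execute([':h' => $hash]);
}

// Login check: true only if the submitted password matches the stored hash.
function admin_login_ok(PDO $pdo, string $submitted): bool
{
    $stmt = $pdo->query('SELECT password_hash FROM sitedetails LIMIT 1');
    $row = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : false;
    if ($row === false || empty($row['password_hash'])) {
        // Nothing hashed yet: refuse rather than fall back to plain-text compare.
        return false;
    }
    // Constant-time comparison against the stored hash; a dumped table
    // reveals only the hash, not the password itself.
    if (!password_verify($submitted, $row['password_hash'])) {
        return false;
    }
    // If the hash was made with weaker/older parameters, upgrade it now,
    // while the correct password is known.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        store_admin_password($pdo, $submitted);
    }
    return true;
}

// Assumed usage at the top of management.php:
// if (!admin_login_ok($pdo, $_POST['password'] ?? '')) {
//     http_response_code(403);
//     exit('Login failed');
// }
```

The migration step only needs to run once against the existing 'sitedetails' row; after that the plain-text value is never written again.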