[Xerte] Re: Security concern

Matt Lingard mattlingard at gmail.com
Fri Aug 12 13:28:36 BST 2011


Thanks for this.  I'll pass it to our Sys Admin.  We'd just been discussing the
possibility of password protecting management.php as a precaution!

Cheers,
Matt

On Fri, Aug 12, 2011 at 12:36 PM, Davies, Dale
<Dale.Davies at liv-coll.ac.uk> wrote:

> Hi Matt,
>
> I’m no security “expert” but I have plenty of experience with this sort of
> thing in the past, I guess it is something that gets drummed into you if
> you’re a developer.
>
> It is good practice to hash passwords using a strong algorithm before
> storing them in a database, that way if the database is ever compromised and
> an attacker is able to dump the user table they will not be able to directly
> read the passwords.
>
> Probably wouldn’t be that difficult to change the management.php script to
> check the hash of the password entered at login against a hashed password in
> the database, rather than just comparing the passwords in plain text.  I
> might take a look into it myself next week if I have time.
>
> It may be worth also considering password protecting the file itself at the
> server level, so that if you try to access management.php from your browser
> you will first be presented with an authentication dialogue from the
> browser.  Use a different password for this than you do for the Xerte admin
> page.  See this tutorial for using .htaccess (Apache) to do this...
> http://johnbokma.com/mexit/2007/01/09/password-protecting-single-file-htaccess.html
>
> This way, even if an attacker manages to dump the database to a page and
> read the management password, they will still not be able to log in to the
> admin section because they won’t be able to get past the browser's
> authentication dialogue (as this uses a different password not stored in the
> database at all).
>
> Another thing you can do to make the process of dumping database tables a
> little more difficult for a would-be attacker is to use a unique table name
> prefix; this will make it harder for an attacker to guess the correct table
> names if they find an SQL injection vulnerability anywhere.
>
> *Let me know if this helps, or if you think I’m wrong, I have been known to
> be wrong many times in the past!*
>
> *Dale Davies - VLE / E-Learning Developer*
>
> Liverpool Community College, CIS Dept, Bankfield Road, Liverpool, L13 0BQ.
>
> *Web:* www.liv-coll.ac.uk
>
> *Tel:* 0151 252 3238
>
> *From:* xerte-bounces at lists.nottingham.ac.uk [mailto:
> xerte-bounces at lists.nottingham.ac.uk] *On Behalf Of *Matt Lingard
> *Sent:* 11 August 2011 15:46
> *To:* Xerte discussion list
> *Subject:* [Xerte] Security concern
>
> The systems manager at my institution has raised a security concern
> regarding the password for the admin account for our Xerte Online toolkit.
>
> I'm told that the password is clear text (ie the characters are visible) in
> a table in the database called 'sitedetails' (as it is the management.php
> interface). He suggests that this isn't good practice.  Has anyone else had
> any concerns raised about this?  We run other services on the same server.
>
> I'm not particularly technical myself, just trying to ascertain the level
> of risk.
>
> thanks,
> Matt
>
> --
> Matt Lingard,
> Learning Technologist
> LSE
>
> _______________________________________________
> Xerte mailing list
> Xerte at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte


-- 
Matt Lingard,
Educational Technology Consultant
+44 (0)7801 276 559
http://uk.linkedin.com/in/mattlingard
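Added example, not code from the Xerte project or from either poster: a Python sketch of the change Dale describes, contrasting the plain-text comparison with a salted-hash check. The dicts stand in for the 'sitedetails' row, and PBKDF2-HMAC-SHA256 is an assumed choice of "strong algorithm"; the thread does not name one.

```python
import hashlib
import hmac
import secrets

# Before: the row holds the password itself, so the login check is a plain
# string comparison and any dump of the table reveals the password.
def login_plaintext(row: dict, entered: str) -> bool:
    return row["password"] == entered

# After: the row holds only a random salt and a slow hash of the password.
ITERATIONS = 200_000  # assumed work factor; tune for the server

def make_password_record(password: str) -> dict:
    """Build the row to store instead of the plain-text password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify_password(record: dict, entered: str) -> bool:
    """Login check: re-hash what was typed and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt,
                                    record["iterations"])
    # compare_digest avoids leaking where the two strings first differ
    return hmac.compare_digest(candidate.hex(), record["hash"])

def dump_contains_plaintext(record: dict, password: str) -> bool:
    """Defender's check: does a dump of this row expose the password?"""
    return password in record.values()

if __name__ == "__main__":
    # Constructed sample credential, not a real Xerte password.
    secret = "correct horse battery staple"
    old_row = {"password": secret}
    new_row = make_password_record(secret)
    print("old row leaks password:", dump_contains_plaintext(old_row, secret))
    print("new row leaks password:", dump_contains_plaintext(new_row, secret))
    print("new row still logs in:", verify_password(new_row, secret))
```

Each stored record carries its own salt and iteration count, so the hashing parameters can be raised later without invalidating older rows.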