Document Template
Security Plan

Version: 3.0
Date: 16/11/2009

Authors:
  Quality Manager: Brenton Cunningham

Reviewers:
  Team Leader: Kevin Rush
  Quality Manager: Greg Hays
  Support Manager: Justine Leonard
  Technical Manager: Sean Rae

Table of Contents

1 Introduction
2 Operating System
3 Web Server
  3.1 Authentication and Access
  3.2 Htaccess
  3.3 Htaccess IP address or Domain
  3.4 Browser Redirection
4 Database
  4.1 MYSQL Accounts and Database Account Privileges
  4.2 Database Connection Code
5 Login Scripts
  5.1 PHP login scripts
  5.2 Username and password authentication
  5.3 Password Encryption
  5.4 Sessions and control of access
  5.5 User Types and Restrictions
6 Web Forms
  6.1 Prevention of SQL injection
  6.2 Cross Site Scripting in Joomla
  6.3 Privacy Statement
  6.4 Joomla token flaw
  6.5 Security Flaw Fixes

1 Introduction

This security plan will be used in the creation and maintenance of all aspects of security for the MITUP website.

The document sets out the security measures P.T.S will take when handling private data, the security currently in place on the MITUP site, and the security standards that will be set where necessary while developing the new project's software and systems.
2 Operating System

Because MITUP is a web-based project, its security is independent of any operating system security. All MITUP data is stored on an FTP server that is password protected and accessible only by the System Administrator.

3 Web Server

3.1 Authentication and Access

To access the MITUP web server you must log in to cPanel. cPanel is a secure site that allows the system administrator to create and edit preferences, manage the site's email accounts, back up and manage web server files, view logs, manage server security, view domains, manage server databases and manage advanced options.

To reduce the risk of cPanel being compromised, access has been limited to two users: our client, David Mackieson, and the MITUP system administrator.

3.2 Htaccess

The .htaccess file used by Joomla prohibits:

- Any script trying to set a mosConfig value through the URL
- Any script trying to base64_encode data to send via the URL
- Any script that includes a <script> tag in the URL
- Any script trying to set a PHP GLOBALS variable via the URL
- Any script trying to modify a _REQUEST variable via the URL
- All blocked requests are sent to the homepage with a 403 Forbidden error

3.3 Htaccess IP address or Domain

Joomla 1.5 allows a user to be blocked by IP address. This allows a user who has been using their account to send spam email, or who has otherwise been abusing their account privileges, to be removed, and stops them signing up again under another account.

cPanel also has an option to block an incoming IP address. This is useful when the web server hosts more than one domain: it stops a user who has been blocked for abusing an account on one of your sites from moving to another of your sites and abusing that one.

3.4 Browser Redirection

Every folder contains an index.html file, which is served when a user accesses a directory they are not allowed to browse. This index.html is a blank page, so even if a user reaches the directory they cannot view any component data.

4 Database

4.1 MYSQL Accounts and Database Account Privileges

The MITUP site runs off one large database containing many tables. The only accounts with access to this database are the System Administrator and our client, David Mackieson. These accounts have full privileges to add, edit and delete data in the database.

4.2 Database Connection Code

The line of code that connects to the database in Joomla is generic and is the same for every website running on Joomla. It does not contain the hostname, username or password, so it is not vulnerable to attack. It looks like this:

    $db =& JFactory::getDBO();

This line is used in the index.php of our front-page template to retrieve news items from the database. In our component, Joomla creates its own connection to the database once, without any code on our part, and uses that connection for every file in the component folder.
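The five .htaccess rules listed in section 3.2 can be expressed as a small request filter, which makes it easy to see which requests they stop and why. This is an added example in Python, not the site's own .htaccess file; the regular expressions are my reconstruction of the corresponding Joomla 1.5 htaccess.txt RewriteCond lines, and the filter checks both the raw and the percent-decoded query string, which the original rules approximate with explicit %3C/%3E alternatives.

```python
import re
from urllib.parse import unquote, urlsplit

# One (reason, pattern) pair per rule in section 3.2. Patterns are an
# assumption reconstructed from Joomla 1.5's htaccess.txt, not the MITUP
# site's own file.
HTACCESS_RULES = [
    ("mosConfig value set via URL", re.compile(r"mosConfig_[A-Za-z_]{1,21}(=|%3D)")),
    ("base64_encode data sent via URL", re.compile(r"base64_encode.*\(.*\)")),
    ("<script> tag in URL", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("PHP GLOBALS variable set via URL", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST variable modified via URL", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def check_request(url):
    """Return (403, reason) for a request the rules block, else (200, None).

    Rule 6 of the list (serve the homepage with 403 Forbidden) is the
    caller's job; this function only decides whether a request is blocked.
    """
    query = urlsplit(url).query
    # Test the raw query string and its percent-decoded form, so an encoded
    # '<' or '[' cannot slip past a pattern written for the literal character.
    for reason, pattern in HTACCESS_RULES:
        for candidate in (query, unquote(query)):
            if pattern.search(candidate):
                return 403, reason
    return 200, None


def filter_log(urls):
    """Apply the rules to a batch of request paths; return (url, status, reason)."""
    return [(url, *check_request(url)) for url in urls]


# Constructed sample requests: the first is an ordinary Joomla article URL,
# the rest each trip one of the five rules.
SAMPLE_REQUESTS = [
    "/index.php?option=com_content&view=article&id=5",
    "/index.php?mosConfig_absolute_path=http://example.invalid/",
    "/index.php?x=base64_encode(abc)",
    "/index.php?q=%3Cscript%3Ehello%3C/script%3E",
    "/index.php?GLOBALS[x]=1",
    "/index.php?_REQUEST[option]=com_x",
]

if __name__ == "__main__":
    for url, status, reason in filter_log(SAMPLE_REQUESTS):
        print(status, url, reason or "")
```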
This greatly reduces the risk of anyone attacking our connection code, as it is all kept in a separate file.

5 Login Scripts

5.1 PHP login scripts

On the MITUP site all login and logout scripts are handled through the Joomla add-on Community Builder. Community Builder takes the default Joomla user component and extends its functionality and security.

5.2 Username and password authentication

When a username and password are entered, Joomla sends this data to the database and matches it against the stored data. If the entered data matches, the login succeeds.

Rather than encrypting the password and decrypting it again at login, Joomla hashes the entered password and compares the result with the hashed password held in the database. If the two values match, the password is the same.

5.3 Password Encryption

All passwords created for the MITUP site will be stored as salted hashes. The salting step takes the MD5-hashed password and adds random bits (the salt) to it, making the stored password considerably stronger.

This prevents an attacker from using a precomputed rainbow table to recover users' passwords. The Database Administrator will be the only person with access to these hashed passwords, in case a user forgets their password or decides to change it later.

5.4 Sessions and control of access

When a user logs in, the system keeps them logged in until they either click the log-out button or the system times them out.

The system will also log a user out if they close their browser. This stops a user closing the browser without logging out, after which the next person to use the computer could access the MITUP site with that user's details.
If the MITUP website is open in a tab and only that tab is closed, not the browser, the user will still be logged in the next time the MITUP site is opened.

The user also has the option to tick 'Remember me' before logging in. This remembers the user's username and password so they can click Login straight away without entering their details.

5.5 User Types and Restrictions

Each user type has access to different parts of the site. For details of which pages each user type can access, refer to section 4 of the website design document.

6 Web Forms

6.1 Prevention of SQL injection

SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is thereby unexpectedly executed as part of a query.

To reduce the risk of SQL injection, P.T.S will make sure that every data field accepts only the type of data it asks for, limiting the opportunity to insert SQL queries into fields and thereby gain access.

We have tested many aspects of SQL injection and found that Joomla, together with Community Builder, offers a great deal of protection against code injection in the fields we tested. The login screen does not accept the admin# user, nor the ' or 1=1 -- injection in the password field.

6.2 Cross Site Scripting in Joomla

Cross-site scripting, also known as HTML or JavaScript injection, involves inserting scripts into forms on a website, usually with the intention of stealing users' cookies. While Joomla has many security features to prevent this, some vulnerability remains. If an older version of Internet Explorer (before IE7) is used, images are vulnerable to attack.
Internet Explorer can interpret some images as HTML pages, which means that malicious JavaScript placed inside the image comments, with the image still displaying normally, could be run without anyone noticing. This can be prevented by stripping HTML from the image metadata. We will be installing Joomla version 1.5.14 for the MITUP site, which has the majority of known security flaws fixed, including the known entry points for XSS attacks.

6.3 Privacy Statement

All members must sign a privacy statement covering the handling of all confidential data. This reduces the risk of private data leaking and becoming available to the public, including to spammers, who would then have every MITUP user's email address to send spam and dangerous material to.

6.4 Joomla token flaw

Earlier versions of Joomla 1.5 had a flaw that allowed a hacker to change the URL of the website. When the URL is changed Joomla asks for a token for the user; all the hacker had to do was enter a ' in the token box and click submit, and Joomla would let them set a new password for the admin login. This meant a hacker could gain access to the administrator back end, and with it both private user data and the editing options for the whole site, including articles, pages, images and the ability to change the administrator password, locking out the real site administrator.

6.5 Security Flaw Fixes

As Joomla is under continuing development, there will be continuous updates making it better, safer and more secure, reducing the risk of the website being hacked. It is recommended that the MITUP site continually update its version of Joomla to make sure all security flaws are fixed and it stays up to date.
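The login check described in sections 5.2 and 5.3 (re-hash the entered password with the stored salt and compare, never decrypt) together with the parameterised user lookup that the protection in section 6.1 depends on, as an added Python example that is not the MITUP site's own PHP or Community Builder code. It assumes the Joomla 1.5 stored-password layout md5(password + salt) ':' salt with a 32-character salt, and uses an in-memory SQLite table constructed here in place of Joomla's user table. MD5 is kept because it is the scheme the plan describes; a new deployment would use a slow password hash such as bcrypt instead.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional


def make_hash(password: str, salt: Optional[str] = None) -> str:
    """Joomla 1.5 layout (assumed): md5(password + salt) ':' salt.

    A fresh random salt per user means two users with the same password get
    different stored values, which is what defeats a rainbow table (5.3).
    """
    salt = salt if salt is not None else secrets.token_hex(16)  # 32 hex chars
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def check_hash(password: str, stored: str) -> bool:
    """Section 5.2: re-hash the entered password with the stored salt and
    compare digests; the stored value is never decrypted."""
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def build_user_table() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Joomla's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password TEXT, usertype TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", make_hash("correct horse"), "Super Administrator"),
        ("member", make_hash("correct horse"), "Registered"),
    ])
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Return the user's type on success, None otherwise.

    Section 6.1: the username is bound as a query parameter rather than
    spliced into the SQL text, so a quote or comment sequence typed into the
    field is data, not query syntax. The password never reaches the query;
    it is only compared against the stored hash.
    """
    row = conn.execute("SELECT password, usertype FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not check_hash(password, row[0]):
        return None
    return row[1]
```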
