Notice: CMSB v2.62 Beta 1 (April 29th, 2014)

26 posts by 8 authors in: Forums > CMS Builder
Last Post: June 27, 2014   (RSS)

  • Archived  

By Dave - April 29, 2014 - edited: April 30, 2014

Hi everyone,

We've just released v2.62 beta 1 (beta list members will get an email with a download link shortly).

The major new feature are:

  • Over 20 new security enhancements and security features
  • Security: Added new "Security Settings" section under: Admin, General Settings
  • Security: Custom generated "Security Tips" for the current server and connection are now displayed in red under "Security Settings".  Basically you just do what it says and it will help you "lock down" your server.  Tips appear when needed and disappear if you've implemented them.

Also we're moving to a new directory structure that looks like this:

/cmsAdmin/
/cmsAssets/
/cmsUploads/

You don't need to move your uploads if they're already in another folder, but this will be the default for new installs.

If you're not already on the beta tester email list and you'd like to help beta test (you must own at least 1 CMSB license) you can sign up here: http://www.interactivetools.com/news/manage.php

Please post any feedback, questions, or bugs you find! Thanks!

Thanks! :)

Dave Edis - Senior Developer
interactivetools.com
  • Archived  

By gversion - April 30, 2014

Hi Dave,

I'm really pleased to hear you are ramping up the security.

Out of interest, can you explain the thinking behind the new directory structure please? And what will each folder will be used for?

Thank you,

Greg

  • Archived  

By KCMedia - April 30, 2014

Dave here is a screenshot of the uploads fields that a new clean install setup for a new install very strange.

Thanks



Craig

KC Media Solutions

www.kcmedia.biz
  • Archived  

By Djulia - April 30, 2014

Hi Dave,

It seems that the Flash Uploader function does not function.
The activation or desactivation of the option in general settings does not have any effect.

Is it possible to modify the value of CMS_ASSETS_DIR/CMS_ASSETS_URL ?
I would like to use a particular folder.

Thanks! :)

Djulia

  • Archived  

By Djulia - April 30, 2014 - edited: April 30, 2014

[edit]It seems that the Flash Uploader function does not function.

In fact, there is an error 404 on the file uploadify.swf

The variable CMS_ASSETS_URL uses the value of Program Directory.

  • Archived  

By Dave - April 30, 2014

Hi Greg, 

Out of interest, can you explain the thinking behind the new directory structure please? And what will each folder will be used for?

Sure, no problem.  The original intent is to prevent path disclosure of the admin folder.  Here's some background for anyone who is curious.

We're being asked to respond to more and more security audit reports, a web developer will do a website for a bank or a large corporation and then that company will order a 3rd party security audit, and the security company will produce a very large and nicely formatted report highlighting "potential" security risks, usually as low, medium, or high or using a color code system.  Some of the reported issues are extremely trivial, such as a full page write-up and "low warning" on an individual stray readme.txt left behind from Apache or something, or another full page for a leftover test.php file with no content.  And other times they have a few good suggestions.  Removing stray files (as an example) is a good practice, but doesn't pose a security risk if they don't contain code.

The end-clients (the corporations) want a response on any issues and don't really understand, and the web developers don't usually know what to say, so they pass it on to us with a request to address any "medium", "orange", or "red" risks, and we've explained it enough times that we've decided the simplest path is just to remove or modify anything in the software that could even be slightly perceived as a security risk or potentially justify a page in these reports.  It will just save everyone time moving forward.

So with the original /cmsAdmin/upload/ directory structure, anyone looking at the path to an upload could guess /cmsAdmin/ is a cms admin folder where the program might be.  They can't login without a password, but they'd know it was there.  This is called path disclosure and best practices are to obscure or hide as much of this information as possible, even though the design of the software should prevent access even if you knew all the paths and locations of files.  So we're changing the paths so future installations can't be flagged as disclosing the path of the admin folder.  No current sites are at risk, but that's why.  Here's the breakdown:

/cmsAdmin/ - The cms admin files live here, you can rename it on install for better security, but don't rename existing sites or you'll break your include code on the viewer pages.
/cmsAssets/ - Just holds the /3rdParty/ folder right now, things like jquery and tinymce, etc.  This will allow us reference jquery on code generated pages without having the path to jquery reveal the /cmsAdmin/ folder
/cmsUploads/ - This is where the uploads from the CMS will go.

Now, one potentially more serious issue we are addressing is cross-site request forgery (CSRF) attacks, that's where someone who knew the path to the admin.php script, and the email of a cms admin, could potentially trick an admin into clicking or requesting a link that would perform an action in the CMS with the admin rights.  This would require the admin was logged in to the CMS.  

So this update is a mix of enhancements to improve security across the board, and to reduce even trivial items that might get reported in a security audit and potentially alarm clients (or just take up time).

Hope that helps, let me know any questions.

Dave Edis - Senior Developer
interactivetools.com
  • Archived  

By Deborah - April 30, 2014

Hi, Dave. I'm pleased to know there are enhanced security features!

I performed a clean install of the beta and have experienced the following:

-----

I think it was after the initial login to the admin I saw: "Upload Folder Url must be the web path only without a domain (eg: /uploads/)

The program automatically entered the url and install directory, as: http://www.mydomain.com/myinstalldirectory/../cmsUploads/"

But, I think it will want to indicate this instead: /../cmsUploads/'

-----

Security Settings: As advised by Security Tips, I renamed admin.php after install and then logged in with the new file name. (Could I have or should I have renamed this page prior to install?) It seems everything was functioning after logging in with the new admin URL except that I wasn't able to gnerate page code. After renaming the page, the code generator gives me this error:
"Forbidden You don't have permission to access /cmsb-beta/admin-uniquefilename.php on this server....."

-----

That's as far as I could get today, but please let me know if there are incremental beta updates and I'll reinstall and test again.

~ Deborah

  • Archived  

By Dave - May 1, 2014

Thanks everybody for the great feedback and beta testing!  I'm going to get a second beta out shortly that addresses all the issues mentioned.  Stay tuned!  Thanks.

Dave Edis - Senior Developer
interactivetools.com
  • Archived  

By jenolan - May 5, 2014

Hiya Dave,

Sorry for the delay in responding to this but, changing form one directory in the root of the system to three is suboptimal. One of the things that becomes very difficult with working on people's sites is the amount of dross (ie files and directories) splattered all over the place.

The name of the app is cmsBuilder so the structure should be something like...

/cmsBuilder/Admin/
/cmsBuilder/Assets/
/cmsBuilder/Uploads/

With the option to rename /cmsBuilder/ to just /cms/ this still gives you the same result for the admin folder not being loaded for non-admin requests but also only one directory in the root of the site which is really preferable I think, it means that all of the cmsBuilder stuff is still based (default settings) in one base directory.

Cheers,
Larry

---
<?= "Jenolan(Larry) :: Coding Since 1973" ?>
Peace and Long Life