One application for multiple sites, maintainability vs security


I've been posting on this matter before and I've seen that there already exist some other threads as well. But I'm still not sure what is the best way to go here.

My situation in short:

I've developed a CMS system based on CodeIgniter and Ext-JS. I'm quite pleased with it, and I'm now working on a plan to start selling hosted CMS solutions. Right now I own a Virtual Dedicated Server with full root access. My initial plan is to install the application in one central hosting account instead of installing it for every user, for the sake of maintainability. Every user would be able to log in at domain.com/cms/ through an Alias rule on Apache, but would actually be running the centrally installed script. When working with databases, this works without any problems, as I just supply the correct login information for the DB based on the user login.

However, part of the CMS involves uploading files to the website as well. Since the CMS is installed and running in a different account than the target of the files, I run into problems with basedir restrictions. As some people pointed out to me: you can restrict the open_basedir for each client account, but in the end the CMS account can access any account, and therefore creates a security leak.

My question here is not really specific, I know, but I was hoping that there are people on this forum that have been in a similar situation and would shine their light on the matter. How would you guys go about solving this? Keeping in mind maintainability and security.

Again, I'm in the process of gaining information. And I have full access to my server. So even options like running php as a different user or something are welcome.

Thanks in advance for any input.

It all kinda depends I think. For example: will you ever have to deal with clients that will use this hosted CMS solution who would actually try and crack the whole thing so they can mess around with other clients' files?

I think you have a good point here .. most of my customers won't even have a clue of these kinds of things. On the other hand, the CMS is publicly accessible, with a login of course. So some means of security is definitely necessary.

Does anyone else have any thoughts on this? I'm happy to hear more opinions, to base my decisions upon!

Thanks so far anyway!


Of course you'll need a pretty well secured login, but as for the rest... I think if you protect for the basic stuff, like SQL injection and maybe some decent password hashing etc, you're good to go. Because, even if the CMS is publicly accessible, who on earth would want to hack into some hosted CMS solution website?

Don't get me wrong, I love the idea and I've been thinking of starting my own if money wasn't the issue, but those sites are mostly not really "hack worthy" :p So I don't think you have lots to fear

[eluser]Randy Casburn[/eluser]
I'm thinking here, but off the top of my head the first risk you'll face is a deposited text or other type of file. It will incrementally become an executable script in stages, even during the course of a month or so. Once that happens, you've potentially become a spam source. This is a fear with any publicly accessible site with a scripting upload capability. But let me re-read your post and think on this.

I'm working on the same project - different name, different objective, different customer base. Same type product design I suppose. Would love to talk some time.


[eluser]Randy Casburn[/eluser]
Quote: the CMS account can access any account,

What privs is the CMS account running with? What group? etc.


@Bramme: Of course you have a fair point here. Who on earth would be interested in spending a lot of time hacking my server? But I don't think that is satisfying enough. If I want to offer a good product to my customers, it has to be secure. To some degree at least. Perhaps enabling doesn't create such a big security threat .. but that's exactly what I'm investigating here now

@Randy: It's always interesting to get in touch with people working on similar projects and see the problems they run into! Currently my main concerns are two things:

- different clients will be able to access each other's files, through the disabled basedir restriction on the CMS account.
- a client might (accidentally) upload a php script, that will damage not only his own data, but the data of other users as well. If the CMS would be installed in the users' own hosting account, with basedir restrictions enabled, he would only inflict his own data. That way, the damage and the responsibility is only for this user.

Currently, on my test server, the CMS account is just a normal hosting account, created by the DirectAdmin administration panel. The only difference is that this account has the base_dir restriction disabled, so that it can write in other users' accounts (only if the folders have been set to be writable).

Did you already come up with ideas for the server set-up for the project you are working on?


"different clients will be able to access each other's files, through the disabled basedir restriction on the CMS account."

I'd just dynamically make subfolders for every user's uploads and then let them only access their folder... Hardcode the folder uri in your cms, protect the actual dirs with a .htaccess and I think you're set for that problem.

As for the php scripts: I guess you could scan for php and text files, read them into a variable and scan that variable for possible malicious code. If you find something, first display a warning "Caution: your file might contain malicious code, if anything bad happens to your site you are completely responsible". Then if they press "Okay, upload anyway", you move the uploaded file to their dir and keep it there. If they select "don't upload" you of course destroy the file...

Also, what I just thought of: if your users can upload css files, make sure the frontend of your application has a securely set mysql user, that can only do a select few queries and only access their own table.
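The per-user upload folder idea above, written out as an added example (not code from the thread or from CodeIgniter). It assumes the layout /home/<client>/public_html/uploads/, that the client name comes from the authenticated CMS session rather than the request, and that only the listed extensions should ever reach disk:

```php
<?php
// Added example: confine one client's upload to that client's own directory.
// Assumed layout: /home/<client>/public_html/uploads/ (hypothetical).
const UPLOAD_ROOT_FMT = '/home/%s/public_html/uploads';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'css'];

function client_upload_root(string $client): string {
    // Client names are created by the hosting panel; refuse anything else so
    // the name can never carry a path separator or "..".
    if (!preg_match('/^[a-z][a-z0-9_]{1,31}$/', $client)) {
        throw new InvalidArgumentException('bad client name');
    }
    $root = realpath(sprintf(UPLOAD_ROOT_FMT, $client));
    if ($root === false) {
        throw new RuntimeException('upload root missing');
    }
    return $root;
}

function safe_destination(string $client, string $userName): string {
    $root = client_upload_root($client);
    // Keep only the final path component; reject empty and dot-files.
    $base = basename($userName);
    if ($base === '' || $base[0] === '.') {
        throw new InvalidArgumentException('bad file name');
    }
    // Allowlist the extension: .php, .phtml, .htaccess etc. never land on disk.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    // Normalise the stem to a safe charset and re-attach the vetted extension.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($base, PATHINFO_FILENAME));
    $dest = $root . DIRECTORY_SEPARATOR . $stem . '.' . $ext;
    // Belt and braces: the final path must still sit inside this client's root.
    if (strpos($dest, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes client root');
    }
    return $dest;
}

function store_upload(string $client, string $tmpPath, string $userName): string {
    $dest = safe_destination($client, $userName);
    // is_uploaded_file() guards against being handed an arbitrary server path.
    if (!is_uploaded_file($tmpPath) || !move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return $dest;
}
```

Paired with a .htaccess in the uploads tree that switches the PHP engine off for that directory (`php_flag engine off` under mod_php), a file that does slip through is served as data rather than run.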

[eluser]Randy Casburn[/eluser]
@mvdg27 -- I would be fearful of some very simple PHP functions, such as glob(). Under the configuration as you've described it, any user with any CMS account can glob() any other user's files, can then readdir() and fopen() those files, change the contents, and when they are executed who knows what would happen, etc.

Have I misunderstood what you've said?

Quote: As some people pointed out to me: you can restrict the open_basedir for each client account, but in the end the CMS account can access any account, and therefore creates a security leak.


- different clients will be able to access each other’s files, through the disabled basedir restriction on the CMS account.


[eluser]Randy Casburn[/eluser]
@mvdg27 -- I'm confused again why you don't want to use per-user/per-execution base-dir restrictions to prevent the problems I mentioned above?
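One way to get the per-execution base-dir restriction asked about here, as an added example (not from the thread): PHP lets a script tighten open_basedir for the remainder of the current request through ini_set() (since PHP 5.3 it can only be narrowed, never widened). It assumes client accounts live under /home/<client>/ and the shared CMS code under /home/cms/ (both hypothetical paths):

```php
<?php
// Added example: narrow open_basedir to the logged-in client for this request.
// Call this right after authentication, before any file access on their behalf.
function confine_to_client(string $client): void {
    if (!preg_match('/^[a-z][a-z0-9_]{1,31}$/', $client)) {
        throw new InvalidArgumentException('bad client name');
    }
    // Trailing slashes matter: "/home/bob" would also admit "/home/bobby".
    $dirs = [
        "/home/$client/",          // the client's own account (assumed layout)
        '/home/cms/',              // the shared CMS code, still needed for include()
        rtrim(sys_get_temp_dir(), '/') . '/',  // where PHP parks uploaded temp files
    ];
    // ini_set() returns the old value (possibly "") on success, false on failure;
    // it fails if a stricter open_basedir is already in force or ini_set is disabled.
    if (ini_set('open_basedir', implode(PATH_SEPARATOR, $dirs)) === false) {
        throw new RuntimeException('could not tighten open_basedir');
    }
}

// Sanity check for a test page: /home itself exists but lies outside the
// allowed prefixes, so opendir() must now fail (warning suppressed with @).
function confinement_holds(): bool {
    return @opendir('/home') === false;
}

confine_to_client('alice');        // 'alice' is a constructed client name
var_dump(confinement_holds());     // expected: bool(true)
```

open_basedir is enforced by the PHP runtime only; the Apache/PHP process user can still reach every account at the OS level, so this complements rather than replaces running each site as its own system user.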

