
Task #30733

Include information about kinds of attacks?

Added by Chris topher over 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Should have
Assignee: Michael Schams
Category: -
Target version: 1.0.0
Start date: 2011-10-10
Due date:
% Done: 100%
Votes: 0

Description

The guide currently tells about the aims and the countermeasures of attacks.

But it does not tell what such an attack can look like and how it can happen. Maybe it would be an idea to add this, as it gives the user a better understanding of how to prevent it.

  • Often the attacker manipulates PHP files on the server. E.g. inside a PHP file (which might often be the central index.php) he inserts something like eval(base64_decode(JGPerLmejDnWIMskWmYmz...)), which is decoded malicious code.
  • The attackers often gain access to these files via FTP. Stealing FTP credentials can happen by trojans, which may be installed when the user just visits dangerous sites (gambling, untrustworthy offers for cheap software, porn...) and if he does not use the most up-to-date version of his browser and/or operating system.
  • When an FTP account is set up, it is extremely important to specify the directory which the user should have access to. E.g. if not configured properly, this can easily default to the root folder of a TYPO3 installation, so that the user can not only upload files to fileadmin/, but can also modify index.php or typo3conf/localconf.php. An illegitimate user who stole the FTP credentials gains exactly these rights.
  • Attackers look for code with security issues (e.g. phpmyadmin, forum software, ...)
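As an added illustration (not part of this ticket or of the TYPO3 Security Guide), a small Python scanner in the spirit of the "detect a hacked website" topic raised in the discussion: it flags the eval(base64_decode(...)) pattern from the first bullet in any PHP file and reports PHP files that have appeared under fileadmin/, which a properly restricted upload account should never be able to create. The file names, file contents and the fileadmin/ upload convention used in demo() are constructed assumptions.

```python
import os
import re
import tempfile
# Signatures of the injected-code style the ticket describes: eval() around a decoder.
SIGNATURES = [
    ("eval(base64_decode(...))", re.compile(r"eval\s*\(\s*base64_decode\s*\(")),
    ("eval(gzinflate(...))", re.compile(r"eval\s*\(\s*gzinflate\s*\(")),
]
PHP_EXT = (".php", ".phtml", ".php5")

def scan_php_source(source):
    """Return [(line number, signature label)] for every suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        hits.extend((lineno, label) for label, rx in SIGNATURES if rx.search(line))
    return hits

def scan_tree(root, upload_dirs=("fileadmin",)):
    """Walk a TYPO3 document root; report PHP files with an obfuscated eval and
    any PHP file under an upload-only directory (should never exist there)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            issues = []
            if rel.split("/")[0] in upload_dirs:
                issues.append("PHP file inside upload directory")
            with open(path, encoding="utf-8", errors="replace") as fh:
                issues += [f"line {n}: {lbl}" for n, lbl in scan_php_source(fh.read())]
            if issues:
                report[rel] = issues
    return report

def demo():
    """Build a constructed (fake) TYPO3 tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "fileadmin", "images"))
    os.makedirs(os.path.join(root, "typo3conf"))
    samples = {  # constructed sample files, not real TYPO3 or attacker code
        "index.php": "<?php\n// constructed sample of an injected line\neval(base64_decode('QUJD'));\n",
        "typo3conf/localconf.php": "<?php\n$TYPO3_CONF_VARS['SYS']['sitename'] = 'Example';\n",
        "fileadmin/images/shell.php": "<?php\necho 'uploaded via FTP';\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run demo() to see the report for the constructed tree; in practice point scan_tree() at the real document root and review every flagged path by hand.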

Associated revisions

Revision 1080
Added by Michael Schams over 1 year ago

[TASK] in several chapters: the use of FTP (and other services that bypass TYPO3) is not recommended (resolves: #30733)
[TASK] chapter "TYPO3 Integrator -> Content elements": "HTML element" and "RTE" clarified (resolves: #31849)
[TASK] chapter "Detect a hacked website -> Leaked credentials" added (resolves: #31851)
[TASK] chapter "Guidelines for Editors -> Notify at login" added (resolves: #31853)
[TASK] chapter "Guidelines for Editors -> Lock to IP address(es)" added (resolves: #31854)

History

Updated by Chris topher over 1 year ago

  • Target version set to 1.0.0

Updated by Michael Schams over 1 year ago

  • Status changed from New to Accepted

I think I know what you mean in general, but please let me comment on your points above in detail :-)

Often the attacker manipulates PHP files...

Ok, this is the result of an attack and I would entitle this as something like "How to detect a hacked TYPO3 site". From my perspective this would logically fit into chapter "After an Attack" and yes, it makes perfect sense. Maybe the Security Team has an opinion on what the typical "results" of an attack are (I suspect manipulating the index.php file is a very rare case)?

...Stealing FTP credentials can happen by trojans...

I understand what you want to tell the reader but I would argue that this is out of scope of the TYPO3 Security Guide, simply because it is not really TYPO3-related. If we start to explain how an attacker could place a trojan, why old browser versions are insecure or how users should protect their operating systems, we could write a book :-)

So, I would suggest focusing on TYPO3 and everything around it, which brings me to the next point:

When a FTP account is set up, it is extremely important to specify the directory,...

Oh, yes, definitely! I totally agree. I think we covered this in chapter "System Administrators -> File/directory permissions" but I have not explicitly mentioned FTP (or SSH, WebDAV, etc.) protocols. Do you think we should add this or is this clear enough?

Attackers look for code with security issue...

Yes, highlighting this makes sense, too. I think this would fit into chapter "Keep TYPO3 extensions up-to-date". So, we explain what the risk is before reminding the reader to regularly update their extensions.

Updated by Michael Schams over 1 year ago

  • % Done changed from 0 to 90

Updated by Chris topher over 1 year ago

Michael wrote:

I would argue that this is out of scope of the TYPO3 Security Guide, simply because it is not really TYPO3-related. If we start to explain how an attacker could place a trojan, why old browser versions are insecure or how users should protect their operating systems, we could write a book :-)

OK, maybe you can then just mention this in a short note in the Introduction.
That way the readers know that we have not forgotten this topic, but that it is intended that things like updating the web browser, the OS and so on are not covered in this manual. :-)

FTP: ... I have not explicitly mentioned FTP (or SSH, WebDAV, etc.) protocols. Do you think we should add this or is this clear enough?

You have already included that: "Secondly, restrict the access to the required resources only (e.g. “fileadmin/images/” or “fileadmin/downloads/”)". It is good that way. :-)

Attackers look for code with security issue...

Yes, highlighting this makes sense, too. I think this would fit into chapter "Keep TYPO3 extensions up-to-date". So, we explain what the risk is before reminding the reader to regularly update their extensions.

The idea sounds good.

Updated by Georg Ringer over 1 year ago

Still, I would love to see something like "FTP is insecure, don't use it". We also tell people to always update their OS.

You have already included that: "Secondly, restrict the access to the required resources only

This is more security by obscurity, because an FTP or SFTP connection makes it possible to upload any PHP shell, no matter whether it is in fileadmin or in var/www; the difference is not that much.

Updated by Michael Schams over 1 year ago

  • Assignee set to Michael Schams

Ok, Georg, I got your point. The latest changes will reflect this. The document will recommend not to use any "other service" (such as FTP, SFTP, SSH, WebDAV, etc.) with write access to the web server's document root directory (and sub-directories), because this would bypass TYPO3's security measures.

I also said that updating OS and browser versions, etc. is out of scope, but realized that I have written something in chapter "General Guidelines: Operating system and browser version". So, this should make you and Christopher happy and I will close this task as resolved at the next SVN commit :-)

Updated by Michael Schams over 1 year ago

  • Status changed from Accepted to Resolved
  • % Done changed from 90 to 100

Applied in changeset r1080.

Updated by Chris topher about 1 year ago

  • Status changed from Resolved to Closed
