Archive for February, 2008

 

What is your version?

A time ago when was asking some stuff on Cake’s IRC :) I heard a question like this:

Is there security holes or potential security risks in CakePHP?

The answer was like this:

This depends mostly on how you implement certain things. Also Cake doesn’t force you to include its signature, even if there exists security vulnerability, it’s harder to find Cake apps by typing “Powered by CakePHP” in Google. (like you can do with, for example, PhpBB)

Note: This isn’t the exact question/answer, just like I remember them. I don’t doubt Cake is secure/stable enough ;)

The first part of this answer is quite obvious – in terms of security, you may use a good tool to create insecure application.

The second part of the answer is quite interesting. That’s normally most opensource products have signature and version included to its public access area. Even if it is removed from template, it still may be available in meta tags or other places. Most popular software (like forum, blog, shopping scripts) has security bugs which require patches or version update. Updates are released on a regular basis, however I suppose there remains a big amount of sites using old versions of software due to different reasons (and thus – still vulnerable).

For example, my WordPress dashboard remainds me once a month about a security update. This requires me to download and install it, so I have to spend on this some amount of time every month. If I run 10 different blogs on 10 different hosting servers I have 10 times more work. That’s because of the version available to anyone. This doesn’t mean my blog becomes more protected from a hack if there is no version available, but in this case it wouldn’t be listed in Google and saying “please hack me”.

Btw, looks like Google tries to protect sites which use vulnerable scripts: this is what I got when tried to search for +”Powered by phpBB 2.0.6..10″ -phpbb.com -phpbb.pl (phpBB sql injection vulnerability, sourse). Yahoo doesn’t do it.

Decision: Site owner should always be well informed about software version, its security holes and ability to fix them, however, in order to make site more protected, there is no necessity to provide anyone with such information.