ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Web Security is a Three Edged Sword

May 15, 2009 6:14pm

  • #1 / May 15, 2009 6:14pm

    Derek Jones

    7561 posts

    We just released a new build of ExpressionEngine 1.6.7 that includes some measures to help prevent information disclosure due to residing on insecure server environments, and it got me thinking that it would be a good time to write up a post on web security basics for people new to the subject and as a reminder for pros.

    There’s an aphorism from the TV series “Babylon 5”: Understanding is a three-edged sword: your side, their side, and the truth.  In a similar vein comes the title of this blog post.  Web security is a three-edged sword: the server, the software, and you.  Like most truisms, it is self-defining, obvious, and relatively uninteresting because it doesn’t tell you anything that you don’t already know; it’s just wrapped up in a pithy phrase.  Perhaps due to their boring “heard-it-before” nature, the truths spoken in such phrases are easily and quickly forgotten in day-to-day routines or in moments of panic, both times that we as humans tend to run on instinct and auto-pilot instead of giving weighty thought to matters.

    Continue reading…

  • #2 / May 15, 2009 6:30pm

    Mark Bowen

    12637 posts

    Hi Derek,

    Thanks for such an excellent post. Very insightful reading that was.

    Best wishes,

    Mark

  • #3 / May 15, 2009 7:51pm

    budulay

    6 posts

    Thanks for the EE fix. Was this build fix maybe after my Twitter post? 😊

  • #4 / May 15, 2009 7:52pm

    Todd D.

    460 posts

    Thanks for the update. I was thinking about upgrading my build earlier this week because I’m still using 20090211. I’m glad I waited.

    In addition, I’m thrilled to see the Flash Video mime type added. This was a needed addition to the system.

    Looking forward to my upgrade work. 😉

  • #5 / May 15, 2009 9:31pm

    Derek Jones

    7561 posts

    Thanks for the EE fix. Was this build fix maybe after my Twitter post? 😊

    The build update was happening anyway, though your tweet did encourage me to blog about security after a few people asked me about it.  I’m removing the link for now - it would be a pretty rare (and foolish) set of circumstances that would lead to it causing a problem, but there’s no need to encourage exploit attempts.  It’s a pretty selfish and thoughtless way to report security issues in that manner (the poster in that forum, not you).  You should feel free to contact any of us directly with bug / security concerns you might have, as we can’t monitor Twitter as an official channel of supporting our products.

  • #6 / May 15, 2009 9:32pm

    AlanM

    74 posts

    I love the B5 reference. Was that G’kar or Londo? 😊

  • #7 / May 15, 2009 9:37pm

    Derek Jones

    7561 posts

    I love the B5 reference. Was that G’kar or Londo? 😊

    I think it was Kosh?  My memory of the series is rather faded, so I’m relying on Nevin, heh.  As he reminded me, Kosh never explained the three edges - Sheridan eventually figured it out and said the full quote.

  • #8 / May 15, 2009 9:41pm

    AlanM

    74 posts

    Heh, I looked it up just after I posted. Yeah, it’s Vorlon. My memory is hazy too. I actually thought it was G’Kar but wasn’t sure. I loved that show. 😊

  • #9 / May 16, 2009 2:58am

    Nevin Lyne

    370 posts

    I tend to watch the series over and over in the background in iTunes while working on stuff.  I tend to like to have TV shows or movies I like, but have seen a lot, so while it’s entertaining I am not really missing anything if I don’t directly pay attention all the time either.

    Now for the geeky part <shakes head>. Captain Sheridan says it to the Vorlons in “Into the Fire”, Season 4, Episode 6, the end of the Shadow war…  “Into the Fire”, quite fitting for the topic of your blog post, security in the wilds of the Internet… which is always a trial by fire.

    Thanks for a great blog post.

  • #10 / May 16, 2009 4:29am

    Mark Bowen

    12637 posts

    You beat me to it Nevin 😊 Used to love watching that show.

    Reference here 😉

  • #11 / May 18, 2009 4:58am

    Benoît Marchal

    204 posts

    I’m not sure I understand why running as www is a security concern. Could you please elaborate?

  • #12 / May 18, 2009 5:27am

    Ingmar

    29245 posts

    Please note the rest of the sentence, ‘without additional “jail” type security’. Why is this such a concern? Because it means that other user accounts, either malicious to begin with or subsequently compromised, who have access to the same “www” user may possibly read, or worse, write your files as well. In the former case they can access your db password in config.php (which is really all it takes), in the latter case they could inject malicious code into your index.php etc.
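    A quick way to check for the exposure Ingmar describes is to audit the mode bits on the files he names. The script below is an added example, not code from the thread or from ExpressionEngine; it assumes an EE 1.x layout with `system/config.php` under the install directory given as the first argument, and uses GNU `stat` with a BSD fallback.

    ```bash
    #!/bin/sh
    # Added example: audit an ExpressionEngine install for files that other
    # accounts sharing the "www" user (or group) could read or write.
    # Assumed layout: $DIR/system/config.php, $DIR/index.php, $DIR/system/index.php

    # audit_file FILE OCTAL_MASK LABEL
    # Prints a finding and returns 1 if any permission bit in OCTAL_MASK is set
    # on FILE; returns 0 when the file is safe, 1 if it cannot be stat'ed.
    audit_file() {
      file=$1; mask=$2; label=$3
      mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) \
        || { echo "MISSING  $file"; return 1; }
      # "0$mode" and the mask are octal literals in POSIX arithmetic expansion
      if [ $(( 0$mode & $mask )) -ne 0 ]; then
        echo "FINDING  $file (mode $mode): $label"
        return 1
      fi
      return 0
    }

    # audit_ee_dir DIR -> 0 when nothing is exposed, 1 when at least one finding
    audit_ee_dir() {
      dir=$1; rc=0
      # config.php holds the database password: group/other read (044) means
      # any other tenant running as the same user/group can copy it out.
      audit_file "$dir/system/config.php" 044 \
        "readable by group/other (db password exposed)" || rc=1
      # index.php is executed by the web server: group/other write (022) lets
      # another tenant modify the code that your site runs.
      for f in "$dir/index.php" "$dir/system/index.php"; do
        [ -e "$f" ] && { audit_file "$f" 022 \
          "writable by group/other (code injection)" || rc=1; }
      done
      return $rc
    }

    # Usage: sh audit_ee.sh /path/to/ee_install
    if [ -n "${1:-}" ]; then
      audit_ee_dir "$1"
    fi
    ```

    Passing the audit does not make a shared host safe (the user-level isolation Ingmar mentions is still needed), but a failing result is a concrete sign that other accounts on the box can reach your configuration or code.
    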

  • #13 / May 18, 2009 6:22am

    Benoît Marchal

    204 posts

    Thanks for the clarification.

  • #14 / May 21, 2009 5:01am

    Reese Spykerman

    41 posts

    I give you my total respect for the month for quoting B5.

    And thanks for this great write up 😊

  • #15 / May 30, 2009 7:35am

    ladams1949

    100 posts

    Hi. I just came from an internet security talk yesterday which got me to thinking about EE. So was happy to see this blog.  Just to be sure though…

    Does EE sanitize all user inputs found within its own code and modules?  Not PHP we might add ourselves, but product features found within EE itself?

    Also, what security concerns should we have with 3rd party module add-ons and such to EE?

