Possible security issue - comments wanted

Posted At : February 29, 2008 4:26 AM | Posted By : Raymond Camden
Related Categories: BlogCFC

Earlier this week I had a discussion with Patrick McElhaney about a possible security issue with BlogCFC. Patrick pointed out that the Pod Manager lets you add any CFM code you want to your pods. Patrick felt this was a danger as a blog author could put malicious code up on their blog.

Now my feeling is that this is no different then the file manager. Also - you have to trust your blog authors somewhat. I mean, if I'm a blog author and wanted to screw your box over, I could always post porn or other damaging material.

While I see the risk - I just see it as more of an edge case. Anyway, you can easily disable the File Manager via an INI setting, as well as disabling the ability for blog writers to change their settings. Scott Pinkston sent me a mod to give the same ability for the Pod Manager. It would completely turn it off - not just the edit ability.

Thoughts?

Comments (12) | Print | Send | del.icio.us | Digg It! | Linking Blogs | 1214 Views
Comments
[Add Comment]
nick tong's Gravatar It's fine if you ask me Ray. As you say they can screw it up other ways. I like this feature.
# Posted By nick tong | 2/29/08 4:39 AM
Scott P's Gravatar just subscribing to comments...
# Posted By Scott P | 2/29/08 5:21 AM
Phil Duba's Gravatar I agree, an ini file setting to turn it off is fine.
# Posted By Phil Duba | 2/29/08 5:42 AM
paul verhoef's Gravatar I think most off the cases that the owner is also the author so no problem there, and if it is not so than there should be trust relationship.
# Posted By paul verhoef | 2/29/08 5:44 AM
Wilgeno's Gravatar The way I see it Ray is that the owner and authorized operators, programmers, authors etc. of any website could post malicious code. As a programmer and security buff working for a small company and very small web business owner I have to act responsibly in order to keep people coming back. I have to make business decisions to trust people to work on my code. We trust that others will do the same. Most of us know where not to go on the web in order stay safe.

There are possible options here. You could create an authorization system for Pods that simply prevents a Pod from being used until it is approved by someone with the proper trust level. You could write security that is so tight that your product becomes cumbersome.

Also, since I am a very new user of (2 weeks or so) blogCFC I do not know if it has roll based logins and access permissions. I didn't see anything that looked like that as I work on the code (I made mods to get blogCFC working with PostgreSQL and BD JX 7.xx). I did see a table that stored logins, but not user types or rolls. It would be possible to create a few predefined user rolls that had certain permissions. This could take a lot of coding depending on the desired implementation. And it could limit the risk to the owner of the blog from an author gone bad.

For myself since I am the only one working on my code I do not need this. I can usually trust myself.

Wil
# Posted By Wilgeno | 2/29/08 7:07 AM
Jake Munson's Gravatar I agree with paul and Wilgeno, the software is open source, which means they can do whatever they want with it anyway, regardless of the pod manager. And I love the pods.
# Posted By Jake Munson | 2/29/08 8:14 AM
Raymond Camden's Gravatar To be clear - I have no intention of removing pods. The proposed change (which Scott P has already written) is to make pod management a boolean that you can enable/disable for a blog.

@Wilgeno: Right now there is only one level of user - a blog author. For v6 I'll probably expand that so you can give people rights to do blog entries, but not touch anything else.
# Posted By Raymond Camden | 2/29/08 8:17 AM
John Edwards's Gravatar I'm new to blog.cfc so if I missed something let me know.

I realize this is a little off topic but since File Manager was mentioned in this entry I thought I would add my suggestion here. Have you considered adding an INI setting for a starting point for File Manager? I trust our editors to post appropriate content but I would rather they not have the ability to add/delete blog application files. I've created a sub-folder under "/blog-name/client" named "userfiles" and made a change to /blog-name/client/admin/filemanager.cfm to be the starting point so no files above that in the directory tree can be modified.
# Posted By John Edwards | 3/14/08 2:19 AM
Raymond Camden's Gravatar That's not a bad idea. Will you remember it further down the 6.0 timeframe?
# Posted By Raymond Camden | 3/14/08 3:40 AM
Sergio Valladares's Gravatar I'm trying to run Blogcfc with oracle, but once I pust any comments to a POst nothing works.

It seems like the GetEm Query is to heavy or something like it. I have several time out errors.

Thanks
# Posted By Sergio Valladares | 5/20/08 3:38 PM
Raymond Camden's Gravatar Sergio, I'm not quite sure how this comment makes sense here. If you want to report a bug, please report it at blogcfc.riaforge.org.
# Posted By Raymond Camden | 5/20/08 4:07 PM
Sergio V's Gravatar Sorry... I'll do that, by the way I fixed it.
# Posted By Sergio V | 5/22/08 5:24 PM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.9.002. Contact Blog Owner