Download
2013-02-15, 00:10:45
It means do not be an idiot.
Just like when your using your bank site or any other site.
Do not click links blindly, do not click links to your own CMS admin pages.
These would be targeted attacks not drive bys.
The reason these are low, is because you have to be logged in, and we do not have persistant sessions, and we do not have multi users logged in typically, there is 1 admin user, and you only need to log in when you are editing the cms, not always.
There are things we can do to protect against these, and if i had more time or more devs it would be done.
You can see all the serious threats i fixed in 3.2 doign my own security audits, but we are still limited on resources and inheriting this codebase from chris and playing catch up for the most part.
3.2 fixes some of these due to the traversal fixes i already implemented.
We can add output filtering for all user input. Which should have been done anyway to begin with.
We can add refferer checking to all input, I think its restricted to editing pages.
We can add csrf checks to more operations
We can add a better antixss filter, martin wrote ours a very long time ago, and xss evolves alot.
Just like when your using your bank site or any other site.
Do not click links blindly, do not click links to your own CMS admin pages.
These would be targeted attacks not drive bys.
The reason these are low, is because you have to be logged in, and we do not have persistant sessions, and we do not have multi users logged in typically, there is 1 admin user, and you only need to log in when you are editing the cms, not always.
There are things we can do to protect against these, and if i had more time or more devs it would be done.
You can see all the serious threats i fixed in 3.2 doign my own security audits, but we are still limited on resources and inheriting this codebase from chris and playing catch up for the most part.
3.2 fixes some of these due to the traversal fixes i already implemented.
We can add output filtering for all user input. Which should have been done anyway to begin with.
We can add refferer checking to all input, I think its restricted to editing pages.
We can add csrf checks to more operations
We can add a better antixss filter, martin wrote ours a very long time ago, and xss evolves alot.
