security standard of serendipity (using it as a cms)

Posted: Tue Oct 04, 2005 12:50 pm
by guestuser
hello,
I am just thinking about using Serendipity as a CMS for a client's website. Now I am not sure whether it's secure enough. A friend told me that he was using a former version of Serendipity (not the recent version) and that this wasn't a good idea, because one could find out the database password, which wouldn't be encoded...
So I wonder whether the most recent version is secure enough to use it as a CMS for an enterprise's website. I hope to get some advice.
thanks,
steve.

Re: security standard of serendipity (using it as a cms)

Posted: Tue Oct 04, 2005 4:30 pm
by garvinhicking
Of course, security in open-source software is only as good as its support and your paying attention to that.

The Serendipity Developers have in the past reacted to security issues with new releases in less than 24 hours and announced them on their blog.

Some weaknesses were discovered because of foreign PEAR or other PHP files, which we usually just bundle and use.

All in all I would consider Serendipity a secure application. But nearly every open-source application has had bugs, and you can never promise that no new bugs pop up. If you take the time to check for updates regularly, you should be pretty safe though. As safe as it can get. :)

About the password issue: It is true that Serendipity stores the password inside a file unencoded. This is because of performance reasons and because Serendipity needs to decode the password at some step; this has to take place on the server, so even if the password were encoded, at some step it is decoded, and every hacker who can read the file with the password inside it would already have sufficient access to the machine to hack any part of the application and decode the password.

Thus, encoding the password for the SQL connection is only security by obscurity, and this has never worked in the past. Instead, you should focus on the webserver configuration and raise all barriers so that the file serendipity_config_local.inc.php can only be read by the webserver and nobody else.

If Serendipity runs on a dedicated server without other customers, it is easy to ensure that nobody else can read that file. If it runs on a shared server, your server admin needs to make sure (via suExec, open_basedir and so on) that files from other people cannot be read.

If this requirement is met, nobody can easily read your password and it's as safe as it would be if it were encoded.

Regards,
Garvin
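The check Garvin describes, that serendipity_config_local.inc.php is readable by the webserver and nobody else, can be scripted. The following is an added example (not code from the thread or from the Serendipity project); the config path and the webserver group name in it are placeholders to adjust for a real installation.

```shell
#!/bin/sh
# Added example (not from the thread): audit the permissions of the file that
# holds Serendipity's database password, so that only the webserver can read it.
# Assumptions: the config path and the webserver group name used below are
# placeholders; adjust both for the real installation.

# Print a file's octal permission bits (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print a file's group name (GNU stat, with a BSD fallback).
file_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# check_config_perms FILE WEBSERVER_GROUP
# Returns 0 when FILE is not readable by "other" users and belongs to the
# webserver's group; returns 1 (and prints the reason) otherwise.
check_config_perms() {
    file="$1"
    want_group="$2"
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    mode=$(file_mode "$file")
    # The last octal digit holds the permission bits for "other"; any value
    # with the read bit (4) set means every account on the box can read it.
    other=${mode#"${mode%?}"}
    case "$other" in
        4|5|6|7)
            echo "FAIL: $file is world-readable (mode $mode); use chmod 640 or 600"
            return 1 ;;
    esac
    group=$(file_group "$file")
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $file is in group '$group', expected webserver group '$want_group'"
        return 1
    fi
    echo "OK: $file mode $mode, group $group"
    return 0
}

# Stand-alone usage with placeholder values (path and group are assumptions):
# check_config_perms /var/www/serendipity/serendipity_config_local.inc.php www-data
```

On a shared host this only covers file ownership and mode; the open_basedir and suExec settings Garvin mentions are configured on the PHP/webserver side and need checking separately.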