[BlueOnyx:05466] Re: Dealing with /admin URL 'hijacking

James Darbyshire jamesdarbyshire at gmail.com
Sat Sep 25 18:37:33 -05 2010


Steph,

But what you are suggesting is that security by obscurity is the answer in
this case - which is a dangerous path to follow.

It may be easier for someone to break into the CMS than into the BO backend,
but once they are into BO then they can do everything you suggested, not
only to one site, but to every site on that host.

I don't know how you run your business, or how the law works in the US, but
here in Australia the client is responsible for the security of what they
install on their website, and the host is responsible for the security of
the server. If a CMS was hacked, I would not be responsible.

Of course the optimal solution would be to use some kind of TLS and
intelligent intrusion detection software on both systems which locks access
out when it thinks an attack is taking place.

Rashid, I suspect you are correct in saying that BO authentication is
probably harder to crack than that of a stock CMS, but the point should be
that yes, an attacker can get into one website and cause havoc, but only
within that CMS on that specific site. Other sites will be unaffected. I
would also hazard a guess that many people are not as vigilant as you or I,
and do not frequently change their passwords.

In short, I don't believe security by obscurity is the answer in either
case, but I would rather the attacker accessed one site only, and not the
server which has access to all.

Regards,

James Darbyshire

Sent from my Samsung Droid™

On 26/09/2010 1:28 AM, "Stephanie Sullivan" <ses at aviaweb.com> wrote:

I must not concur. That’s not the worst thing. Picture this:

They break into my client’s zencart, oscommerce or CC processor integrated
cms (as joomla and drupal have plugins/extensions and I have clients using
them). They get into the client’s site and modify the CC credentials to
process using their bogus merchant account. Maybe they put a hack in to
steal their CC numbers. Now you have a security breach that has big legal
implications that you and/or your client have to legally disclose in the US.
You probably have clients screaming at you about bogus charges on their
card. Eventually the site is defaced and their tracks are covered by wiping
most of your database.

Finally your client’s reputation is damaged/destroyed and they are angry
with you and spread the word they got hacked on your platform, damaging your
reputation, etc…

I would think it’s far from the worst thing. Of course it may be worse if
you are the client than the hosting company.

Thanks,

-Stephanie

From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On Behalf Of James Darbyshire
Sent: Saturday, September 25, 2010 10:30 AM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:05461] Re: Dealing with /admin URL 'hijacking

I disagree. Certainly it is not best practise for any admin functions to be
accessible through ...

_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx
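The "intrusion detection software which locks access out" that James mentions as the optimal answer is, in its simplest form, a failed-login counter per source address. The following is an added example written for this page; it is not code from the thread, from BlueOnyx, or from any CMS. It reads constructed Apache combined-format access log lines, counts failed requests to watched admin paths per client IP inside a sliding time window, and reports which addresses should be locked out. The watched paths (/admin for the BlueOnyx GUI, /administrator for a Joomla site on the same host), the treatment of 401 and 403 as login failures, and the log lines themselves are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Admin paths to watch. Assumed for illustration: the BlueOnyx GUI under /admin
# and a Joomla site's /administrator living on the same host.
WATCHED_PATHS = ("/admin", "/administrator")

# Statuses counted as a failed login attempt (assumption: the login handler
# answers 401 or 403 on bad credentials).
FAILED_STATUSES = {"401", "403"}

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not taken from the list post): 203.0.113.7 hammers the
# BlueOnyx login, 198.51.100.22 tries the Joomla login slowly, 192.0.2.5 is a
# legitimate admin who logs in on the first try, plus one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2010:01:30:01 -0500] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.19"
203.0.113.7 - - [26/Sep/2010:01:30:02 -0500] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.19"
203.0.113.7 - - [26/Sep/2010:01:30:03 -0500] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.19"
203.0.113.7 - - [26/Sep/2010:01:30:04 -0500] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.19"
203.0.113.7 - - [26/Sep/2010:01:30:05 -0500] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.19"
203.0.113.7 - - [26/Sep/2010:01:30:06 -0500] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.19"
this line is not in combined log format and must be skipped
198.51.100.22 - - [26/Sep/2010:01:31:00 -0500] "POST /administrator/index.php HTTP/1.1" 403 220 "-" "Mozilla/5.0"
198.51.100.22 - - [26/Sep/2010:01:32:00 -0500] "POST /administrator/index.php HTTP/1.1" 403 220 "-" "Mozilla/5.0"
198.51.100.22 - - [26/Sep/2010:01:33:00 -0500] "POST /administrator/index.php HTTP/1.1" 403 220 "-" "Mozilla/5.0"
198.51.100.22 - - [26/Sep/2010:01:34:00 -0500] "POST /administrator/index.php HTTP/1.1" 403 220 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Sep/2010:01:35:00 -0500] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Sep/2010:01:35:01 -0500] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def failed_admin_logins(lines):
    """Yield (ip, timestamp) for every failed request to a watched admin path."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line: skip it, never crash on junk
        if m["status"] not in FAILED_STATUSES:
            continue  # successful logins and ordinary pages are not attempts
        if not any(m["path"].startswith(p) for p in WATCHED_PATHS):
            continue  # failures elsewhere on the site are not login attempts
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def find_lockouts(lines, threshold=5, window_seconds=60):
    """Return {ip: time of the failure that triggered the lockout} for every IP
    that accumulates `threshold` failures inside a sliding window of
    `window_seconds`. Lines are assumed to be in chronological order, as a
    log file is."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    locked = {}
    for ip, ts in failed_admin_logins(lines):
        if ip in locked:
            continue  # already locked out; further attempts change nothing
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the window before deciding.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG.splitlines()).items():
        print(f"lock out {ip} (triggered at {when.isoformat()})")
```

With the defaults, only 203.0.113.7 is locked out, at its fifth failure. The slow client 198.51.100.22 never has more than two failures inside any 60-second window and stays under the threshold; widening the window to 300 seconds with a threshold of 4 catches it. That trade-off is the whole design question for this kind of lockout: a short window spares legitimate users who mistype a password a few times, a long window is what it takes to notice a patient attacker. Counting failures to the CMS path and the BlueOnyx path separately, as the constants above do, also matches the thread's point that the two are different systems with different blast radii.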