Best Practices for plugin security? Best Practices for plugin security?
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Best Practices for plugin security?

Started by slausen, April 13, 2008, 10:55:23 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

slausen

Hi-

I went through and pulled a list of plugins that I might want to make available in my gallery, but one thing that I am unclear about is the best practice for applying security to plugin functionality...

Is there a general way to, for example, restrict access to certain plugins to users in the Administrator group?

The stats plugin (Francois Keller 1.1.1 version) is a good example. It is a great plugin, but I would not want it to be available to non-Administrators. Some others in this category are File Replacer, onlinestats, Filetypes Editor, minicms. Is there a standard way to apply security to items in the plugins/ directory, so that they are only viewable/accessible/executable by Admins?

From a cursory reading of index.php and several plugins, it also seems like it may be possible for a logged in user to execute any installed plugin (either directly, since the 'plugins/' directory is at the cpg webroot or via the "file=" parameter appended to index.php)

If I am mistaken, it would be great to know. Also, if the best practice is not to run plugins in an environment where security is a concern, that would be good to know also. I guess for some plugins, I could disable them and remove the directories containing the files from the server and only enable them during maintenance and downtimes, but if there is a more straightforward solution, I would prefer that.

Thanks.

slausen

Quote from: slausen on April 13, 2008, 10:55:23 PM
it also seems like it may be possible for a logged in user to execute any installed plugin (either directly, since the 'plugins/' directory is at the cpg webroot or via the "file=" parameter appended to index.php)


I was just doing some further testing on this, and have found that even after uninstalling (via the CPG Plugin UI) the stats plugin, I am still able to execute it by submitting the URL 'http://path/to/cpg_root/index.php?file=stats/stats' as an unprivileged (non-Admin, member of "Registered" group) user.

I checked the _plugins DB table and the stats plugin is no longer there.

I also logged out and logged back in - the Stats link vanished from the menu after the uninstall, but the direct URL submit appears to run the plugin even though it's no longer "installed"

In addition to this being a possible bug, it also seems like a security risk...

Nibbler

It's up to the plugin authors to secure them properly, however being able to access plugins after they have been uninstalled is probably a bug.

slausen

Quote from: Nibbler on April 14, 2008, 12:39:58 AM
It's up to the plugin authors to secure them properly, however being able to access plugins after they have been uninstalled is probably a bug.

Thanks Nibbler, I think I will hold off on the plugins at the moment.

tfischer

MiniCMS works properly only in Admin mode (you can, of course, see the content as a non-admin user).  All the other plugins I use that should be admin-only work properly in that regard.  I've never used the stats plugin so I can't speak to that one, but I wouldn't let one plugin cloud your judgement of all of them -- as Nibbler said it's up the the plugin implementor to do things right.

-Tim