CMSimple 4.5.2 V CMSimple XH

[mikey]

The recently closed thread did bring up some seriously valid points. ( viewtopic.php?f=2&t=8488 )

Apart from the obvious personal ideas ( of which i have many ) , the most important note for users of cmsimple , would be security.

So, just how secure is your website, for your users.

CMSimple 4.5.2 V CMSimple XH

1. Do you keep your website up to date with latest patches ?
2. Are all plugins used, regularly updated ?
3. Do you have a solid forum support (24 hrs) ?
4. Does my website adhere to the latest threats, and updated accordingly ?

So, the only question you need to ask your website provider / designer is, " Are there current vulnerabilities in my website code that could affect my website ? "

These are the most important things to remember when not only setting up a website, but having the constant support you will surely need going forward.

On a final note, CMSimple 4.5+ IS actually a form of XH, let's not forget that

So time to ask your website designer, is MY site as secure as it can be !

[Gert]

Hallo Holger,

jetzt wäre es doch mal an der Zeit, die von Dir angekündigten "härteren Moderationswerkzeuge" anzuwenden.

Die meisten CMSimple_XH User wollen diese Diskussionen hier nicht. Sie wollen hier über CMSimple_XH diskutieren, sie interessieren sich nicht für das Original CMSimple, und sie wollen keine Beleidigungen lesen hier im Forum. Es sei denn vielleicht, wenn ICH beleidigt werde, aber das ist die Minderheit.

Den von Mikey verlinkten Thread kannst Du auch gleich komplett löschen, cmsimplewiki.com ist wieder editierbar - Thread gegenstandslos.

Schon lustig bei Euch - der eine Admin beendet eine entgleiste Diskussion, der nächste macht an anderer Stelle munter weiter ...

Gert

[cmb]

jetzt wäre es doch mal an der Zeit, die von Dir angekündigten "härteren Moderationswerkzeuge" anzuwenden.

Ich kann an Mikeys Post eigentlich nichts erkennen, was eine Moderation erfordern würde. Das einzige, was ich nicht optimal finde, ist die konkrete Gegenüberstellung von CMSimple 4.5.2 und CMSimple_XH. Letztlich betreffen die Hinweise alle Versionen/Varianten von CMSimple (und eigentlich sogar Web-Applikationen im allgemeinen). Da spielt das Thema Sicherheit eben eine wichtige Rolle. Vor nicht einmal zwei Jahren hat das BSI eine Sicherheitsstudie Content
Management Systeme veröffentlicht (auch CMSimple wird darin erwähnt, wenn auch nur in einer Statistik am Rande), was wohl kaum erfolgt wäre, wenn das Thema nicht relevant wäre.

Den von Mikey verlinkten Thread kannst Du auch gleich komplett löschen, cmsimplewiki.com ist wieder editierbar - Thread gegenstandslos.

Wenn alle erledigten Threads zu löschen wären, dann wäre viel zu tun, und viel historische Information wäre verloren. Einige der offensiven Posts sollten vielleicht tatsächlich gelöscht oder moderiert werden, aber ich frage mich, ob das unter http://cmsimple.org/forum/ auch geschehen würde. Beleidigungen und vor allem falsche Behauptungen gibt es dort zu Hauf zu lesen.

[mikey]

and wow ! so a thread like this, with normal replies should prevail in a forum

my main context, is security !

given that gert has replied in my thread, please answer my main concern

is cmsimple 4.5+ secure ?

forget all other posts, somewhat negative for all other reasons, only users need to be caring about their website

will your fork of cmsimple be secure, like this forums official release of XH

mikey

[mikey]

i'm also over this.....

One simple question, that can be answered by both versions coders !

1. GERT ? is your version of cmsimple 4.5+ secure and up to date with all known security issues ?

2. XH Coders ? is your version of cmsimple XH secure and up to date with all known security issues ?

I think users would like to know

This is the only reason i posted this thread

Edit + : and yes this forum is moderated at a much higher level than my ADMIN status, however this question is worthy

[cmb]

XH Coders ? is your version of cmsimple XH secure and up to date with all known security issues ?

I'm not aware of any vulnerabilities of CMSimple_XH 1.6.6 or the bundled plugins and templates. That doesn't imply that CMSimple_XH 1.6.6 is secure, because there might be unknown vulnerabilities, but I'm sure the developers would fix vulnerabilities in a timely manner, if they will be found. The most recent vulnerability had been detected on March, 5th, and CMSimple_XH 1.6.6 with the respective fix has been released March, 15th.

It might be regarded as a security issue, though, that we don't strictly recommend HTTPS for back-end access and encrypted FTP transfer, and that the version.nfo files are not accessed via HTTPS. However, to my knowledge the former is common for many Web CMS, and users are free to activate HTTPS on the servers (requires a certificate, of course) and can use FTPS. The latter is not optimal, but it's not immediately dangerous, because the worst thing that can happen would be a MITM attack pretending up-to-date versions, even though updates would be pending. But then again, a user could simply turn off the update check at all.

[Hugorm]

Does any of you have or know a tool or a toolset which can do test for all vulnerabilities or are you just talking 'hearsay' (Othher specialists found....)?
(It would be nice to have a tool calling a site and reporting back known issues and potentional riscs [a hacker-tool for testing] - without actually doing the attack).

Does any of you know have to find out whether the vulnerability is due to CMS or server supplyer?

In my basic training I was told: 'No IT-system is ever secure - keep back-ups!' - but that may not be the case with CMSimple?

Regards
Hugo

[Tata]

'No IT-system is ever secure - keep back-ups!'

I just read it and wanted to add my opinion. You probably remember my bad experience with hacked websites in the past. But what is spread nowadays around the hacking, attacks, security and vulnerabilities seems to me too paranoic.
Hugorn is right. No reliable security is real. One has realize that everything the man has found around (wooden stock, stone, fier, wather, wind, stone, etc.) was firt used to help the men. The other day it was used for attacks, destruction etc. The same way it is with all programs, systems etc. As long as one will look for vulnerabilities and holes, the men with other attitudes will look for the ways how missuse things or how to overcome the holes.
Security? 100% yes. But, please, no paranoya.

[cmb]

Does any of you have or know a tool or a toolset which can do test for all vulnerabilities or are you just talking 'hearsay' (Othher specialists found....)?

Well, basically we're not looking for new kinds/types of vulnerabilities (that's something for the specialists), but rather we're looking for already known types of vulnerabilities. I believe there are some tools which are testing for some vulnerabilities, but to my knowledge there are no free tools available suitable for our purpose. It appears that we have to rely on code reviews and on looking out for and analysing strange behavior sometimes reported by others. At least that is how most of the vulnerabilites in CMSimple_XH have been detected so far.

Does any of you know have to find out whether the vulnerability is due to CMS or server supplyer?

That depends on the vulnerability. Most can be clearly assigned to be either a vulnerability in the application or the underlying system (PHP, Webserver), but there may be edge cases where the distinction not so clear.

In my basic training I was told: 'No IT-system is ever secure - keep back-ups!' - but that may not be the case with CMSimple?

Well, security in this case is not only about the lack of vulnerabilities, but also about reliability and robustness. Anyhow, I suggest to make backups of a (CMSimple) website regularly.

Security? 100% yes. But, please, no paranoya.

I suggest that web developers should have a healthy dose of paranoia when it comes to security related issues. It's too easy to overlook even basic issues, otherwise.

[Hugorm]

I understand most of what you are all saying, but then not quite all!

When it comes to specialist developers testing for vulnerabilities I can see multi tools for multi single vulnerabilities.

When it comes to developers for user / customers it would be nice if all known riscs where included in one tool and one test.
Is it worth considering, as an exsample, a plugin or rutine suitable for CMSimple_XH?
Could a start be a updated text file with all known vulnerabilities listed?
Maybe an item under: Security section?