[kevinharper]

Has anyone had any problems with hackers? What are best practices for the security-conscious, besides strong passwords?

[cptr13]

Kevin.

I know nothing about security. Opencats is a l/wamp application, so I'm sure there's tons of information out there on general security.

Also, RussH is a sysadmin. You might private message him to get his thoughts.

But, everything that is web facing has vulnerabilities.

[tmarsh3]

Hi. Total Opencats noob here. However, I do have background in IT security and share the same concerns.

I'm implementing Opencats on my shared hosting provider, and have gone through extensive security scans and tests in order to make sure I'm not going to cough up user information or personally identifiable information due to a breach. In general, the app has passed all checks and scans, with only one caveat identified by the tinfoil security scanner. Note, I did make modifications to my Apache config, to change a number of security headers. Opencats survived all of those changes and is still working for me.

The one significant security flaw I may have uncovered is Cross-Site Request Forgery (CSRF) exposure. This is on all of the various input forms, especially the login forms. I am still reviewing the mountain of PHP and JavaScript code behind the pages so am not sure if this is a false positive. Details of CSRF exploits and recommended fixes are here: https://en.wikipedia.org/wiki/Cross-sit ... st_forgery.

From what I see, the team is doing a pretty good job. But I am not an expert or ethical hacker. For the CSRF issue, I see a random token value set in the CATS cookie, but I have yet to find the code that validates it every session. I didn't see a header with it either, so if it's cookie only, then there is a vulnerability as the cookie can be spoofed. If the code IS there though and I haven't found it, this is a false alarm. If not, then it's an opportunity for future security improvements.

Perhaps someone from the development team can chime in here.

[RussH]

Hi guys,

thanks for taking the time to evaluate OpenCATS.. lets take them one at a time.

Firstly - security measures; same as any web-facing app. Check your permissions. Check PHP. Check that you cannot upload executables. Check your MySQL permissions. Have a good htaccess file in place on your public facing website.
Personally I'm more paranoid and I don't enable the career portal - I use the opencats wordpress plugin to display a feed from our opencats instance. Probaby overkill, however I don't want to enable public access to any part of my main app server.

Secondly cross-site scripting - If you have a particular issue you think could be considered a security concern, please post it over to the github project as an issue (link's in my footer) and the dev's are usually quite good at getting back to you quickly. However all the opencats CI builds also get a codacy check which includes some automated XSS checks.