typo3 & security @ drupal meetup

Upload: georg-ringer

Post on 17-Jul-2015


Page 1: TYPO3 & Security @ Drupal Meetup

inspiring people to share.

Page 2: TYPO3 & Security @ Drupal Meetup

Drupal-Austria & WordPress Vienna Meetup / TYPO3: Inspiring people to share

Agenda

✓ About TYPO3

✓ What does Security mean?

✓ Knowing the enemy

✓ Pitfalls

✓ Best practices

✓ TYPO3 Security Team

Page 3: TYPO3 & Security @ Drupal Meetup

TYPO3 family

✓ CMS born in 1998, created by Kaspar Skårhøj

✓ Flow 1.0.0 2009

✓ Neos 1.0.0 2013

TYPO3 Usergroup Austria (TUGA)

✓ www.tuga.at

✓ 1x/month Linz <> Vienna

Page 4: TYPO3 & Security @ Drupal Meetup

Georg Ringer

✓ TYPO3 developer and user since 2005 (first extension still in production!)

✓ TYPO3 CMS core developer

✓ Member of the TYPO3 Security Team

✓ working at Cyberhouse GmbH (Linz, Vienna)

✓ proudest father for 14 months

Page 5: TYPO3 & Security @ Drupal Meetup

What does Security mean?

✓ Absence of potential damage

✓ Protecting information against: unauthorized access, unauthorized modification, loss

Page 6: TYPO3 & Security @ Drupal Meetup

CIA Triad: Confidentiality, Integrity and Availability of information

What does security mean?

Page 7: TYPO3 & Security @ Drupal Meetup

Characteristics of security

✓ There is no absolute security

✓ An environment is only as secure as its weakest point

✓ Security is an investment

✓ The effort spent on security must be proportional to the potential damage

✓ A system can be called secure if the effort of compromising it is far higher than the possible gains

What does security mean?

Page 8: TYPO3 & Security @ Drupal Meetup

Security is relative

✓ Security depends on your needs/kind of information

✓ Security depends on a certain point in time

✓ Security needs to be constantly adapted and improved

What does security mean?

Page 9: TYPO3 & Security @ Drupal Meetup

"Security is a process, not a product" (Bruce Schneier)

Page 10: TYPO3 & Security @ Drupal Meetup

Knowing the enemy

Page 11: TYPO3 & Security @ Drupal Meetup

Different motivations

✓ Money

✓ Influence

✓ Fame

✓ Fun

Knowing the enemy

Page 12: TYPO3 & Security @ Drupal Meetup

Different approaches

✓ Automated attacks

✓ Targeted attacks

Knowing the enemy

Page 13: TYPO3 & Security @ Drupal Meetup

Security problems

✓ XSS

✓ CSRF

✓ SQLi

✓ Header injection

✓ Code injection

✓ Insecure unserialize

✓ ...

Knowing the enemy

Page 14: TYPO3 & Security @ Drupal Meetup

Best practice

✓ Every request is an attack until the opposite is proven

✓ User input is untrustworthy

✓ User input needs to be validated, and encoded and escaped right before the output

✓ Encoding and escaping depend on the output context

✓ Separation of concerns

Page 15: TYPO3 & Security @ Drupal Meetup

What is user input

✓ $_REQUEST ($_GET, $_POST, $_COOKIE)

✓ $_FILES

✓ $_SERVER

✓ Filenames

✓ External services

✓ Editors are users!

Best practice
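Slides 14 and 15 say to escape right before output and that the encoding depends on the context. The following PHP is an added example (mine, not from the slides or from TYPO3) that takes one constructed value standing in for $_GET and $_SERVER input and escapes it for the HTML, URL, JavaScript and HTTP-header contexts; the function names and sample values are assumptions.

```php
<?php
// Added example (not from the slides or TYPO3): escape the same untrusted
// value right before output, choosing the encoder by the output context.
declare(strict_types=1);

// Constructed input standing in for $_GET['q'] and $_SERVER['HTTP_HOST'];
// both are user input in the sense of slide 15.
$query = '"><script>alert(1)</script>';
$host  = "example.test\r\nSet-Cookie: a=b";   // CRLF inside a header value

// HTML body and attribute context: encode <, >, &, " and ' as entities.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL query context: percent-encode so the value stays one parameter.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// Inline JavaScript context: JSON-encode and hex-escape HTML-significant
// characters so the value cannot close the <script> element.
function escapeJs(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// HTTP header context: there is no safe encoding for a line break, so a
// value containing CR or LF is rejected instead of being "escaped".
function assertHeaderSafe(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('line break in header value');
    }
    return $value;
}

// Header first (must happen before any body output), then three contexts.
try {
    header('Location: https://' . assertHeaderSafe($host) . '/');
} catch (InvalidArgumentException $e) {
    http_response_code(400);                  // reject, do not "fix"
}
echo '<p>Results for ' . escapeHtml($query) . "</p>\n";
// The href value sits in two contexts at once: URL inside an HTML attribute.
echo '<a href="/search?q=' . escapeHtml(escapeUrlParam($query)) . '">next</a>' . "\n";
echo '<script>var q = ' . escapeJs($query) . ";</script>\n";
```

PHP's own header() has refused values containing a line break since 5.1.2; the explicit check keeps the rule visible in application code and lets the application choose the error response.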

Page 16: TYPO3 & Security @ Drupal Meetup

Separation of concerns

✓ Security issues are bugs

✓ Clean code leads to fewer bugs

✓ Test driven development

✓ Leave security to security code

Best practice

Page 17: TYPO3 & Security @ Drupal Meetup

TYPO3 Security Team

Page 18: TYPO3 & Security @ Drupal Meetup

TYPO3 Security Team

✓ Responsible disclosure policy

✓ One communication channel ([email protected] with OTRS)

✓ TYPO3 Core: handling security issues; pre-announcements for critical issues only

✓ TYPO3 Extensions: handling security issues

✓ Communication: talks; awareness of security

Page 19: TYPO3 & Security @ Drupal Meetup

Processing a report of an extension (flowchart):

✓ Report by mail

✓ Check if valid

✓ Mail to reporter

✓ Contact author: no response, or response with patch

✓ Check patch

✓ Individual Sec. Bulletin or Collective Sec. Bulletin

✓ Bulletin!

✓ Author uploads extension, or we upload extension

✓ Publish bulletin on typo3.org

✓ Set old version as insecure

✓ Send mails / twitter

✓ Get a coffee/break!

TYPO3 Security Team

Page 20: TYPO3 & Security @ Drupal Meetup

Processing a report of the TYPO3 core (flowchart):

✓ Report by mail

✓ Check if valid

✓ Mail to reporter

✓ Fix with the Core Team

✓ Release new version

✓ Bulletin!

✓ Publish bulletin on typo3.org

✓ Send mails / twitter

✓ Get a coffee/break!

TYPO3 Security Team

Page 21: TYPO3 & Security @ Drupal Meetup

Questions? Thanks!

Page 22: TYPO3 & Security @ Drupal Meetup

Thanks to

✓ Helmut Hummel, as the slides are based on his various presentations

✓ Cyberhouse GmbH www.cyberhouse.at

✓ the awesome TYPO3 community
