LunpaCMS Whipping your website into shape! Introducing Lunpa, our mascot.  Her mother was a hamster and her father was Chilean M00se.  Oddly, neither smelt of elderberries.


LunpaCMS Security

Access to CMS Administration Section

LunpaCMS Administration section is protected by 2 layers of login. Apache Authentication is used for the first layer protection, and after passing it, users will be asked to provide his/her login credential again for second login process.

To access LunpaCMS Administration section, the user's account should have admin flag turned on. Also, the account shouldn't be suspended. Any user whose account is not 'admin' or in suspended condition can't access Administration section of LunpaCMS.

Suspended flag was introduced as of User Manager v1.69. Any site which was installed before this version should be checked to see if its Apache Authentication option has been upgraded properly. If it hasn't, an admin user can successfully pass the first layer of login while his/her account was suspended. However, he/she can't pass the second layer of login.

Please make sure to have following line in your admin/.htaccess file:

PerlSetVar Auth_DBI_pwd_whereclause "admin = 'true' and is_suspended = 'false'"

Also note that a custom version of AuthDBI is required in order to support password salting. You can download AuthDBI-1.12-PCCC here.

Built-in Security Features

LunpaCMS includes two features to prevent malicious frame and iframe embedding. By default, LunpaCMS sends the X-Frame-Options: DENY header. Additionally, framebusting javascript is included in main-begin.template as a fallback.

Security Notes

Suexec gives a shared codebase. Theoretically, these files could be modified and should only writeable by httpd user to avoid casual meddling.

The admin side is double protected. The .htaccess could be overkill, but basically 401 auth gates access to the admin directory in the first place, then scripts run their own cookie auth.

The double protection of the server uses AuthDBI which requires access to the my.cnf file BEFORE the suexec privileges are done, so the file is readable by httpd. This could theoretically allow one user of shared hosting to write a script that reads the other users files. Don't allow untrusted users to write and run arbitrary code.

To reduce potential for attacks on public-facing pages, follow basic security practices. Ensure that all public-facing inputs are stripped of HTML or escaped properly. Check all user input for validity before performing any actions.

How to Set Up an SSL Certificate

  1. Save the primary and intermediate certificates to a folder on the server with the private key.
  2. Open the Apache configuration file in a text editor. Apache configuration files are usually found in /etc/httpd. The main configuration file is usually named httpd.conf. In most cases the <VirtualHost> blocks will be at the bottom of this httpd.conf file. Sometimes you will find the <VirtualHost> blocks in a separate file in a directory like /etc/httpd/vhosts.d/ or /etc/httpd/sites/ or in a file called ssl.conf.
  3. If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a virtual host for each type of connection. Make a copy of the existing non-secure virtual host and change the port from port 80 to 443.
  4. Add the lines in bold below.
    <VirtualHost 192.168.0.1:443>
      DocumentRoot /var/www/website
      ServerName www.domain.com
      SSLEngine on
      SSLCertificateFile /etc/ssl/crt/primary.crt
      SSLCertificateKeyFile /etc/ssl/crt/private.key
      SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
    </VirtualHost>
  5. Change the names of the files and paths to match your certificate files:
    1. SSLCertificateFile should be your primary certificate file for your domain name.
    2. SSLCertificateKeyFile should be the key file generated when you created the CSR.
    3. SSLCertificateChainFile should be the intermediate certificate file (if any) that was supplied by your certificate authority
  6. Save the changes and exit the text editor.
  7. Restart your Apache web server using one of the following commands:
    /usr/local/apache/bin/apachectl startssl
    /usr/local/apache/bin/apachectl restart

How to Disable Directory Listings in Apache

It is strongly recommend to disable directory listings.

  1. Navigate to your Apache config file (httpd.conf)
  2. Open the config file using a text editor like vi (vi httpd.conf)
  3. Search for the directory section of the file where your website resides, and the Options keyword beneath that. It should look something like:
    <Directory /htdocs/your_site.com>
      Options Indexes
    </Directory>
    Update the option 'Indexes' from the above, so the line would read instead:
    Options -Indexes

Password Storage

Passwords in LunpaCMS are stored as SHA1 with a random salt that is different for every user, with one exception. The server-wide master admin user is not salted by default, for ease of server administration. The master password is assumed to be cryptographically strong and maintained by a responsible administrator, making this a safe tradeoff.


Add Your Comment


(Only a limited set of HTML tags such as <b>, <i>, <u> are allowed. Embedded flash video from Youtube or Vimeo are also supported.)


Copyright © 2018 Peregrine Computer Consultants Corp. All rights reserved.

About Lunpa, our mascot. Her mother was a hamster and her father was an ill-tempered Chilean M00se. Oddly, neither smelt of elderberries.
The artist is Jennifer Lomax.