The LunpaCMS Administration section is protected by two layers of login. Apache Authentication provides the first layer; after passing it, the user is asked to provide their login credentials again for the second login process.
To access the LunpaCMS Administration section, the user's account must have the admin flag turned on and must not be suspended. Any user whose account is not 'admin' or is suspended cannot access the Administration section of LunpaCMS.
The suspended flag was introduced in User Manager v1.69. Any site installed before this version should be checked to confirm that its Apache Authentication option has been upgraded properly. If it has not, a suspended admin user can still pass the first layer of login; they cannot, however, pass the second layer.
Please make sure the following line is present in your admin/.htaccess file:
PerlSetVar Auth_DBI_pwd_whereclause "admin = 'true' and is_suspended = 'false'"
Also note that a custom version of AuthDBI is required in order to support password salting. You can download AuthDBI-1.12-PCCC here.
LunpaCMS includes two features to prevent malicious frame and iframe embedding. By default, LunpaCMS sends the X-Frame-Options: DENY header. Additionally, framebusting JavaScript is included in main-begin.template as a fallback.
With suexec the codebase is shared. These files could theoretically be modified, so they should be writable only by the httpd user to avoid casual meddling.
The admin side is doubly protected. The .htaccess may be overkill, but basically HTTP 401 authentication gates access to the admin directory in the first place, and the scripts then run their own cookie-based authentication.
The double protection of the server uses AuthDBI, which requires access to the my.cnf file BEFORE the suexec privilege drop takes place, so the file is readable by httpd. This could theoretically allow one user on shared hosting to write a script that reads other users' files. Do not allow untrusted users to write and run arbitrary code.
To reduce the potential for attacks on public-facing pages, follow basic security practices: ensure that all public-facing inputs are stripped of HTML or escaped properly, and check all user input for validity before performing any action.
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/website
ServerName www.domain.com
SSLEngine on
SSLCertificateFile /etc/ssl/crt/primary.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
</VirtualHost>
/usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl restart
It is strongly recommended to disable directory listings.
<Directory /htdocs/your_site.com>
Options Indexes
</Directory>
Change the 'Indexes' option above so that the line reads instead:
Options -Indexes
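An added audit script (written for this page, not part of LunpaCMS) that checks two of the settings above: that admin/.htaccess carries an Auth_DBI_pwd_whereclause requiring both admin = 'true' and is_suspended = 'false', as sites upgraded from before User Manager v1.69 may lack, and that no Options line enables directory listings. The sample .htaccess files are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helpers added as an example; not part of LunpaCMS.
# check_admin_htaccess: 0 if the Auth_DBI_pwd_whereclause requires both
# admin = 'true' and is_suspended = 'false', 1 if it is missing or weaker.
check_admin_htaccess() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Extract the quoted value of the last PerlSetVar Auth_DBI_pwd_whereclause line.
    clause=$(sed -n 's/^[[:space:]]*PerlSetVar[[:space:]]\{1,\}Auth_DBI_pwd_whereclause[[:space:]]\{1,\}"\(.*\)"[[:space:]]*$/\1/p' "$file" | tail -n 1)
    if [ -z "$clause" ]; then
        echo "$file: no Auth_DBI_pwd_whereclause; first login layer admits any account" >&2
        return 1
    fi
    case "$clause" in
        *"admin = 'true'"*) ;;
        *) echo "$file: whereclause does not require admin = 'true'" >&2; return 1 ;;
    esac
    case "$clause" in
        *"is_suspended = 'false'"*) ;;
        *) echo "$file: whereclause admits suspended admins (pre-v1.69 layout?)" >&2; return 1 ;;
    esac
    return 0
}

# check_no_indexes: 0 if no Options line enables directory listings
# (a bare "Indexes" or "+Indexes" token), 1 if one does. "-Indexes" is fine.
check_no_indexes() {
    if grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?Indexes([[:space:]]|$)' "$1"; then
        echo "$1: directory listings enabled; use Options -Indexes" >&2
        return 1
    fi
    return 0
}

# Constructed sample files for the demonstration.
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.htaccess" <<'EOF'
AuthName "LunpaCMS Admin"
PerlSetVar Auth_DBI_pwd_whereclause "admin = 'true' and is_suspended = 'false'"
Options -Indexes
EOF
cat > "$tmpdir/old.htaccess" <<'EOF'
AuthName "LunpaCMS Admin"
PerlSetVar Auth_DBI_pwd_whereclause "admin = 'true'"
Options Indexes FollowSymLinks
EOF
check_admin_htaccess "$tmpdir/good.htaccess" && echo "good.htaccess: whereclause ok"
check_admin_htaccess "$tmpdir/old.htaccess" || echo "old.htaccess: needs upgrade"
```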
Passwords in LunpaCMS are stored as SHA1 hashes with a random salt that differs for every user, with one exception: the server-wide master admin user is not salted by default, for ease of server administration. The master password is assumed to be cryptographically strong and maintained by a responsible administrator, making this a safe tradeoff.
Copyright © 2024 Peregrine Computer Consultants Corp. All rights reserved.