Has this vulnerability been addressed (CSRF)?
Permalink
I'm testing C5 for possible adoption by my agency. I am a public affairs type by training so some of my questions might reflect my ignorance.
Our IT department is convinced C5 is more vulnerable than the solution they are promoting (DNN) and I'm trying to convince them otherwise. I saw where the XSS vulnerability was addressed, but I can't find an answer to this one:
http://blackpentesters.blogspot.com/2013/06/concrete5-cms-5612-mult...
-Is this still an issue?
-Is there a forum/blog where these vulnerabilities and solutions are tracked?
-Is PHP more or less open to attack than C-sharp?
Bonus: Has anyone here switched from DotNetNuke to Concrete 5?
Thanks for your help. Remember: Me journalist--speak slowly and use simple words.
Our IT department is convinced C5 is more vulnerable than the solution they are promoting (DNN) and I'm trying to convince them otherwise. I saw where the XSS vulnerability was addressed, but I can't find an answer to this one:
http://blackpentesters.blogspot.com/2013/06/concrete5-cms-5612-mult...
-Is this still an issue?
-Is there a forum/blog where these vulnerabilities and solutions are tracked?
-Is PHP more or less open to attack than C-sharp?
Bonus: Has anyone here switched from DotNetNuke to Concrete 5?
Thanks for your help. Remember: Me journalist--speak slowly and use simple words.
Thanks for the quick reply. I am not completely in charge of the CMS decision, but I'm not done pushing.
VR,
Neal S.
VR,
Neal S.
Here's something that you might find interesting.
We recently (within the last few years) converted a DNN website to Concrete5. It was a movie theater and they used user accounts to maintain newsletter signup lists. When we were asked if we could bring over all these users our first thought was, well probably but we'll have to leave the old users table intact to rehash the passwords. However, after a little bit further investigation we found that DNN uses encryption for their password storage, not one way hashes. I was shocked by this, within a matter of about 30 minutes I had decrypted about 10,000 user account passwords from the database. To me, that does NOT say secure. Granted, one would first have to get access to the db, but this still seems like horrible practice to me. Couldn't tell you if they've changed this behavior in newer versions of DNN or not.
That said, PHP vs C# I would say isn't any more or less secure, they all have dependencies that are prone to vulnerabilities and no programmer is perfect when using the language so sometimes vulnerabilities happen to do oversight or ignorance as well. I'd advise to stick with what you know unless you have a really really good reason to change (other than "security").
We recently (within the last few years) converted a DNN website to Concrete5. It was a movie theater and they used user accounts to maintain newsletter signup lists. When we were asked if we could bring over all these users our first thought was, well probably but we'll have to leave the old users table intact to rehash the passwords. However, after a little bit further investigation we found that DNN uses encryption for their password storage, not one way hashes. I was shocked by this, within a matter of about 30 minutes I had decrypted about 10,000 user account passwords from the database. To me, that does NOT say secure. Granted, one would first have to get access to the db, but this still seems like horrible practice to me. Couldn't tell you if they've changed this behavior in newer versions of DNN or not.
That said, PHP vs C# I would say isn't any more or less secure, they all have dependencies that are prone to vulnerabilities and no programmer is perfect when using the language so sometimes vulnerabilities happen to do oversight or ignorance as well. I'd advise to stick with what you know unless you have a really really good reason to change (other than "security").
Yup, we maintain a presence here for these types of things to be reported
responsibly:http://hackerone.com/concrete5
Nope, PHP is no less or more secure than C#. Facebook and yahoo use PHP, so
does every porn site on earth since the dawn of time. Not to be crass, but
strikes me those guys have more security issues than many.
Planned Parenthood and The Army use concrete5, so if its good enough for
the DoD to approve it...
Additionally we have support contracts so you can get early notification of
any security issues we learn about and hot fixes:
http://www.concrete5.org/support/enterprise/enterprise-sla/...
Nothing's perfect (DNN included) but we're doing a-okay here.
Now all that being said. If your own developers are used to working in
microsoft technologies and now you're asking them to switch to PHP because
concrete5 delivers a more graceful experience to your customers, you are
asking them to put a lot of work into learning something new and they have
a right to be grumpy about that.
best wishes
Franz Maruna
CEO - PortlandLabs Inc