General discussion of OpenCATS

Moderators: RussH, cptr13

Forum rules: Just remember to play nicely once you walk through the door. You can disagree with us, or any other commenters in this forum, but keep comments directed to the topic at hand.
User avatar
By kevinharper
#3355
Has anyone had any problems with hackers? What are best practices for the security-conscious, besides strong passwords?
User avatar
By cptr13
#3356
Kevin.

I know nothing about security. Opencats is a l/wamp application, so I'm sure there's tons of information out there on general security.

Also, RussH is a sysadmin. You might private message him to get his thoughts.

But, everything that is web facing has vulnerabilities.
User avatar
By tmarsh3
#3383
Hi. Total Opencats noob here. However, I do have background in IT security and share the same concerns.

I'm implementing Opencats on my shared hosting provider, and have gone through extensive security scans and tests in order to make sure I'm not going to cough up user information or personally identifiable information due to a breach. In general, the app has passed all checks and scans, with only one caveat identified by the tinfoil security scanner. Note, I did make modifications to my Apache config, to change a number of security headers. Opencats survived all of those changes and is still working for me.

The one significant security flaw I may have uncovered is Cross-Site Request Forgery (CSRF) exposure. This is on all of the various input forms, especially the login forms. I am still reviewing the mountain of PHP and JavaScript code behind the pages so am not sure if this is a false positive. Details of CSRF exploits and recommended fixes are here: https://en.wikipedia.org/wiki/Cross-sit ... st_forgery.

From what I see, the team is doing a pretty good job. But I am not an expert or ethical hacker. For the CSRF issue, I see a random token value set in the CATS cookie, but I have yet to find the code that validates it every session. I didn't see a header with it either, so if it's cookie only, then there is a vulnerability as the cookie can be spoofed. If the code IS there though and I haven't found it, this is a false alarm. If not, then it's an opportunity for future security improvements.

Perhaps someone from the development team can chime in here.
User avatar
By RussH
#3385
Hi guys,

thanks for taking the time to evaluate OpenCATS.. lets take them one at a time.

Firstly - security measures; same as any web-facing app. Check your permissions. Check PHP. Check that you cannot upload executables. Check your MySQL permissions. Have a good htaccess file in place on your public facing website.
Personally I'm more paranoid and I don't enable the career portal - I use the opencats wordpress plugin to display a feed from our opencats instance. Probaby overkill, however I don't want to enable public access to any part of my main app server.

Secondly cross-site scripting - If you have a particular issue you think could be considered a security concern, please post it over to the github project as an issue (link's in my footer) and the dev's are usually quite good at getting back to you quickly. However all the opencats CI builds also get a codacy check which includes some automated XSS checks.

It's essential to keep these synchronized to ensur[…]

Export part in Job Order order search

Same problem as mine. Maybe you're right, I'll che[…]

The error message you're encountering indicates th[…]

Errors restoring mysqldump backup

doesnot work for me