About Security

I consider security one of the most important parts of a CMS.

Emails and similar personal data

All sensitive data is stored encrypted. Encryption and decryption are currently done with the mcrypt library, using the Rijndael-128 cipher (Rijndael with a 128-bit block, i.e. AES when the key is 16, 24 or 32 bytes) in CBC mode. Passwords are NOT encrypted in this way and cannot be decrypted.

Two caveats for anyone deploying or maintaining this: mcrypt is deprecated since PHP 7.1 and was removed from the core distribution in PHP 7.2, so on a current PHP the encryption layer has to be ported to the openssl or sodium extension; and CBC mode on its own gives confidentiality but no integrity, so a stored ciphertext should also carry an authentication tag (an HMAC over IV and ciphertext, or an AEAD mode such as AES-GCM) that is checked before decryption.
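Added example, not Colibrì code: the cipher and mode the page names (AES-128-CBC, which is Rijndael-128 with a 16-byte key) done with PHP's openssl extension, since mcrypt is gone from current PHP, with a fresh random IV per record and an HMAC-SHA-256 tag that is verified before anything is decrypted. The key-splitting labels, the blob layout iv || tag || ciphertext and the sample record are assumptions of this example. Ciphertexts produced this way are not interchangeable with mcrypt output: mcrypt pads with null bytes while openssl_encrypt uses PKCS#7, so migrating stored data means decrypting with the old routine and re-encrypting.

```php
<?php
// Added example, not Colibrì code: AES-128-CBC (Rijndael-128, 16-byte key)
// with the openssl extension, encrypt-then-MAC. Key-splitting labels and the
// blob layout (iv || tag || ciphertext) are assumptions of this example.
declare(strict_types=1);

const FIELD_CIPHER = 'aes-128-cbc';

/** Derive an encryption key and a separate MAC key from one master key. */
function derive_field_keys(string $masterKey): array
{
    $encKey = substr(hash_hmac('sha256', 'field-enc', $masterKey, true), 0, 16); // AES-128 key
    $macKey = hash_hmac('sha256', 'field-mac', $masterKey, true);                // 32-byte HMAC key
    return [$encKey, $macKey];
}

/** Encrypt one personal-data field; returns iv || tag || ciphertext. */
function seal_field(string $plaintext, string $masterKey): string
{
    [$encKey, $macKey] = derive_field_keys($masterKey);
    $iv = random_bytes(openssl_cipher_iv_length(FIELD_CIPHER)); // fresh IV per record
    $ct = openssl_encrypt($plaintext, FIELD_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true); // covers IV and ciphertext
    return $iv . $tag . $ct;
}

/** Verify the tag first, then decrypt; null on tampering or wrong key. */
function open_field(string $blob, string $masterKey): ?string
{
    [$encKey, $macKey] = derive_field_keys($masterKey);
    $ivLen = openssl_cipher_iv_length(FIELD_CIPHER);
    if (strlen($blob) < $ivLen + 32) {
        return null;
    }
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, $ivLen, 32);
    $ct  = substr($blob, $ivLen + 32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null; // constant-time compare failed: do not even try to decrypt
    }
    $pt = openssl_decrypt($ct, FIELD_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Demo with a constructed key and record.
$masterKey = random_bytes(32);
$blob = seal_field('alice@example.com', $masterKey);
var_dump(open_field($blob, $masterKey) === 'alice@example.com'); // round trip succeeds

$last = strlen($blob) - 1;
$blob[$last] = chr(ord($blob[$last]) ^ 0x01);     // flip one ciphertext bit
var_dump(open_field($blob, $masterKey) === null);  // tag mismatch, so nothing is decrypted
```

The MAC is computed over the IV as well as the ciphertext, because in CBC a flipped IV bit flips the same bit of the first plaintext block; checking the tag with hash_equals() before calling openssl_decrypt() also means padding errors never become an oracle.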

Password

The login form is designed not to send the clear-text password to the server. That only happens when the user has JavaScript disabled, which is a rather unusual way to browse the web these days...

Under normal conditions the clear password is hashed with SHA-512 in the browser and only the hash is sent to the server. When the account is stored, a random salt is generated and used to hash the received value a second time. The same salt is later used to check whether the value you send at login, re-hashed, matches the one in the database.

Note that the client-side hash is therefore the real credential: whoever captures it on the wire can replay it without knowing the password, so this step protects the clear-text password itself but does not replace TLS.

At this time there is no way to decrypt the stored hashed password. A hypothetical attacker can only brute-force guesses and compare them with the stored hash. With an effective password this can take years or decades: don't use "1234" (and the like), "password" (and the like), real words or combinations of them. Best is to include special characters such as @ # ù ... and to make the password long. Keep in mind, too, that SHA-512 is a fast hash, so each guess is cheap for the attacker; a purpose-built password hash such as PHP's password_hash() (bcrypt by default, Argon2 available) would make every guess far more expensive.
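Added example, not Colibrì code, for the two-stage scheme described above: client_hash() stands in for the JavaScript that runs in the login form, store_credential()/verify_credential() do the salted second hash on the server, and the same contract is shown with PHP's built-in password_hash(). The salt length, the salt || clientHash layout and the sample passwords are assumptions of this example.

```php
<?php
// Added example, not Colibrì code. client_hash() stands in for the login
// form's JavaScript. Salt length and the salt || clientHash layout are
// assumptions of this example.
declare(strict_types=1);

/** Stage 1 (browser): hex SHA-512 of the clear password is what goes over the wire. */
function client_hash(string $password): string
{
    return hash('sha512', $password);
}

/** Stage 2 at signup: fresh random salt, second SHA-512, both stored as hex. */
function store_credential(string $clientHash): array
{
    $salt = random_bytes(16);
    return ['salt' => bin2hex($salt), 'hash' => hash('sha512', $salt . $clientHash)];
}

/** Stage 2 at login: re-hash with the stored salt, compare in constant time. */
function verify_credential(string $clientHash, array $record): bool
{
    $candidate = hash('sha512', hex2bin($record['salt']) . $clientHash);
    return hash_equals($record['hash'], $candidate);
}

/**
 * Same contract with a slow, purpose-built password hash. PASSWORD_DEFAULT is
 * bcrypt, which only reads the first 72 bytes of its input: 72 hex characters
 * are still 288 bits of the client hash, so nothing is lost, but
 * PASSWORD_ARGON2ID (PHP 7.3+) covers the whole value and adds a memory cost.
 */
function store_credential_slow(string $clientHash): string
{
    return password_hash($clientHash, PASSWORD_DEFAULT);
}

function verify_credential_slow(string $clientHash, string $stored): bool
{
    return password_verify($clientHash, $stored);
}

// Demo with constructed passwords.
$record = store_credential(client_hash('s3cret-Passphr@se'));
var_dump(verify_credential(client_hash('s3cret-Passphr@se'), $record)); // right password matches
var_dump(verify_credential(client_hash('s3cret-Passphr@sf'), $record)); // one wrong character fails

// The wire value is the credential: someone who sniffed it replays it without
// ever learning the clear password, which is why the form must still use TLS.
$sniffed = client_hash('s3cret-Passphr@se');
var_dump(verify_credential($sniffed, $record));                         // replay is accepted

$slow = store_credential_slow(client_hash('s3cret-Passphr@se'));
var_dump(verify_credential_slow(client_hash('s3cret-Passphr@se'), $slow));
```

Whichever server-side hash is used, the comparison must go through hash_equals() or password_verify() rather than ==, so that a mismatch takes the same time regardless of where the first differing byte is.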

Article editor

By default, users with write access are trusted blindly: the article content they insert is not parsed or filtered in any way, so scripts and every kind of link are allowed. Webmasters and administrators are completely trusted. This can be changed by writing an ad hoc plugin (HTML Purifier is already installed). This behaviour raises no risk as long as the enabled users are trustworthy; bear in mind that an unfiltered article can carry a script that runs in every reader's browser, so the trust placed in a writer extends to anyone who gets hold of that writer's account.

Encryption key and database

The encryption key is created at the very first setup and stored in a PHP file; because PHP files are executed rather than served as text, the key is not readable over HTTP, and it is protected from local readers only by the file permissions on that file (and on any backup of it). The key can be changed only by logged-in webmaster users (coming soon).

The database name is randomly generated on the first setup and stored in a PHP file, like the encryption key. Every further setup changes the name; this greatly reduces the chance of the database file being stolen by someone guessing its URL. An .htaccess file prevents the database from being downloaded (in practice only PHP and HTML files placed in the main database directory are reachable by external users). Note that .htaccess rules only apply when Apache is configured to honour them (AllowOverride) and are ignored by other web servers such as nginx, so on those the database directory must be kept outside the document root or denied in the server configuration.
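Added example, not Colibrì's setup code, covering this section and the encryption-key paragraph above: what a first-run setup could do to produce the two secrets the page describes, a random database file name and a key stored as constants in a PHP file, the .htaccess that limits the database directory to .php and .html, and a check a webmaster can run against the live site afterwards. Directory and file names, the .sqlite extension and the constant names are assumptions of this example.

```php
<?php
// Added example, not Colibrì's setup code. Paths, the .sqlite extension and
// the constant names are assumptions of this example.
declare(strict_types=1);

const DB_DIR   = __DIR__ . '/db';         // assumed database directory
const CONF_PHP = __DIR__ . '/config.php'; // assumed secrets file

/** First-run setup: random key, random database name, both kept in a PHP file. */
function write_secrets(): array
{
    $key    = bin2hex(random_bytes(32));                        // 256-bit master key
    $dbName = 'data_' . bin2hex(random_bytes(12)) . '.sqlite';  // 96 random bits in the name

    // Kept as PHP constants: a direct request for config.php runs the file and
    // returns an empty page instead of handing out the secrets as text.
    $php = "<?php\n// generated at setup, keep out of version control\n"
         . 'const COLIBRI_DB_NAME = ' . var_export($dbName, true) . ";\n"
         . 'const COLIBRI_ENC_KEY = ' . var_export($key, true) . ";\n";
    if (file_put_contents(CONF_PHP, $php, LOCK_EX) === false) {
        throw new RuntimeException('cannot write ' . CONF_PHP);
    }
    chmod(CONF_PHP, 0600); // the key is only as safe as this permission (and any backups)

    if (!is_dir(DB_DIR) && !mkdir(DB_DIR, 0700, true)) {
        throw new RuntimeException('cannot create ' . DB_DIR);
    }
    // Apache 2.4 syntax for the behaviour the page describes: deny everything,
    // then re-allow .php and .html. Only effective with AllowOverride enabled;
    // nginx and other servers never read .htaccess, so there the directory
    // has to live outside the document root instead.
    $htaccess = <<<'APACHE'
Require all denied
<FilesMatch "\.(php|html)$">
    Require all granted
</FilesMatch>
APACHE;
    file_put_contents(DB_DIR . '/.htaccess', $htaccess . "\n", LOCK_EX);

    return ['db' => $dbName, 'key' => $key];
}

/** Post-install check: does the web server hand out the database file? Needs allow_url_fopen. */
function db_is_exposed(string $baseUrl, string $dbName): bool
{
    $ctx = stream_context_create(['http' => ['method' => 'HEAD', 'ignore_errors' => true]]);
    if (@file_get_contents($baseUrl . '/db/' . $dbName, false, $ctx) === false) {
        return false; // no HTTP answer at all, so it cannot be fetched this way
    }
    $status = (int) substr($http_response_header[0], 9, 3); // e.g. "HTTP/1.1 403 Forbidden"
    return $status >= 200 && $status < 300;                 // a 2xx means the file is served
}

$secrets = write_secrets();
require CONF_PHP;
echo 'database file: ', COLIBRI_DB_NAME, PHP_EOL;
// After deployment: db_is_exposed('https://example.com', COLIBRI_DB_NAME)
```

On a correctly configured Apache host db_is_exposed() returns false because the HEAD request is answered with 403; if it returns true the server is ignoring the .htaccess file, and the random name is the only thing standing between the database and a download.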

M.B.C. (Nereo Costacurta)

More than nothing, nothing More

Fast and Reliable CMS ever MadeByCambiamentico

Powered By Colibrì
Colibrì Theme ©2016 by Nereo Costacurta
Info

Released under GPL v.3 license.

Colibrì CMS by Nereo Costacurta
