Should I continue my Kirby Security Checklist?

https://github.com/jenstornell/kirby-security-checklist

Should I keep and continue development of my Kirby Security Checklist plugin?

  • Yes, it could be nice for me in some project
  • No, I will never ever use that
  • I’m not sure

0 voters

I’m at the same time trying out polls. Maybe we could even have a new category called “Polls”?

2 Likes

I do not exactly know what it will check apart from folders and SSL?

I’ve read the posts you added. From that we could check if htaccess protects these pages:

Depending on the custom folder setup it’s possible that they are no longer protected.

Some other things I can think of:

  • Check if Kirby, Panel and Toolkit are up to date. Requires some kind of GitHub + cache function.
  • Check if debug mode is enabled. If it is, it will reveal the paths on errors. Should be off on a live server.
  • Check if the user “admin” is added. It’s often used as a brute-force username, at least on WordPress.

Most people think I should continue this plugin and maybe I will. But I need some more votes to see where it leads, like a total of 15 votes would be nice.

I answer: YES please.

With my little knowledge, I tried last weekend to extend your file template.php using XAMPP on Win10:


<?php
// Detect HTTPS from the request; port 443 also counts as HTTPS. A proxy that
// terminates TLS and forwards plain HTTP is not covered by this check.
function isHttps() {
  $port = isset($_SERVER['SERVER_PORT']) ? (int)$_SERVER['SERVER_PORT'] : 0;
  return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $port === 443;
}

// Request the content folder URL: a 200 means Apache served a directory listing.
$remote = remote::get(kirby()->urls()->content());

// apache_get_modules() only exists when PHP runs as an Apache module. The
// fallback reads HTTP_MOD_REWRITE, which is only meaningful if .htaccess sets
// it (e.g. RewriteRule .* - [E=HTTP_MOD_REWRITE:On]); otherwise it is always false.
function mod_rewrite_is_enabled() {
  if (function_exists('apache_get_modules')) {
    $mod_rewrite = in_array('mod_rewrite', apache_get_modules());
  } else {
    $mod_rewrite = getenv('HTTP_MOD_REWRITE') === 'On';
  }
  return $mod_rewrite;
}

// apache_get_version() is also unavailable under CGI/FPM; fall back to the
// less precise SERVER_SOFTWARE value instead of a fatal error.
function apache_version_string() {
  if (function_exists('apache_get_version')) {
    return apache_get_version();
  }
  return isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : 'unknown';
}
?>
<style>
  .security table {
    border-collapse: collapse;
    width: 100%;
    box-sizing: border-box;
  }
  .security td,
  .security th {
    border: 1px solid #ddd;
    padding: .5em;
    text-align: left;
  }
  .security th {
    font-weight: normal;
  }
  .security td {
    width: 1px;
  }
  .security p {
    margin-bottom: 1em;
  }
  .security .fa-check:before {
    color: #8dae28;
  }
  .security .fa-times:before {
    color: #b3000a;
  }
</style>

<div class="security">
  <p><em>This checklist is <strong>NOT</strong> complete. It should only be used as a helper.</em></p>
  <table>
    <tr>
      <th><i>Folder listing</i> disabled</th>
      <td>
        <?php if($remote->code == '200') : ?>
          <i class="fa fa-times" aria-hidden="true"></i>
        <?php else : ?>
          <i class="fa fa-check" aria-hidden="true"></i>
        <?php endif; ?>
      </td>
    </tr>
    <tr>
      <th><i>SSL/HTTPS</i> enabled</th>
      <td>
        <?php if(!isHttps()) : ?>
          <i class="fa fa-times" aria-hidden="true"></i>
        <?php else : ?>
          <i class="fa fa-check" aria-hidden="true"></i>
        <?php endif; ?>
      </td>
    </tr>
    <tr>
      <th>Module <i>mod_rewrite</i> enabled</th>
      <td>
        <?php if(!mod_rewrite_is_enabled()) : ?>
          <i class="fa fa-times" aria-hidden="true"></i>
        <?php else : ?>
          <i class="fa fa-check" aria-hidden="true"></i>
        <?php endif; ?>
      </td>
    </tr>
  </table>
  <br>
  <table>
    <tr>
      <th>Apache-Version:</th>
      <td>
        <code><?php echo htmlspecialchars(apache_version_string()); ?></code>
      </td>
    </tr>
    <tr>
      <th>PHP-Version:</th>
      <td>
        <code><?php echo phpversion(); ?></code>
      </td>
    </tr>
    <tr>
      <th>Zend Engine Version:</th>
      <td>
        <code><?php echo zend_version(); ?></code>
      </td>
    </tr>
  </table>
</div>

I am quite sure that this does not work with CGI PHP, but my code is as it is (no warranty) …

I want to ask you and the Kirby community whether such code should also be used outside of the Panel, if the Panel doesn’t start.

Good luck!

Some ideas in your code I like and some I don’t:

What I like:

  • Apache version. Latest version for a green check.
  • PHP version. Latest version for a green check.

Maybe introduce orange for things that are in the grey areas, like PHP version 7.0 which is not the latest but probably not that dangerous.

What I don’t like:

  • Mod rewrite. It does not feel like a security issue.
  • Zend engine version. Is this used in Kirby?

These things are probably good to know in order to know if the site will run or not but I’m not sure it’s that much about security.

Instead we could have a link to a phpinfo() from the widget for more reading.

The mod_rewrite test won’t work like this, anyway, if apache_get_modules is not available. Checking for an environment variable that you haven’t set first is pretty useless.

I’d actually make every PHP version green that is green or orange in this list (orange is fine as there are still bug fixes). But please make it a date check for each version, don’t just hardcode versions (if users don’t update your plugin it will display versions as green forever).

What would be interesting: A check for the latest bug fix release in a PHP version (like “latest version of PHP 7.0”). Releases of a specific PHP version that are not the latest one should always be marked red.
I don’t know how you can fetch this information though.

Agree! Maybe the best solution for it is to check this file. The versions not in this file will be red.

http://php.net/releases/active.php

2 Likes
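The check discussed above (a PHP release is only “green” when it is the latest bug-fix release of a branch that still appears in the active releases file), as an added example that is not part of the plugin or of any post in this thread. It assumes the file has the shape major → “major.minor” → object with a “version” key; the JSON embedded below is a constructed sample in that shape, not a download, and a widget would fetch and cache the real http://php.net/releases/active.php instead of hardcoding versions.

```php
<?php
// Added example (not the plugin's code). Classifies a PHP version against data
// shaped like php.net/releases/active.php. Sample data below is constructed.
declare(strict_types=1);

// Constructed sample; assumed structure: major => "major.minor" => ["version" => ...].
const SAMPLE_ACTIVE_JSON = '{
  "7": {
    "7.0": {"version": "7.0.33"},
    "7.1": {"version": "7.1.33"}
  }
}';

/**
 * Flatten the active.php structure into ["7.0" => "7.0.33", "7.1" => "7.1.33"].
 * Unparsable input yields an empty map, which the caller treats as "no data",
 * never as "everything is fine".
 */
function activeReleases(string $json): array {
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return [];
    }
    $out = [];
    foreach ($data as $branches) {
        if (!is_array($branches)) {
            continue;
        }
        foreach ($branches as $branch => $info) {
            if (is_array($info) && isset($info['version']) && is_string($info['version'])) {
                $out[(string)$branch] = $info['version'];
            }
        }
    }
    return $out;
}

/**
 * 'green'   : running version is the latest release of an active branch
 * 'red'     : branch is active but a newer bug-fix release exists,
 *             or the branch is no longer active at all (no more fixes)
 * 'unknown' : no release data available (do not show a green check on no data)
 */
function phpVersionStatus(string $running, array $releases): string {
    if ($releases === []) {
        return 'unknown';
    }
    // Distribution builds report strings like "7.0.33-0ubuntu0.16.04.16";
    // keep only the numeric major.minor.patch part for comparison.
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $running, $m)) {
        return 'red';
    }
    $branch = $m[1] . '.' . $m[2];
    if (!isset($releases[$branch])) {
        return 'red';
    }
    $numeric = $m[1] . '.' . $m[2] . '.' . $m[3];
    return version_compare($numeric, $releases[$branch], '>=') ? 'green' : 'red';
}

$releases = activeReleases(SAMPLE_ACTIVE_JSON);
foreach (['7.0.33', '7.0.30', '7.1.33-0ubuntu0.18.04.1', '5.6.40'] as $v) {
    printf("%-26s %s\n", $v, phpVersionStatus($v, $releases));
}
// For the running interpreter: phpVersionStatus(PHP_VERSION, $releases)
```

With the sample data, 7.0.33 and the distribution-suffixed 7.1.33 come out green, 7.0.30 is red because 7.0.33 is newer, and 5.6.40 is red because its branch is absent from the active list. Keeping an explicit “unknown” state matters in a security widget: if the cached file is missing or malformed, the check should say so rather than silently showing a green mark.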

Oh, that’s great! Didn’t even know this file existed.

Unfortunately, in a shared hosting environment, you have very little influence regarding the use of the latest PHP releases of a version :worried:

You have very little influence regarding a lot of the stuff this plugin checks (even more the Apache version!). But there are providers like Uberspace that are very quick at updating PHP. I think users should annoy their providers with this kind of stuff more often if they don’t update on their own.

I agree to

But sometimes it would be helpful on a new server to get this information, if we move a website to this new server.

I think this engine is the rendering machine of PHP. Maybe it could be useful, but it is not required. We see it in the phpinfo.

But the “phpinfo” should be accessible ONLY for admins, because otherwise it could be a security hole! Maybe you then call this plugin something like “health checklist”…

Colored version numbers of the three Kirby parts depending on the newest version may also be good.

I definitely need to figure out how to disable folder listing.

@bastianallgeier:

How do you think to do

at panel/options?

I suggest to add tooltips for the meaning of the respective color…
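For the “Folder listing disabled” row, this is the Apache-side fix, added here as an example and not taken from the plugin or from any post in the thread. It assumes an Apache host that honours .htaccess with AllowOverride for Options and FileInfo, and the Kirby 2 default folder names (content, site, kirby); with a custom folder setup the paths in the rules have to be adjusted, which is exactly why the check above requests the content URL instead of trusting the file.

```apache
# Added example (not the plugin's or Kirby's own file). Assumes Kirby 2 default
# folder names and a host that allows Options and FileInfo overrides.

# Never generate automatic directory indexes. The widget's check requests the
# content folder URL and treats a 200 as a failure; with this line Apache
# answers 403 for a folder without an index file instead of listing it.
Options -Indexes

# Route direct requests for the content, site and kirby folders back to
# index.php, so raw text files, templates and PHP sources are never served
# as static files. Adjust the paths if your folder setup is customized.
RewriteEngine On
RewriteRule ^content/(.*) index.php [L]
RewriteRule ^site/(.*) index.php [L]
RewriteRule ^kirby/(.*) index.php [L]
```

Two caveats a checklist should surface: on hosts where Options may not be overridden, the `Options -Indexes` line produces a 500 error for the whole site, so it has to be verified after deployment; and the rewrite rules depend on mod_rewrite being active, which is the only reason the module check in the widget has any security relevance at all.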

I think we had this sort of discussion before.

First of all, such a feature would have to talk to some API to check if there is a new version available, which is something not everybody wants.

Secondly, we don’t want to irritate clients with red warnings in the Panel, when they can’t do anything about it or sort of expect from the developer to update for free.

So definitely, such a feature should only be optional and off by default. There are already version widgets available for the Panel anyway.

1 Like

I agree with @texnixe, especially the second part, which fits for at least half of my projects.
So an optional widget to check for Kirby updates, if any, and disabled by default.

That’s why I like @jenstornell’s plugin idea. :+1:

1 Like

I agree with @lukasbestle. The plugin security checklist could at least tell you about the fact that there is a newer stable PHP version released than the one currently in use – whether or not it can be installed by the provider is secondary imho.

1 Like

I have not started with the next version of this plugin yet.

If you wonder why, I will probably wait for this issue to be solved first 560.

In the meantime I want to update my other plugins. :slight_smile: Some of them are not very up to date.