Yii Framework Forum

Request for new security-related features


(Subscriptions) #1

Hello.

This request is not critical, but it would be good to implement.

To enhance the security of software based on Yii, it would be great to have the possibility to vary the design of some Yii-specific UI elements via several configuration options. This would allow hiding the fact that the software was developed using Yii. Currently, at least two UI elements clearly signal that Yii was used:
a) default captcha font;
b) default design template of application.

I reviewed many websites and often encountered situations where these default design elements remain as-is in the production version of the software.


(Alexander Makarov) #2

Why would it be more secure without exposing that the website is built with Yii?


(Subscriptions) #3

I’m not a security analyst, so it is just my reasonable guess. I suppose the less a potential hacker/bot knows about the internals of the software, the lower the probability of being hacked. (In fact, I came up with the idea of hiding the internal implementation many years ago when I browsed different websites and found some built with Yii. I just remembered it tonight.)


(Subscriptions) #4

As you can guess, many companies do not update PHP/Yii regularly on their servers. So, some projects with known vulnerabilities may stay online for a long period of time after the vulnerabilities have been fixed in the framework’s repository. And it is easy to develop a bot that scans online websites with the purpose of finding those that are built with Yii.


(Subscriptions) #5

Moreover, I suppose there are other invisible elements in the code that can be detected by bots and signal the internals of the software. They should be fixed too if you decide to implement this security-related feature.


(Alexander Makarov) #6

Not updating the framework is an issue. Exposing that the app is framework-based, in my opinion, is not. We focus on keeping the framework secure rather than hiding the fact that a framework is used. That’s classical “security through obscurity”.

Anyway, your list of Yii indicators should then include the CSRF-token meta tag, error pages, the pagination widget, and the JavaScript files.

As for writing a bot, yes, it is possible. I did that, checking for YII_DEBUG not being turned off in production. There are many websites doing that, and some even have the debug toolbar exposed with database usernames and passwords.


(Subscriptions) #7

Thanks for the response. You know better what the best strategy for your software is. It was just a random idea from my side.


(Alexander Makarov) #8

Thanks for it.


(Alirz23) #9

First of all, just so you know, you can specify the fontFile in the captcha class. The default template is a basic Bootstrap theme with minimal styles; I doubt you can guess it is using Yii by looking at Bootstrap styles.

You can hide which libraries or framework are being used, but if your code is vulnerable to other security issues that would not help, so I would suggest starting by making sure your app code is safe from SQL injection (the most common problem) and other basic vulnerabilities.


(Lubosdz) #10

A single UI element (or several) does not tell anything about site security. E.g. the core yii-captcha may be replaced with another, “more obfuscatable” captcha extension. Generally the Yii framework keeps up to the standard security level just like other frameworks.

The other issue, debug mode turned on in production, is more of a design issue than a security one, since the framework does not support reading the environment type from some global variable. Developers are prone to forgetting to turn off debug mode. Other frameworks (ZF, Symfony, Laravel) support reading the environment type

  • either from a specific environment variable (e.g. $_SERVER['APP_ENV'] defined in the virtual host)
  • or from a DotEnv file

which is more transparent than setting YII_ENV_* constants, while it can be applied to both HTTP and CLI modes. In my experience DotEnv is the better approach and should be considered for the forthcoming Yii3.
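As an added illustration of the approach described in the post above (this is example code, not part of the thread and not Yii’s own entry script), the following bootstrap fragment derives YII_ENV and YII_DEBUG from an external variable instead of hand-edited constants. It assumes the variable is named APP_ENV (set with SetEnv or fastcgi_param in the virtual host, or exported in the CLI shell) and an optional APP_DEBUG flag; both names are assumptions. A DotEnv loader would simply populate the same variables before this code runs. Anything missing or unrecognised fails closed to production with debug off, which is the failure mode the post is concerned about.

```php
<?php
// Added example, not Yii's own bootstrap code: choose the Yii environment from
// an external variable so debug mode cannot be left on by forgetting a constant.
// Assumed variable names: APP_ENV and APP_DEBUG (set in the vhost, exported in
// the CLI shell, or loaded from a .env file). Unknown/missing values mean "prod".

declare(strict_types=1);

// The three environment names Yii 2 itself recognises (YII_ENV_PROD/DEV/TEST).
const ALLOWED_ENVS = ['prod', 'dev', 'test'];

/**
 * Resolve the environment name. $_SERVER is consulted first (web SAPI, filled
 * from the vhost), then the value from getenv() (CLI). Fails closed: anything
 * that is not an allowed name is treated as production, never as dev.
 */
function resolveEnv(array $server, ?string $fromGetenv): string
{
    $raw = $server['APP_ENV'] ?? $fromGetenv ?? '';
    $raw = strtolower(trim((string) $raw));
    return in_array($raw, ALLOWED_ENVS, true) ? $raw : 'prod';
}

/**
 * Debug output is enabled only in the 'dev' environment and only when
 * APP_DEBUG is explicitly "1". Production can never switch it on.
 */
function resolveDebug(string $env, array $server, ?string $fromGetenv): bool
{
    if ($env !== 'dev') {
        return false;
    }
    $raw = $server['APP_DEBUG'] ?? $fromGetenv ?? '0';
    return trim((string) $raw) === '1';
}

$env   = resolveEnv($_SERVER, getenv('APP_ENV') ?: null);
$debug = resolveDebug($env, $_SERVER, getenv('APP_DEBUG') ?: null);

// These two constants are the real Yii 2 switches; defining them here replaces
// the hand-edited define('YII_DEBUG', true) / define('YII_ENV', 'dev') lines
// that normally sit at the top of web/index.php and the console script yii.
defined('YII_ENV')   or define('YII_ENV', $env);
defined('YII_DEBUG') or define('YII_DEBUG', $debug);

// Defence in depth: if something earlier still hard-coded YII_DEBUG=true,
// refuse to boot in production rather than serve a debug toolbar publicly.
if (YII_ENV === 'prod' && YII_DEBUG) {
    http_response_code(500);
    exit('Refusing to start: debug mode is enabled in the production environment.');
}

// The usual entry script continues from here, e.g.:
// require __DIR__ . '/../vendor/autoload.php';
// require __DIR__ . '/../vendor/yiisoft/yii2/Yii.php';
// $config = require __DIR__ . '/../config/web.php';
// (new yii\web\Application($config))->run();
```

The same file can be required from both web/index.php and the console script, so HTTP and CLI agree on the environment. The important design choice is the default: with no APP_ENV set at all, the result is prod with debug off, which is the opposite of the usual basic-template default of YII_DEBUG = true.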