Yii Security

Hi Guys

I have a project about to start and I am intending to use the Yii Framework as its backbone. I'd like some advice on how to make a Yii application as secure as possible; I'm a little bit of a newbie in this area. The site would have to be as secure as the President's Nuclear Bunker under the Pentagon. The main areas are MySQL encryption and security; the site will also require customers to log in, and therefore sessions need to be as secure as possible.

Any advice would be greatly appreciated.

Chris

Quote

The site would have to be as secure as the President's Nuclear Bunker under the Pentagon.

Uhm… that might be setting the bar a bit high. The president's nuclear bunker is very expensive to maintain. Perhaps more than your company wants to invest in a web app.

Quote

The main areas are MySQL encryption and security; the site will also require customers to log in, and therefore sessions need to be as secure as possible.

“Security” is very broad. I recommend you start by looking at . I also wrote a little about Yii’s security mechanisms on this page (though that page is written in the context of comparing Yii with CakePHP and CodeIgniter).

I am very interested in the topic of security and I would be happy to have a conversation about this. But you need to start by thinking about what your requirements are. At a minimum, you need to first ask yourself "what assets am I trying to protect?" and then "what are the threats to those assets?". That's the start of any kind of security policy.

I look forward to chatting about how to make a Yii site uber-secure.

Cheers.

Thanks for the reply :)

The main aspect that needs to be protected is the stored user data; the client has asked me to look into MySQL encryption as a way of doing this. I am assuming Yii automatically protects against SQL injection attacks. The site needs to be as "un hackable" and secure as possible. We will be using SSL which covers a lot of areas I believe. They just need to make sure that users' data is not obtainable by people that shouldn't have access.

I have already built my own Role Based access extension for the CMS and that seems to be working as intended.

I'm not sure how much further I can go.

Yes, one of the biggest security problems is the SQL injection attack. Unless you are directly embedding user input data into your SQLs, your Yii application should be safe in this aspect. Internally, Yii uses prepared statements and binds parameters to them whenever possible. You should also pay attention to the safeAttributes() methods declared in your AR classes. They govern how user input data can be massively assigned to your AR models. If there are some sensitive columns (such as permissionLevel) that should NOT be assigned by end user data, you should exclude them from safeAttributes().

Quote

I am assuming Yii automatically protects against SQL injection attacks.

No software can ever protect you against programmer stupidity. All that Yii can do is give you the tools to make it easy to protect your site (and Yii does this very well) but you still have to do it. In the case of SQL injection attacks, you want to look into prepared statements, which are discussed in this page.

Quote

The site needs to be as "un hackable" and secure as possible.

Un-hackable sites do not exist. You have to set realistic goals.

Quote

We will be using SSL which covers a lot of areas I believe.

SSL will protect you against packet sniffers. Nothing more. It will do nothing for SQL injection, cookie attacks, XSS, CSRF, dictionary attacks, or DOS attacks. There is no single product that will magically make you secure. You can't "buy" security. You need to develop a deeper understanding of threats and guard against them as best as you can. To do that, you need to understand the threats to your assets so you can prioritize.

Quote

They just need to make sure that users' data is not obtainable by people that shouldn't have access.

Ok, let's start with some really broad threats. We can roughly divide threats into three groups:

  1. Bad guys accessing data that they are not supposed to.

  2. Bad guys modifying data that they are not supposed to.

  3. Bad guys preventing good guys from using the service.

How do you feel about these? When you say "I want security", which of these are you thinking of? Are you willing to increase the risk of one in order to decrease the risk of the other?

For example: locking user accounts after 3 failed logins. This is a very effective way to protect against dictionary attacks (which is a "type 1 and type 2" threat) but it makes it really easy for a bad guy to lock out all your users (a "type 3" threat). Given this, would you be in favour or against locking accounts after 3 failed logins?

Notice, this is just one example of one threat. There are dozens.

Also consider security around the physical access of the servers, the building that contains them, personnel, etc. Security is an on-going process; it does not end.

Hello, I have found one interesting thing in controllers. I haven't tested it, but it may be a serious hole on a website.

For example, I have a Users table, and users can register on the website, but attributes are collected by $User->attributes=$_POST['User'];. So isn't that a vulnerability? Because a user can POST me some fields like 'user_level' or 'user_money_balance' and, I think, the save() method will save these fields.

I would be very happy if I am wrong…



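	public function actionCreate()
	{
		$User=new User;
		if(isset($_POST['User']))
		{
			// Mass assignment: request fields are copied onto the model here
			$User->attributes=$_POST['User'];
			if($User->save())
				$this->redirect(array('show','id'=>$User->id));
		}
		// First visit or failed save: show the form again
		$this->render('create',array('User'=>$User));
	}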


Your concern is reasonable. Yii uses CModel::safeAttributes() to control which attributes can be assigned in this way. So unless you didn't write the safeAttributes() method correctly, this assignment should be safe.

You can call:

http://www.yiiframew…uteNames-detail

To double check which attributes are 'safe' (to see if you wrote safeAttributes() correctly).
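
The allowlist behaviour discussed in the posts above, as an added example that is not part of the original thread and is not Yii's own code. It is a standalone sketch: the `User` class and its `setAttributes()` are hypothetical, simplified stand-ins written here, and the POST data is constructed.

```php
<?php
// Added illustration: a simplified stand-in for the allowlist behaviour the
// thread attributes to CModel::safeAttributes(). Not Yii's implementation.
class User
{
    public $username;
    public $email;
    public $user_level = 0;           // sensitive: never set from request data
    public $user_money_balance = 0;   // sensitive: never set from request data

    // Allowlist of attributes that may be mass-assigned from user input.
    public function safeAttributes()
    {
        return array('username', 'email');
    }

    // Mass assignment: copy only allowlisted scalar values, report the rest.
    public function setAttributes($values)
    {
        $rejected = array();
        if (!is_array($values)) {
            return $rejected;
        }
        $safe = array_flip($this->safeAttributes());
        foreach ($values as $name => $value) {
            if (isset($safe[$name]) && is_scalar($value)) {
                $this->$name = $value;
            } else {
                $rejected[] = $name;  // worth logging: the real form never sends these
            }
        }
        return $rejected;
    }
}

// Constructed sample of a tampered registration POST body.
$post = array('User' => array(
    'username'           => 'alice',
    'email'              => 'alice@example.com',
    'user_level'         => 99,
    'user_money_balance' => 1000000,
));

$user = new User;
$rejected = $user->setAttributes($post['User']);

var_dump($user->user_level, $user->user_money_balance);
echo 'rejected: ', implode(', ', $rejected), PHP_EOL;
```

The sensitive columns keep their defaults because they are absent from the allowlist; a rejected-field list that is ever non-empty is a useful signal that someone is submitting fields the form does not contain.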