Elgg Security

I was having a discussion the other day with a few co-workers, 2 sys-admins and a project manager, and they asked me my opinion of Elgg.  From a developer's perspective I said I thought it was great, but they had 2 main reservations.  One is security, which I'll detail here, and the other is plugin handling, and I'll start a separate topic on that.

One of the sys-admins actually manages a live elgg 1.7 site, with probably 5000 active users and 120 plugins.  He hates it.  Although he declined to say how (or why he hadn't reported anything), he claimed that with no knowledge of admin credentials, he could compromise the site within 10 min.  We were also talking Drupal, as that's the project I'm on, and he seemed to believe that Drupal is far more secure.  Therefore I'm assuming his potential compromise would be Elgg-core-specific.

I'm not entirely sure I believe his claim, but it does make me wonder - what does everyone else think?  I myself haven't had any problems, but I also haven't really done an assessment.  I know that reasonable measures have been taken to prevent sql injection and cross site scripting, but overall, how does Elgg core security compare to Drupal?

(also, while discussing, if there are any security issues pending please don't be specific enough to make such information public, let's be sensible)

  • @Matt Beckett

    Hi, I believe that if he knows how to do it, a good thing would be to report that directly to the elgg core team. 

    As far as I know, elgg is very secure. I've been reading through the changelog and readme files and they covered pretty much a lot of security holes. 

    Elgg is as secure as Drupal. Not everything is perfect, even Sony had a huge security breach at the PSN. 

    Bottom line is that the potential way to compromise an elgg site has to be reported to the Core team, so that they are able to handle it.


    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • I agree, and he's more than capable of reporting any security issues, which makes me extremely suspicious of his claim.  It was a very pro-Drupal anti-Elgg group at the lunch, I'm just trying to sort out how much of it was just based on the fact that he hated his job and how much could potentially be fact, and how much was pandering to please the rest of the group.

  • I thot he's yr friend !!? Anyway - tell your 'friend' that DhrupDeScoop would like to have his website's URL for a little demonstration.. by someone -- who in the past has been official internal security hacker for a very very large international finance company -- I claim that with knowledge of Elgg, PHP, MySQL, Linux Kernel and a multitude of other technologies over 35+ years in IT - I claim that I could compromise his site within <= 3 mins and bring his site down to below its knees. And that is totally not a joke at all - mere facts of life when I'm messing around;) I'll do it - just gimme the URL and he'll be crying by sunset..

  • I would push him to provide details to you.

  • [Comment removed at Dhrup's request]

  • Why attack the guy? We don't know anything about him. Either he knows something or he doesn't. I'm very skeptical but content to wait for more information. If he won't provide more information, he's probably just making this up. It's not worth getting excited about at this point.

  • aplogz u r rit.. we/i shud follow own advice.. maybe if friend loosens up - we may gain info ;-) hope matt can talk him @ sharing... plZ delete/edit my off & rough comments ;-(


  • @ Everyone - sorry I didn't want to start anything to make anyone upset, I was just curious as to the opinion of other people who actually know Elgg.  The guy in question isn't around anymore, it was his last day at work and we were out at the obligatory "co-worker's last day" lunch.  I don't know him all that well to be honest, which is why I wasn't able to really gauge the sincerity of his claim.  With him no longer on the job I doubt I'll be able to get you any more information on the subject.  The other 2 people at the lunch really have no Elgg experience, but had some pre-existing biases based on fuzzy logic, e.g. Elgg hasn't been around as long as Drupal, has a smaller userbase, therefore it's probably less secure.

    Unfortunately I wasn't really in a good position to defend Elgg as I was coming from a developer perspective as opposed to a sys-admin perspective.  I'm not uneducated about web-app security issues, but for the most part I make functionality happen, and leave most of the security stuff to the core API.

    Ultimately my opinion is that Elgg core is most likely on par with Drupal core in terms of security.  I think Drupal has an upper hand when it comes to their module security just because the community takes a much more strict approach to vetting them.  They're pretty brutal actually, complaining loudly even for something as (seemingly) trivial as having your tab-indentation formatted to 3 spaces instead of 2.  Here in the Elgg community pretty much anything goes - there are recommended standards but they're not enforced in any way.  I don't know if that's just due to the fact that it's a smaller community, or if it possibly could (or should) change.

    That's it really...

  • I'm not in a position to compare against Drupal as I don't know Drupal that well. What you want is for a framework to make creating secure plugins easy and I think Elgg does that.

    • Use Elgg's actions and forms? You automatically get CSRF protection.
    • Use get_input() to get user submitted data? You automatically get XSS protection.
    • Use Elgg's data model rather than custom queries? You automatically get SQL injection protection.
    • Use Elgg's sessions rather than a custom cookie? You automatically get protection against some session attacks.

    The approaches that the Elgg engine uses are all best practices (though using prepared statements is cleaner than Elgg's approach of manually escaping parameters).


    The quality of plugins in the Elgg community plugin repository is all over the place. I think we do need to make it easier to determine the quality even if it is something as simple as checking the code against Elgg's coding standards.
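    The action-token check behind the first bullet above ("use Elgg's actions and forms"), written out as an added PHP example of my own rather than Elgg's code: a token derived from the session id, a timestamp and a site secret is embedded in every state-changing form, and the action handler refuses the request unless both fields are present, fresh and verify. `SITE_SECRET`, `TOKEN_TTL`, the `__ts`/`__token` field names and all function names are assumptions, not Elgg identifiers.

```php
<?php
// Added example (not Elgg's own code): a minimal per-session action-token
// scheme that protects state-changing actions against cross-site request forgery.
declare(strict_types=1);

const SITE_SECRET = 'replace-with-a-random-per-site-secret'; // assumption: comes from site config
const TOKEN_TTL   = 7200;                                    // seconds a token stays valid

// Bind the token to the session id and the issue time with a keyed hash,
// so a token minted for one session cannot be replayed in another.
function make_action_token(string $sessionId, int $ts): string
{
    return hash_hmac('sha256', $sessionId . '|' . $ts, SITE_SECRET);
}

// Hidden fields to include in every form that changes state.
function action_token_fields(string $sessionId, int $now): string
{
    $token = make_action_token($sessionId, $now);
    return '<input type="hidden" name="__ts" value="' . $now . '">' . "\n"
         . '<input type="hidden" name="__token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Server-side gatekeeper for an action: both fields present, timestamp within
// the TTL, and a constant-time comparison of the recomputed token.
function verify_action_token(array $request, string $sessionId, int $now): bool
{
    if (!isset($request['__ts'], $request['__token'])) {
        return false;                       // form or link without a token
    }
    $ts = (int) $request['__ts'];
    if ($ts <= 0 || abs($now - $ts) > TOKEN_TTL) {
        return false;                       // stale or malformed timestamp
    }
    return hash_equals(make_action_token($sessionId, $ts), (string) $request['__token']);
}

// Constructed demonstration data: a legitimate submission, a request that
// carries no token, and a token minted under a different session id.
$session = 'sess-abc123';
$now     = time();
$good    = ['__ts' => $now, '__token' => make_action_token($session, $now), 'title' => 'hello'];
$noToken = ['title' => 'hello'];
$other   = ['__ts' => $now, '__token' => make_action_token('sess-other', $now), 'title' => 'hello'];

var_dump(verify_action_token($good, $session, $now));
var_dump(verify_action_token($noToken, $session, $now));
var_dump(verify_action_token($other, $session, $now));
```

    Only the first call should be accepted; the other two show the two cases the token defends against, a form or link that carries no token and a token that belongs to another session.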

  • You did now didn't ya ?;-P
    So let's take that now moot point and see what we can figure re: security holes anyways.
    I remember that some (famous) US college has group of senior students doing security vetting
    and so on specifically for Elgg and reporting back to Core Team..
    ```````````````````````````````````````````````````````````````````````````````````````````````````````````````````
    I'm pasting that post's link and content here for those interested :=
    (note the date !)

    http://groups.google.com/group/elgg-development/browse_thread/thread/943f93a6a98e2570/c922d89cab974e16?lnk=gst&q=security+dhrup#c922d89cab974e16
    Dhrup
    Feb 23 2009, 10:24 am

    I came across this interesting reading at Stanford's CS pages :=
        http://crypto.stanford.edu/cs142/projects/5/notes.html
    -- looks like the academics are into some good work regarding security & risks.
    ```````````````````````````````````````````````````````````````````````````````````````````````````````````````````
    Elgg is a free open-source social networking platform. Anyone can
    download Elgg and install it on a web server. The web server needs
    Apache, MySQL, and PHP. However, Elgg used to contain some security
    vulnerabilities that can be exploited, vulnerabilities that have been
    patched. In this assignment, you will exploit some Cross-Site Request
    Forgery (CSRF) vulnerabilities in two different versions of Elgg. The
    below attacks are selected to reflect different potential impacts of
    CSRF vulnerabilities. You will also exploit XSS vulnerabilities in our Elgg plugin.
    ```````````````````````````````````````````````````````````````````````````````````````````````````````````````````
    Identifying vulnerable forms (Everlasting Fame Part Deux)
    * Install your own version of Elgg.
        o Windows: wampserver
        o VMware virtual machines
    * Figure out the defense. Elgg uses secret token.
    * Once you identify the secret token, look for forms without one. Also
    look for links that have side effects without the secret token.
    * You can also look through PHP code for the secret token generation.
    Then you can quickly search if there are vulnerable forms.
    * There are lots of CSRF vulnerabilities in our version of Elgg 0.9.2.
    There are at least two CSRF vulnerabilities in our version of Elgg 1.2.
    ---- though they do not explain what these vulnerabilities are ;-O

    Tom Wang
    Feb 23 2009, 7:40 pm
    I am the one who wrote the page you mentioned. It's very intentional
    that we don't list any vulnerabilities publicly so that we don't
    endanger every Elgg installation out there!

    Tom
    ```````````````````````````````````````````````````````````````````````````````````````````````````````````````````