XSS and MySQL Injection
Vanilla has been tested against various automated MySQL injection and cross-site scripting (XSS) attack vectors.
Current Measures
- Stripping (sanitising) of all input values before they are used in MySQL queries
- Apache .htaccess files in all private directories
- Logging of admin audit trail
- Session-based persistent security checks for admin pages
- AJAX hardening via session validation
- Backup feature for all database tables
- Core Apache directives backup/restore
- File and folder name sanitization
- User 'jails' for directory listing feature
- AJAX file management locked to content folder 'jail'
- Password-protected pages via a server-side method
- Salted hashing (not reversible encryption) of user passwords
- Custom error pages catch attempts to index directories
Be Aware!
Website security should never be taken for granted, even on a system with security mechanisms in place. It is not an area to be blasé about: if you write badly scripted, insecure PHP pages or sidebars yourself, it is down to you to secure them. See Strengthening Vanilla's Security for more information about securing your Vanilla CMS environment.
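To make that point concrete, the following is an added example written for this page (it is not Vanilla's own code and does not show how Vanilla implements the measures listed above). It shows a custom PHP page applying the input-sanitising and salted-hash measures from the list: a prepared statement beside the string-built query it replaces, output encoding for anything echoed into HTML, and password_hash() for storage. The users table, its id, name and pw_hash columns, and the connection details are assumed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not Vanilla's own code: a custom PHP page that looks up a user
// by name, prints the result and stores a password. The table and column names
// (users, id, name, pw_hash) and the connection details are hypothetical.

// --- Vulnerable form: string-built SQL and raw output (do not use) -----------
function findUserVulnerable(mysqli $db, string $name): ?array
{
    // $name goes straight into the SQL text, so the input  ' OR '1'='1
    // turns the WHERE clause into a tautology and returns the first row.
    $res = $db->query("SELECT id, name FROM users WHERE name = '" . $name . "'");
    $row = $res ? $res->fetch_assoc() : null;
    return $row ?: null;
}

// --- Hardened form: prepared statement, value bound separately from SQL ------
function findUser(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);   // quotes or comment sequences in $name stay data
    $stmt->execute();
    $stmt->bind_result($id, $rowName);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['id' => $id, 'name' => $rowName] : null;
}

// Output encoding for an HTML body or attribute context. Applied at output
// time, never at input time, so a stored "<script>" from the database is
// rendered as text instead of executed: this is the XSS half of the defence.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Salted hashing (not encryption): password_hash() draws a random salt and
// embeds it in the returned string, and password_verify() reads it back out,
// so no separate salt column or fixed secret is needed.
function storePassword(mysqli $db, int $userId, string $plaintext): void
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?');
    $stmt->bind_param('si', $hash, $userId);
    $stmt->execute();
    $stmt->close();
}

function checkPassword(string $plaintext, string $storedHash): bool
{
    return password_verify($plaintext, $storedHash);
}

// Page usage (hypothetical connection details).
$db = new mysqli('localhost', 'vanilla', 'secret', 'vanilla_db');
$db->set_charset('utf8mb4');   // keep client and server charsets aligned
$name = $_GET['name'] ?? '';
$user = findUser($db, is_string($name) ? $name : '');
echo '<p>Hello, ' . h($user['name'] ?? 'guest') . '</p>';
```

Two caveats a practitioner would want: htmlspecialchars() is correct only for HTML contexts, so a value placed inside a JavaScript block or a URL needs the encoder for that context instead; and the prepared statement protects the query text, not the application logic, so access checks on the returned row are still the page's responsibility.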

