Maximum Security
For the more paranoid, or for a minimum-risk environment, the most secure kind of website powered by Vanilla will be one that:
- Does not have any raw PHP content pages
- Does not have any raw PHP sidebars
- Has friendly URLs enabled (partly masks the fact that PHP is being used)
- If using HTTP authentication, has at least one admin user
- Has an additional password on the user administration area
- Has custom .htaccess directives to block spambots, harvesters, IP ranges etc.
- Contains minimal or no hacks
- Contains no custom HTML page inclusions
- Does not use FooBank functions or scripts (plain strings and HTML are totally safe)
Remember - whilst any of these changes will improve system security, they will also mean a decrease in functionality. Used wisely, all of the above can be safely deployed without risk. Vanilla CMS has been tested against many attack vectors including MySQL injection and cross-site scripting (XSS).
List Directories Security
Although the List Directories feature is flexible and convenient, it can also pose a huge security risk if a private or system-critical folder is referenced. We've put in a few security checks (see below), but we can't be responsible for human error. As such, use this function at your own risk and with great caution. You have been warned!
Current security checks:
- Recursive folder listings are disabled
- Direct calls to the AJAX back-end will fail with a warning
- Target folders must reside below the content folder, i.e., they must begin with content/
- Attempts to use relative URLs such as ../ and ../../ will result in the user being locked into an empty 'jail' folder
- .htaccess files are always hidden
To override the security measures and allow recursive directory browsing etc., edit the lib/jqueryFileTree.php file.
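The following is an added illustration of how the checks listed above fit together; it is not Vanilla's own lib/jqueryFileTree.php. The function names (resolveListingTarget, listOneLevel) and the demo folder tree it builds under the system temp directory are constructed for the example.

```php
<?php
// Added illustration of the checks above, not Vanilla's lib/jqueryFileTree.php; names and demo tree are constructed.
// Map a requested folder to a real directory, to the empty jail folder, or to null (request rejected).
function resolveListingTarget(string $contentRoot, string $requested, string $jailDir): ?string
{
    $requested = rtrim($requested, '/');
    if ($requested !== 'content' && strpos($requested, 'content/') !== 0) {
        return null; // must begin with content/
    }
    $relative = $requested === 'content' ? '' : substr($requested, strlen('content/'));
    if (in_array('..', explode('/', $relative), true)) {
        return $jailDir; // any ../ segment locks the caller into the jail
    }
    // Resolve symlinks too, then confirm the result still sits under the content root.
    $root = realpath($contentRoot);
    $target = realpath($contentRoot . '/' . $relative);
    if ($target === false || strpos($target . '/', $root . '/') !== 0) {
        return $jailDir;
    }
    return $target;
}
// One level only (no recursion); .htaccess is never shown.
function listOneLevel(string $dir): array
{
    $entries = [];
    foreach (scandir($dir) as $name) {
        if ($name === '.' || $name === '..' || $name === '.htaccess') {
            continue;
        }
        $entries[] = is_dir("$dir/$name") ? "$name/" : $name;
    }
    sort($entries);
    return $entries;
}
// Constructed demo tree under the system temp dir: content/docs/{readme.txt,.htaccess}, content/jail/, private/
$base = sys_get_temp_dir() . '/vanilla_listing_demo_' . getmypid();
mkdir("$base/content/docs", 0700, true);
mkdir("$base/content/jail", 0700, true);
mkdir("$base/private", 0700, true);
file_put_contents("$base/content/docs/readme.txt", 'hello');
file_put_contents("$base/content/docs/.htaccess", 'Deny from all');
foreach (['content/docs', 'content/../private', 'private'] as $request) {
    $target = resolveListingTarget("$base/content", $request, "$base/content/jail");
    $shown = $target === null ? 'rejected' : (implode(', ', listOneLevel($target)) ?: '(empty jail)');
    echo "$request -> $shown\n";
}
```

The lexical ../ check alone would not catch a symlink placed inside content/ that points outside it, which is why the realpath comparison is kept as a second layer.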

