Custom folders

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

12/15/2010 7:03:06 PM
Total Posts 5

Custom folders

Hi, I am working on a project for some clients that would like to make it harder for hackers to discover it is a mojoPortal site. One telling characteristic is that when you look at the html source code you see this Data\Site or Data\image or mojosite, etc. They would like it to be more like php sites that allow you to change the default folders, for instance create a class that holds environment variables such as DataFolder, SiteFolder and, instead of hard coding urls into the code which prevents URL rewriting of these (for instance like the IEInclude control)... add a urlrewrite format to a database or .config file that is accessed to hide hard coded values and map to the changed folder locations based on the environment value. My question is this... I know where some of the hard-coded values are but I want to make sure I am not missing anything and I don't want to spend ages on this, so could you tell me where they are referenced, for instance in SiteUtils methods (all relevant). Upgrading will not be as much of a hassle as I am also coding a partially automated upgrade process that works out a lot of the kinks that may occur.

Also I want to remove the e-commerce and add my own. I know there are three projects I need to unload or remove. Is there anything else I should be aware of (any lingering remnants)?

12/16/2010 10:52:58 AM
Total Posts 18439

Re: Custom folders

There are about a zillion ways a person familiar with mojoPortal could determine if a site is using mojoPortal and I suspect that is also true of most popular cms systems, blog platforms, forums, image galleries, etc.

If that is important to you and/or your client to really be able to obscure what cms you are using and you know of another platform where it is possible for you to really do that then you should probably use that platform for your project.

It is not a goal for this project to provide that level of obscurity and I don't think obscurity offers much in the way of security.

Best,

Joe

12/16/2010 10:58:31 AM
Total Posts 2239

Re: Custom folders

Hi,

To drive Joe's point home, take a look at the source view of http://www.whitehouse.gov. It will take you all of two seconds to figure out that it is running Drupal. If the White House doesn't think obfuscating their CMS platform is important, I don't think it is something we should worry about too much. Just my two cents.

On the ecommerce deal, the Web Store is included with mojoPortal but it is separate from the core so you can easily remove it by removing the projects for it. You can also take a look at this page: http://www.mojoportal.com/producing-a-minimal-build-without-features.aspx for guidance on this type of thing.


Joe D.

12/16/2010 2:37:03 PM
Total Posts 5

Re: Custom folders

I appreciate your 2 cents... I think, but it is a task that will still be done. I was just hoping for a little guidance to doing it, not guidance to not doing it. www.whitehouse.gov is an informational site meant for the public in that way. I don't think pentagon secrets are listed on that database so in the scope of things that is irrelevant. Obscurity is a form of security; while it may not deter... it can slow things down a bit and it must be used with other security measures. For instance a feature of Url Rewriting is that it obscures the real names of a requested resource. As a security professional we warn against using that as an only measure because it does not provide a proper level of security but it is good in conjunction with others. I have looked at other CMSs that provide this but they lack other things so I decided to take on the task here. I appreciate the tip on the Webstore... I just wanted to make sure my assumption was correct as there are values that are hard coded. I wanted to make sure to completely remove all remnants of the web store with no stragglers. We all have our opinions. I just wanted some that will help speed up my goal. I have already started and I know how to traverse code... I was just hoping for an answer to the question that was asked... a general location of these hard coded values such as SiteUtil methods, controls if they don't call SiteUtil methods. Thanks anyway. I know other ways such as the search algorithm used, which is also on our list of revamping (i.e. the forum for those clients that need one). I looked at a few and weighed which one I would have to change the least to achieve our goals. Like adding support for object qualifiers and an interactive install wizard so customers need not know code and need not touch the web.config file at all to prevent accidental changes and etc...

P.S

There are also other reasons to change default folders as well, as I've seen requested on this forum. Some people had to find other CMSs instead of changing their hosting to get results. Hearing it can't be done for an open source project (per other forum posts on this site) makes it sound not all that open.

Just my cents

Thanks I just thought the community would be more community like and want to offer a way to achieve a goal faster.

12/16/2010 3:10:13 PM
Total Posts 18439

Re: Custom folders

Hi,

I agree with you that obscurity is a form of security and if you can get obscurity easily in addition to actually securing the needed resources then that is great, but in this case it is really not practical. I could spot a mojoPortal site by the markup and css without any urls and I feel confident that is true of many other applications both closed and open source. The web browser is meant to consume code of html, css and javascript so it is open and does not really hide things well by its nature and one works against the grain by trying to make it do that.

You can spend a lot of effort on trying to do that if it is a goal for you but it is not a goal for this project and even in open source projects someone is in charge of goals. If you want to say it's not open if you don't get your way that is up to you. Now if you actually learned all the source code and proposed a solution plan that makes sense that would be different; maybe I would be so impressed with your solution that I would consider it, but for now that is not my goal for the project.

Sorry but I cannot enumerate where all the places in the code are that might have hard coded paths or path fragments. You will do better with VS search tools.

Best,

Joe

12/16/2010 4:10:26 PM
Total Posts 1203
Proud member of the mojoPortal team


Re: Custom folders

As you work on these projects, I do think you should submit your code changes to Joe Audette for consideration. If they are focused, well done, and do not negatively impact existing mojoPortal sites (i.e. all changes are fully-backward compatible, and the upgrade process will not require users to make configuration changes in order to keep using their sites as-is), I'm pretty sure that Joe will give fair consideration to incorporating them into the mojoPortal core. I speak from experience on this, having just made some changes to allow fallback LDAP authentication that will benefit our site and others who want to work the way we do. Having your changes incorporated into the core will also benefit you tremendously, since you won't be left maintaining a dead-end code fork. Since you are so security-conscious, I'm sure you can appreciate how important it is to be able to upgrade as soon as possible when security issues are discovered.

Changes to obscure the CMS type are not very compelling to me, since part of how we give back to mojoPortal is by leaving the "powered by" link on our sites. But I would definitely be interested in seeing what you can come up with for an installation wizard (and hopefully a companion upgrade wizard, since mojoPortal upgrades happen quite often). It would be very nice to have an easier way to manage all of the user.config/web.config keys. And I would find improvements to the search quite welcome as well.

About the community comment, I'll try not to take offense, but you should know that mojoPortal is a bit different than a lot of other open source projects--Joe has literally dedicated his life to this project, now that it is his sole source of income (from add on products, etc.).

Jamie

12/16/2010 4:23:09 PM
Total Posts 2239

Re: Custom folders

Hi,

No, the White House website more than likely doesn't use a DB that also stores Pentagon secrets. But, what if someone wanted to hack the White House website and put their own propaganda on the site? Knowing the CMS might shave off two seconds of hacking effort. The point is that if a website as high profile as the White House website doesn't care to obfuscate their chosen CMS, I am not going to worry about obfuscating mine.

I am sorry that I came across in a way that offended you in my earlier message, I was merely trying to make the point that obfuscation of one's CMS platform isn't really much of a security mechanism, like most other security through obscurity measures.

I do not feel the settings that must be made to install mojoPortal are all that hard to understand or figure out. But, an installation wizard could prove beneficial if it kept best security practices in place such as not requiring the entire site to be writable by the web-process user to make changes to the web.config. In order for the wizard to then make those settings, that are currently in the web.config, they would need to be moved to a different type of configuration system that didn't use the web.config at all. That's something to think about for sure but I know it will not be a trivial task to accomplish.

On a lighter note, maybe the White House example isn't all that great considering the leaking of government secrets to media recently... no

Thanks,
Joe D.

12/17/2010 6:46:21 AM
Total Posts 18439

Re: Custom folders

Before anyone starts working on obscuring the file system paths or a setup wizard they should know that while I said "maybe I would be so impressed with your solution that I would consider it", the reality is that it is highly unlikely that a solution will be proposed that I would accept, I was only saying it is not outside the range of possibility but it is certainly outside the range of "likely". I was trying to be nice.

The most likely outcome is I will not accept it, so consider the possibility that if you fork the code to meet this need you are on your own and maintaining your fork and that will likely be worse in the long run in terms of security if you are not able to get my updates easily.

The reasons why I say it is unlikely are:

  1. I was not exaggerating when I said there are a zillion ways to determine what cms you are using. I really could spot mojoPortal based on css classes in the markup alone (and many many other ways) so it is fruitless to think you could hide mojoPortal by changing some paths.
  2. Any solution to a complex problem is likely to be a complex solution and complexity is the enemy of security, so it seems extremely unlikely that I would accept a lot of complexity to help create obscurity.
  3. I am fairly confident that if I wanted to I could very easily write a program to guess the cms used at any url by making analysis of the markup and running tests to guess the cms; the presence of markup signatures, the existence of files at certain paths and many other things could be used to create a probability score of which, if any, well known cms a site is using. One could try and try to obscure it but I bet I could continue to detect it by a variety of methods.

Also it is difficult to take seriously this approach that claims we need this obscurity to improve security from someone who calls himself a "Security Professional" and then in the next sentence suggests a Setup Wizard so that web code can write to the Web.config file, which is a very bad idea from a security point of view and I have discussed it here already:

http://www.mojoportal.com/why-custom-features-should-be-installed-by-ftp.aspx

I can say for sure we will not be doing anything to make the web code modify the web.config file in mojoPortal.

Anyway since others chimed in with encouragement of this I thought I should clarify my position so there is no confusion.

Best,

Joe

12/17/2010 7:11:28 PM
Total Posts 5

Re: Custom folders

"Also it is difficult to take seriously this approach that claims we need this obscurity to improve security from someone who calls himself a "Security Professional" and then in the next sentence suggests a Setup Wizard so that web code can write to the Web.config file which is a very bad idea from a security point of view and I have discussed it here already:"

I think your response is this way because you are assuming the implementation. Your problem, not mine. You are also assuming that I am trying to change the CMS that "you" use by the fact that "you" keep saying "we" don't think "we" need this. And if you were my client... I would leave it at that. You are also assuming that you have to be the one that corrects the security holes that may be found at a later date. I realize the results of creating a fork as well as other ways of discovering that mojoPortal is the CMS used. But the scope of my question was just that... in a scope. I am here to serve my client's needs. I would be interested in submitting code to you but by the looks of the massive amounts of code that has your name on it... you don't allow other participants often. If I am wrong about that assumption... I apologize. I appreciate the input but I will take it from here. Many businesses use open source because of the ability to adapt it to "their" business needs, so it's not surprising that there are many forks in the road that you may not be aware of and are maintained by in house personnel. Sorry I bothered to inquire. Take care. Thanks for your contributions.

12/17/2010 9:46:28 PM
Total Posts 5

Re: Custom folders

And by the way, so you will know where I am coming from and why I say you are off the beaten path when it comes to answering this question: I have already coded a custom CSS change that does not break older installations but allows clients to implement their own css classes as "they" see fit for whatever reason they decide they want to do this. It's their world. It allows them to use old skins and their new custom skins. I know how to code and prevent breaking changes, I just wanted to speed up the process with community input. But sorry for asking too much. Thanks and I'll take it from here. And thanks Joe D. for the lighter note. It definitely lightened the mood until the reply after you. And I know you feel the settings aren't hard to understand, neither do I, but that's probably because you and I are from this background. Looking at other perspectives like from business users who don't come from a development background - they won't even consider this CMS because it gives them too much anxiety. For instance I had a client who wanted to be able to do things himself so he would not have to call me as much. Since DNN has an easy Installation Wizard among other things (but this stood out for him - it was his business need), I gave him a comparison between the two. He needed it quick and he did not want to become familiar with the back-end. He could care less about the implementation but the wizard swayed him. Changing the files to him was akin to having a computer that only boots to a command prompt - not great for the visual learner.

12/18/2010 7:09:00 AM
Total Posts 18439

Re: Custom folders

Installation is an infrequent activity and I don't think one should make the Web.config file writable in order to make an infrequent activity more convenient at the expense of security, which is a daily concern. If your customer is happy/happier with a web app that requires all files to be writable that is not my concern but yours and his.

If you find my work useful great, if not great. I gave a candid response with my real thoughts on the matter. Sorry you find my answers so unreasonable, but it is not my goal to please everyone.

Good luck in your endeavors.

Joe
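A check for the point Joe D. and Joe both make above, that web.config should not be writable by the web-process user: the PowerShell script below is an added example, not code from this thread or from mojoPortal, and it audits the ACL on a site's web.config for the IIS worker identity and the broad groups it belongs to. The site path and the app-pool identity are assumed placeholders.

```powershell
# Added example, not from this thread or from mojoPortal.
# Audits whether the IIS worker identity can write to web.config.
# $SiteRoot and $WorkerIdentity are assumed placeholders; adjust for your server.
param(
    [string]$SiteRoot       = 'C:\inetpub\wwwroot\mojoportal',   # assumed
    [string]$WorkerIdentity = 'IIS AppPool\DefaultAppPool'        # assumed
)

# Groups the worker identity is normally a member of, so an ACE granting
# them write access is as bad as one naming the app pool directly.
$broadPrincipals = @(
    'BUILTIN\IIS_IUSRS',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Any of these rights lets the file be modified.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WriteGrants {
    param([string]$Path, [string]$Identity)
    $principals = @($Identity) + $broadPrincipals
    $acl = Get-Acl -Path $Path
    # Return the Allow ACEs (explicit or inherited) that grant a write-class
    # right to the worker identity or to a broad group containing it.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $principals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$writeRights)) -ne 0
    }
}

$target = Join-Path $SiteRoot 'web.config'
$grants = @(Get-WriteGrants -Path $target -Identity $WorkerIdentity)
if ($grants.Count -gt 0) {
    Write-Warning "$target is writable by the web process via:"
    $grants | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "$target is not writable by $WorkerIdentity (or its groups)."
}
```

Inherited ACEs are reported too, since a grant on the site root that flows down to web.config has the same effect as one set on the file itself.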
