Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is showing TCM ID on th the public website a security issue?

Is showing TCM ID on the SiteEdit instruction on the public website a security issue? My thoughts are it should not be an issue since Tridion is behind the firewall. I want to know the experts opinion.

like image 715
user1373140 Avatar asked Aug 08 '12 18:08

user1373140


3 Answers

I think you're asking the wrong question here. It is not important whether those SiteEdit instructions are a security risk, they should only be present on the publishing target(s) where you use SiteEdit. On any other target they just needlessly increase the size and expose implementation details that are not relevant to the visitors of that target.

So unless you enable SiteEdit on your public web site (highly unlikely), the SiteEdit instructions should not be in the HTML.

like image 200
Frank van Puffelen Avatar answered Oct 20 '22 13:10

Frank van Puffelen


It depends on the level of security you require. In principle, your security should be so good that you don't rely on "security by obscurity". You should have modelled every threat, and understood it, and designed impregnable defences.

In real life, this is a little harder to achieve, and the focus is more on what is usually described as "security in depth". In other words, you do your best to have impregnable defences, but if some straightforward disciplines will make it more difficult for your attacker, you make sure that you go to that effort as well. There is plenty of evidence that the first step in any attack is to try to enumerate what technology you are using. Then if there are any known exploits for that technology, the attacker will attempt to use them. In addition, if an exploit becomes known, attackers will search for potential victims by searching for signatures of the compromised technology.

Exposing TCM URIs in your public-facing output is as good as telling an attacker that you are using Tridion. So, for that matter, is exposing SiteEdit code. If you use Tridion, it is utterly unnecessary to do either of these things. You can simply display a web site that gives no clues about its implementation. (The ability to avoid giving these clues will be a hard requirement for many large organisations choosing a WCMS, and Tridion's strength in this regard may be one of the reasons why the organisation you work for chose to use it.)

So while there is nothing in a TCM URI which of itself causes a security problem, it unnecessarily gives information to potential attackers, so yes, it is a security issue. Financial institutions, government organisations, and large corporations in general, will expect you to do a clean implementation that gives no succour to the bad guys.

like image 37
Dominic Cronin Avatar answered Oct 20 '22 15:10

Dominic Cronin


I would argue that it does not really present an issue. If there are holes in the firewall that can be breached, an attacker may find a way to get through regardless. The fact that there is a Tridion CMS installation behind the firewall is somewhat irrelevant.

Whether you have the URIs in your source code or not, your implementation should be secured well enough that the knowledge gained by knowing that you have a Tridion CMS is of no value to a hacker.

like image 3
Chris Summers Avatar answered Oct 20 '22 14:10

Chris Summers