Facebook engineering is at it again! Yesterday, Pysa was released, a static analyzer that detects common security issues based on dataflow in Python code. https://engineering.fb.com/security/pysa/
Recently, I was looking for something simple for the more “corporate”-y side of web things. I tried some PHP-based CMS. For looks and simplicity I decided to focus on one of the lesser-known ones (i.e. not the workhorse that Drupal is).
At first, I tried to set up SSL traffic between a managed MySQL instance and the CMS instance – no easy way to include a certificate, even after digging a bit into the config file. “OK”, I mumbled, “I guess I can live with this and keep my traffic local”.
What killed the deal for me was that, after setting up the DB connection, the CMS decided, and rightly so, to do a self-test. I hadn’t touched anything in the filesystem up to this moment, so I was expecting a warning, but then I got hit by this: “Ensure all the listed files exist and are writable by the server. This normally involves CHMODing them 777”.
I was left speechless. We are in 2020 and software still suggests chmod 777 as part of the installation process. No wonder I promptly deleted the installation: if that is the basic security stance, who knows what evils lurk within?
Sorry, my dear PHP CMS of some popularity, I prefer to keep you at arm’s length from now on.
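For contrast, here is the least-privilege alternative an installer could ask for instead of chmod 777: world read-only, group write limited to the paths the CMS actually needs, plus an audit for anything still world-writable. This is an added example, not code from the post or from the CMS it describes; the web root, the web server group and the list of writable paths are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example: least-privilege permissions for a web-app tree instead of 777.
# Assumptions: $1 is the web root, the remaining arguments are the relative
# paths the installer's self-test listed as needing write access.

# Print every world-writable file or directory under $1, one per line.
find_world_writable() {
    find "$1" -perm -o+w -print
}

# Count world-writable entries under $1; a hardened web root returns 0.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Restrict the tree: owner rw, group r, world r (dirs get the search bit),
# then grant group write only on the listed paths. The web server then gets
# write access through its group, never through "other". In production,
# run "chgrp -R <webserver-group> <root>" first (e.g. www-data on Debian).
restrict_cms_writable() {
    root=$1
    shift
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for rel in "$@"; do
        if [ -d "$root/$rel" ]; then
            # setgid on directories keeps new files in the server's group
            chmod 2775 "$root/$rel"
        else
            chmod 664 "$root/$rel"
        fi
    done
}

# Return 0 if $1 is group-writable, 1 otherwise (portable across GNU/BSD find).
is_group_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -g+w)" ]
}
```

Running `count_world_writable /var/www/site` after installation is a cheap check that no 777 advice was followed.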