There has been a lot about the Shellshock vunlnerability in the media, that has it’s roots in the bash command line tool on Linux and Unix environments. for hackers, coders and system administrators there are issues that should be checked out.
However whenever I see security horror shows like we have seen recently, I am reminded that many of these are dangerous for the unsophisticated, lazy and stupid. Unsophisticated users may create websites with many security issues and not know what to avoid. The lazy are those professionals who don’t take proper steps when settting up systems and machines, the stupid, I reserve for the arrogant who fail to secure systems.
In looking at this issue, there is much hyperbola, such as in this article and this self serving one. Symantec want’s to sell software. This is not going to lay waste to the internet.
A few facts. For most Mac users, shell scripting using bash is not enabled and Apple added security on top of its unix. Small home routers generally use smaller scale implementations of linux, using busybox, largely for performance reasons. Windows computers are not a problem, at least for this issue. Most large systems are likely sitting behind firewalls and many linux and unix systems can’t be accessed from the outside. The vulnerability is predominantly related to systems that lie outside of firewalls and webserver software. Even commodity webhosting platforms like cpanel/whm have auto update running and update software without human intervention.
Here is a list of security tips that can help.
- Disable cgi on apache or remove ExecCGI from vhosts.
- If you run php on Apache. engable suphp to tighten security.
- disable shell access for accounts that webservers run under, particularly apache.
- Use a more modern apache, or nginx and run what ever you can under fast-cgi, which is more secure.
- Enable security plugins like mod_security on apache, and the suhosin module, howeber suhosin can be overkill for some users, remove it with care.
- Remove cgi scripts or if they are absolutely necessary secure them.
- Do not run applications like bugzilla on mod_cgi unless they are not accessible beyond the firewall.
- Remove bash as the default shell on system accounts.
- Update bash.
- disable and remove vulnerable software outside of the firewall.
Over the last months I have been working on a personal project of a cause that I care about. Helping more dogs and cats and other pets to get adopted and not fall through the cracks and be destroyed due to overcrowding in local shelters. Petfinder is an organization that a lot of smaller shelters work with and provides an xml api to their data that other developers can use. I have three sites which are based on the same source code and same data, one nyc-adopt-a-pet.com which has all the information, nyc-adopt-a-cat.com which has a filtered data set which is for shelters that have cats or specialize in cats and nyc-adopt-a-dog.com which has the same for dogs.
The sites are built using the CodeIgniter php application framework, which has worked resonably well. I use Zend Framework a lot at work, and I might have chosen Zend if I started today, but for a site of the scale I am working on CodeIgniter works well. CodeIgniter is efficient in design and coding, but has a bit of ugliness underneath the core. I built classes which can make requests to petfinder’s api. For the content that is more constant, I built utilities to pull using the xml api (using the classes) the shelters that I was interested in (I chose the tri-state area). Then the imports were converted using another script into insert and update statements.
For more dynamic content I use direct access to the petfinder api, for instance for a random pet feature they have. Initially the features I didn’t want to build I linked out to petfinder’s site. Later I have built out more. I have also integrated twitter, facebook, the openx adserver, and joomla to help with more content which would involve less building of code. Side bars content is built using jquery using an ajax implementation, allowing the sidebar content to be integrated dynamically, which can come from either random pet pictures, petfinder’s random pet feed or the adserver. To improve the design, I have integrated Webfonts into the site using adobe’s api.
I have wanted to build a state of the art mobile site for this as well. Unfortunately petfinder’s mobile presence is very inconsistent with petfinder’s web presence in terms of url structure and how it can be integrated, so I knew I would have to build all the features that I wanted to present. I have worked with jquery over the years and like a lot of things that this framework can do. I have seen people build mobile functionality with it, but until the jquery mobile came out it seemed much more work. I have been working using jquery mobile which works resonably well. It has some deficiencies, for instance css fixed positioning doesn’t work as well on android 2.3 and earlier, the transitions can be a little jumpy, but in general it works.