How about Orchard CMS system security compliance? Is it robust enough to deal with sensitive information?

Topics: General
Jul 28, 2013 at 12:24 AM
How about Orchard CMS system security compliance? Is it robust enough to deal with sensitive information?

Thanks!
Coordinator
Jul 28, 2013 at 12:25 AM
Compliance with what?
Jul 28, 2013 at 9:02 AM
With any industry security standard.
Coordinator
Jul 29, 2013 at 8:09 AM
You'd have to be more specific than that. Also, are you ready to take the system through the specific standard that you have in mind in order to verify the compliance that you're asking for yourself?
Developer
Jul 29, 2013 at 9:18 AM
Do you have a URL to the Specification/Security Standard you are talking about?
Aug 2, 2013 at 1:16 PM
You'll have to split your question up; a secure system deals with:
  • Orchard
  • Server environment
  • Custom modules
  • Users
Orchard has no known issues, but you'll have to look into password complexity rules.
The server hardening is up to you: remove unused Windows services, IIS modules, firewall settings, DB encryption, etc.
Custom code and 3rd party modules are also your responsibility; for example, the Contrib.Profile has some huge security leaks by default.
And a secure system can become insecure by your users.
Aug 3, 2013 at 4:39 PM
for example the Contrib.Profile has some huge security leaks by default
I didn't find any hint about security issues on https://orchardprofile.codeplex.com - Do you have any information about the security leaks in Contrib.Profile?

Would it make sense to collect information about known security issues in add-ons in a common location?
Aug 4, 2013 at 6:40 PM
The hints are in the forks, like this piece of text:
Provides several fixes for the profile module.
  • Security fix with permissions not being handled correctly
  • Fix for a security hole where users can edit their own roles
  • Various fixes

Maybe Sebastien can go and fix these; he is admin on this project.