| author | Yorhel <git@yorhel.nl> | 2016-11-27 10:15:19 +0100 |
|---|---|---|
| committer | Yorhel <git@yorhel.nl> | 2016-11-27 10:15:19 +0100 |
| commit | 6a04b3278bb6e2bedbe169870314eff7d5de33da (patch) | |
| tree | ef0b66773270f15e87ac5ee46c844af1c2f1459e /lib/Multi/API.pm | |
| parent | a9df5c8d7e22874d37938b27913f239ce31f9414 (diff) | |
SQL: Use separate role for the website + disallow access to user data
Previously the website was connected to the database with a "database
owner" user, which has far too many permissions. Now there's a special
vndb_site user with only the necessary permissions. The primary
reason to do this is to decrease the impact if the site process is
compromised. E.g. it's now no longer possible to delete or modify old
entry revisions. An attacker can still do a lot of damage, however.
Additionally (and this was the main reason to implement this change in
the first place), the user sessions, passwords and email data are no
longer easily accessible. Hopefully, the new user management
abstractions will prevent email and password dumps in case of an SQL
injection or RCE vulnerability in the site code. Of course, this only
works if my implementation is fully correct and there's no privilege
escalation vulnerability somewhere.
Furthermore, changing your password now invalidates any existing
sessions, and the password reset function is disabled for 'usermods'
(because usermods can list email addresses from the database, and the
password reset function could still allow an attacker to gain access to
anyone's account).
I also changed the format of the password reset tokens, as they totally
don't need to be salted.
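The PostgreSQL script below is an added illustration of the role split the commit message describes; it is not code from this commit or from VNDB's repository, and apart from the vndb_site role name, every table, column and function name in it is an assumption. It shows the three pieces the message relies on: a login role with no implicit privileges, column-level grants that keep mail and password hashes out of reach of the site process, and SECURITY DEFINER functions through which the site can verify a password, check a session and change a password (dropping all sessions) without ever selecting the hash itself.

```sql
-- Added example, not VNDB's schema or the code in this commit. Table,
-- column and function names are assumptions. Run as the database owner.

CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- crypt(), gen_salt(), gen_random_bytes()

-- The web process connects as this role instead of as the database owner.
CREATE ROLE vndb_site LOGIN PASSWORD 'change-me';

CREATE TABLE users (
  id       serial PRIMARY KEY,
  username text   NOT NULL UNIQUE,
  mail     text   NOT NULL,
  passwd   text   NOT NULL                -- assumption: crypt()/bcrypt hash
);

CREATE TABLE sessions (
  uid   integer NOT NULL REFERENCES users(id),
  token bytea   NOT NULL,
  PRIMARY KEY (uid, token)
);

CREATE TABLE changes (                    -- assumption: append-only revision log
  id        serial      PRIMARY KEY,
  requester integer     NOT NULL REFERENCES users(id),
  added     timestamptz NOT NULL DEFAULT now(),
  comments  text        NOT NULL DEFAULT ''
);

-- Nothing is implied: the site role gets only what is granted below.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC, vndb_site;
GRANT USAGE ON SCHEMA public TO vndb_site;

-- Revisions can be appended but never rewritten or deleted by the site.
GRANT SELECT, INSERT ON changes TO vndb_site;
GRANT USAGE ON SEQUENCE changes_id_seq TO vndb_site;

-- Column-level grant: the site can list users but cannot read mail or passwd.
GRANT SELECT (id, username) ON users TO vndb_site;
-- No grant on sessions at all: tokens are reachable only via the functions.

-- SECURITY DEFINER runs the body with the owner's rights, so the site can
-- verify a password and mint a session without selecting the hash. Pinning
-- search_path stops a caller from shadowing crypt() or the tables.
CREATE FUNCTION user_login(p_name text, p_pass text) RETURNS bytea
  LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE
  v_uid integer; v_hash text; v_tok bytea;
BEGIN
  SELECT id, passwd INTO v_uid, v_hash FROM users WHERE username = p_name;
  IF v_uid IS NULL OR crypt(p_pass, v_hash) <> v_hash THEN
    RETURN NULL;                  -- same answer for unknown user and bad password
  END IF;
  v_tok := gen_random_bytes(20);
  INSERT INTO sessions (uid, token) VALUES (v_uid, v_tok);
  RETURN v_tok;
END $$;

-- Per-request session check; exposes nothing but yes/no.
CREATE FUNCTION user_session(p_uid integer, p_tok bytea) RETURNS boolean
  LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp AS $$
  SELECT EXISTS (SELECT 1 FROM sessions WHERE uid = p_uid AND token = p_tok)
$$;

-- Password change: the caller must hold a valid session, and every session
-- of the account is dropped afterwards, as the commit message describes.
CREATE FUNCTION user_setpass(p_uid integer, p_tok bytea, p_new text) RETURNS boolean
  LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
BEGIN
  IF NOT user_session(p_uid, p_tok) THEN
    RETURN false;
  END IF;
  UPDATE users SET passwd = crypt(p_new, gen_salt('bf')) WHERE id = p_uid;
  DELETE FROM sessions WHERE uid = p_uid;
  RETURN true;
END $$;

-- New functions are executable by PUBLIC by default. Take that back and
-- grant only the site role; otherwise the SECURITY DEFINER functions are
-- exactly the privilege-escalation path the message worries about.
REVOKE EXECUTE ON FUNCTION user_login(text, text),
                           user_session(integer, bytea),
                           user_setpass(integer, bytea, text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION user_login(text, text),
                           user_session(integer, bytea),
                           user_setpass(integer, bytea, text) TO vndb_site;

-- Checks to run while connected as vndb_site after deploying:
--   SELECT mail, passwd FROM users;       -- must fail: permission denied
--   DELETE FROM changes WHERE id = 1;     -- must fail: permission denied
--   SELECT user_login('alice', 'wrong');  -- returns NULL, no error
```

The part that has to be "fully correct", in the message's words, is the set of SECURITY DEFINER functions: each one is code that runs with owner rights on attacker-controlled arguments, so it should take only the minimum inputs, return only what the site needs (a token or a boolean, never a row from users), pin its search_path, and have its PUBLIC execute grant revoked. An SQL injection in the site code then gets the site role's view of the database, not the owner's.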
Diffstat (limited to 'lib/Multi/API.pm')
0 files changed, 0 insertions, 0 deletions