Several security problems in the background of website management should not be neglected

Source: Internet
Author: User
Keywords Backstage whether website management neglect

Web site backstage, sometimes also known as http://www.aliyun.com/zixun/aggregation/8984.html "> website management background, refers to the management of the site's front desk a series of operations, such as: products, enterprise information, updates, delete and so on. Through the site management background, can effectively manage the site for visitors to access information. The background of the website usually needs the account number and the password and so on the login authentication, the landing information correctly verifies then enters the website backstage the management interface to carry on the related series of operations.

In fact, the real-time performance of the front and back systems is worse than expected. This is because the front and back systems assume that all tasks have the same priority, that is, equality, and that the execution of tasks is queued through the FIFO queue, so that those tasks that require high timeliness are not immediately addressed. In addition, because the foreground program is an infinite loop structure, once the task being processed in the loop body crashes, the other tasks in the entire task queue are not given an opportunity to be processed, causing the entire system to crash. Since such systems are simple in structure and require little additional overhead for ram/rom, they are widely used in simple embedded applications.

Now most of the site is static generation, generally speaking, as long as we do a good job in the background of the security site, is not a big problem. Therefore, the security of the background is easy to ignore, to do a good job in the background of the security site, we must do the following points

1. Is the background username and password saved in plaintext?

It is recommended that the nickname field be added to distinguish the user in the background, while the user name and password are MD5 encrypted, such as after the 15-bit string is intercepted.

2, whether the management members have the right to divide

Once the permissions are not divided, an edit user's account theft can also have disastrous consequences for you

3, whether has the management log function

The management log must not be deleted in the last few days, which is an important basis for analyzing intruders ' intrusion techniques.

4, backstage entrance is secret

Do not foolishly expose the entrance to the foreground page, or use a background entry address that is easily guessed.

5. Does the background page use the meta-robots protocol to limit search engine crawling

Google Toolbar, Baidu toolbar, or inadvertently appear in the background link may cause your background page was found by search engines, this time in the meta to write to prohibit the capture of the statement is a wise choice, but, do not write the background address to robots.txt, referring to the 4th.

6, the management of the page has been done to prevent injection

Careless programmers tend to consider only the injection of the front page.

7. Access has custom database backup capabilities

This is the most notorious feature of the asp+access system, and custom database backups allow intruders to easily get Webshell

8. Is there a custom SQL statement execution function

With the 7th.

9, whether to open the online modify template function

If it is not necessary, it is recommended that you do not open it to prevent easy insertion of cross-site scripting.

10. Directly display the data submitted by the user

Any time, the user's input is not credible, imagine if the other side entered a malicious JS, and you do not have any protection in the background under the circumstances to open?

11, the editor's vulnerabilities are cleared, whether the meaningless function has been removed.

The most famous example is Ewebeditor database vulnerabilities, default username password vulnerabilities, etc.

For the security of the site backstage, any part of the negligence can lead to disastrous consequences, site security, heavy responsibilities, we must always pay attention to.

Articles from http://www.920574.cn reprint please keep

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.