Re: opinions on CMSs (Drupal, Joomla, Mambo etc)

[Philip <subs%christiantena.net@localhost>]

There is only one person who updates the site, and he seems quite savvy.
I will have to talk to him and see how he feels about uploading native
html as you suggest.

I'm pretty sure that the original hack was a php hack.

Is there a way that maybe that the webmaster would be able to access the
CMS using an apache virtual server that only he can access, but which
then puts html content onto the file system that another virtual server
can see which is open to everyone?  That way the php (or whatever) could
be blocked to the Internet.

I wasn't aware that you could make a CMS create static html in that way.

thanks for the comments so far, Philip

Michael Smith wrote:
> On Mon, 25 Aug 2008 21:32:29 +0100
> Philip <subs%christiantena.net@localhost> wrote:
> 
>> Does anyone here have any strong opinions which CMS to go for, or to avoid?  
>> There are several
>> reviews around of CMSs but none of them say much about security.
> 
> For accounts where high security is required I update the html code offline 
> and upload it to the server with a distributed configuration management 
> system through SSH.
> 
> If you want a CMS for lots of non-skilled people to update the site then you 
> are just going to have to live with low security because they will be 
> vulnerable to social engineering attacks regardless of how good your 
> infrastructure is.