
How secure is ImpressPages? #667

Open
santo74 opened this issue Jan 13, 2015 · 8 comments

Comments


santo74 commented Jan 13, 2015

How secure is ImpressPages, and more interestingly: what precautions are being taken to make IP as secure as possible?
Are there any security audits performed?
Is there a release strategy in place regarding security-related fixes?

I understand security is a complex matter but some indications would be very interesting.

According to this site there was only 1 vulnerability detected in the past, which is obviously a very good score, but if there aren't any audits or other security-related tests, then that score probably doesn't tell us that much.
Also, there might be other vulnerabilities that were not included in this database.
E.g. I found this link as well, which refers to an exploit that was never included in the cvedetails database.

jankus (Contributor) commented Jan 13, 2015

Before major releases we go through a bug bounty program, which means we pay everyone who finds a security issue. Only when everything is fixed is the release published.

We always ask the community and other developers to check from their perspective for possible security issues. If something is found, we immediately release a fix. If website owners allow us to contact them, we send security notifications by email.

Is that good enough? Do you have any other suggestions?

santo74 (Author) commented Jan 13, 2015

Seems a fair approach to me, but I'm not a security expert by any means, so I can't judge whether that is sufficient or not ;-)

However, I do have some other suggestions that might improve the security of the product as well:

  • Review themes and plugins for security issues before publishing them. Maybe this is already done as part of the acceptance procedure, but I couldn't find any real evidence of it in the market quality guidelines or any other docs related to it.
  • Better separation of code (logic) and presentation (view), preferably by using a template engine such as Twig.
    The advantage is that it is much easier to override the output (of widgets/plugins/core/whatever), and at the same time it allows the code itself to be updated easily without affecting those overrides.
    As a consequence it's much easier and safer to update a plugin or other part of the code when a security issue has been detected.
  • Make it possible to update plugins and themes from within the admin panel as well, just like the IP core.
    This will make it a lot easier to update them, and therefore users will be less hesitant to update them, resulting in more up-to-date and thus safer IP installations.
  • Add an option in the admin panel that allows sending email notifications to the admin, or even better to a configurable list of recipients, whenever any type of update is available.

Therefore I also prefer many small incremental code updates that are easy to install rather than a few large updates once a year (or even less often) that might be much more difficult to install, but as far as I can see this is already the case with IP 👍

maskas (Member) commented Jan 13, 2015

Contributions are being reviewed, but we take no responsibility if there are bugs.

A new version of a plugin / theme can be installed by going to the market and pressing Install.

santo74 (Author) commented Jan 13, 2015

Of course I understand you aren't taking any responsibility if there are bugs in contributions; that seems obvious to me. But I was referring specifically to possible security issues in contributions, in which case you might simply reject the contributed plugin/theme until the issue is fixed.

Regarding the plugins / themes, I understand they can be installed from the marketplace, but I would love to see the possibility to update them with a click of a button whenever that is required (e.g. an important security update or bug fix).
And as far as I understand, that's currently not possible: https://www.impresspages.org/plugin-update and https://www.impresspages.org/theme-update both clearly state that you have to re-install them completely in order to perform an update.

maskas (Member) commented Jan 13, 2015

Good point. I've just updated that page. https://www.impresspages.org/plugin-update

santo74 (Author) commented Jan 13, 2015

Thanks, I wasn't aware it was already possible.


jult commented Jun 6, 2019

Better not install or use this, as it is no longer being maintained against any of the recent security exploits.
Assume this project or its dev team is dead when the last edit to its code here was 2 years ago.
And it depends on Apache, while we're all using NGINX now.
And it has trouble with PHP 7.*

eazuka (Contributor) commented Jun 8, 2019

@jult you are responding to a question that was asked more than 4 years ago now?
First, to clear up your misrepresentation: ImpressPages works perfectly well with PHP 7.x, and I've been running ImpressPages on NGINX for many years with no issues. I'm not sure where you're getting your facts from.

With regard to ImpressPages, can you share with the community the recent security exploits you are referring to?
