[Security] SQL Injection

Posted: Tue Apr 27, 2010 2:34 pm
by mribeiro
Hi.

Is OpenKM protected against SQL Injection? Even in the queries that are in the XML?

Re: [Security] SQL Injection

Posted: Wed Apr 28, 2010 7:56 pm
by pavila
XPath queries can't modify anything. And with respect to SQL queries, well, we try to make OpenKM as secure as possible, but if you detect any security risk please notify us!

Re: [Security] SQL Injection

Posted: Wed Apr 28, 2010 9:00 pm
by mribeiro
I was talking about this one:

    <module-option name="principalsQuery">select usr_pass as PASSWD from users where usr_id=?</module-option>

I mean, when I'm logging in, if I inject SQL, will the attack be successful?

Re: [Security] SQL Injection

Posted: Thu Apr 29, 2010 8:18 am
by pavila
This is related to JBoss JAAS configuration. If you have problems with this you should try a JBoss forum.

Re: [Security] SQL Injection

Posted: Thu Apr 29, 2010 5:54 pm
by jllort
Have you tried to make some injection there? As Paco said, it is a JBoss module, not OpenKM; probably they open the connection internally as read-only, but you must ask the question in the JBoss forum.

It would be very strange for you to discover this bug in JBoss version 4.x when nobody detected it in older versions, but everything is possible. Really, if you've discovered a security bug, the JBoss team will be pleased if you inform them about it.

Re: [Security] SQL Injection

Posted: Thu Apr 29, 2010 6:10 pm
by mribeiro
I haven't discovered anything...
I'm using OKM for my school's final project and my teacher is always asking "are you sure this is safe?", "are you sure there are no major bugs or safety faults?", yada yada yada...

So I just asked the question because he didn't like to see the query there; according to him, it is awfully insecure...

Re: [Security] SQL Injection

Posted: Thu Apr 29, 2010 8:00 pm
by jllort
I'll be more clear. Only the administrator can access login-config.xml... in which scenario are you thinking the administrator wants to hack himself? I think it makes no sense... this machine has access to some database, the administrator has grants to connect from this computer; they don't need jboss-login.xml changes, they have grants directly to the database.

SQL injection is something different; the normal scenario is the web (or other kinds of applications, but the idea is the same): some web form collects data (field_X) that's used in a second form as part of a query such as:

    select * from table where table_row = $field_X   -- here SQL injection is possible

but if programmers write the queries right, like:

    PreparedStatement ps = conn.prepareStatement("select * from table where table_row = ?");
    ps.setString(1, field_X);   // field_X is bound as a value, never parsed as SQL

then the injection is not possible.

OpenKM is more secure than you're thinking and all operations made in the repository are logged (we comply fully with the Spanish data protection law); every operation from when a user logs in until they log out is totally registered. But if you want a high security level, first you must configure connections as HTTPS to prevent sniffers in the network...

90% of security problems come from a bad password policy; if you test a brute force at your school you'll probably be surprised with the results (depending on whether or not you have some password restrictions... it's a good idea to make some mandatory patterns for passwords). Really, for version 5.0 we'll implement some external configurable password pattern validators in accordance with some ISO.

There's no system that is totally secure, but some minor good practices make it less accessible. I've been working 14 years in the computer environment, I've been on both sides; hacking a system is not as easy as it sometimes seems in the cinema, but having bad practices is really easy, the typical post-it on the screen with user and pass, etc... sometimes I hear a phrase from one of the majors... "the only secure computer is buried in the desert without energy".

I'm feeling young again :)
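The prepared-statement point made in the post above, as an added example that is not part of the original thread or of OpenKM's or JBoss's code: the same password lookup written both ways against a constructed in-memory SQLite table. Python's sqlite3 stands in for JDBC here (its `?` placeholder works like PreparedStatement plus setString); the usr_id/usr_pass column names follow the principalsQuery quoted earlier in the thread, and the user rows and the malformed login value are constructed test data.

```python
import sqlite3

# Constructed sample data for this example: a tiny users table modelled on the
# usr_id / usr_pass columns of the principalsQuery quoted in the thread.
SAMPLE_USERS = [("okmAdmin", "password"), ("alice", "s3cret")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (usr_id text primary key, usr_pass text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def lookup_password_unsafe(conn, usr_id):
    """Vulnerable form: the caller-supplied value is spliced into the SQL text,
    so quote characters inside it are parsed as SQL instead of as data."""
    sql = "select usr_pass as PASSWD from users where usr_id='%s'" % usr_id
    return [row[0] for row in conn.execute(sql)]


def lookup_password_safe(conn, usr_id):
    """Parameterised form, the equivalent of a JDBC PreparedStatement with
    setString(): the value is sent as a bound parameter and is never parsed as SQL."""
    sql = "select usr_pass as PASSWD from users where usr_id=?"
    return [row[0] for row in conn.execute(sql, (usr_id,))]


def compare(usr_id):
    """Run both lookups on the same input and return (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_password_unsafe(conn, usr_id), lookup_password_safe(conn, usr_id)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal user name behaves the same in both forms.
    print("alice    ->", compare("alice"))
    # A constructed malformed login value: the unsafe query returns every row,
    # the parameterised one returns nothing because no such user exists.
    print("injected ->", compare("x' or '1'='1"))
```

The safe form also copes with legitimate values that merely contain a quote (a user name such as O'Brien breaks the concatenated query with a syntax error but is matched literally by the bound parameter), which is the other practical reason to prefer placeholders over string building.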

Re: [Security] SQL Injection

Posted: Thu Apr 29, 2010 8:06 pm
by mribeiro
LOool! I liked this sentence: "the only secure computer is buried in the desert without energy"!!

I've been looking at the source code, and yes, I'm surprised.
I'm no long-range programmer; I've been studying programming techniques since my 10th grade, so it will be 6 years. But you know, my teacher is kind of stubborn!
Well, if it is needed, I'll show him this post :P

Thank you all :)

And keep up the awesome work! :D