Elgg’s approach to the various security issues common to all web applications.
To report a potential vulnerability in Elgg, email firstname.lastname@example.org.
The only restriction that Elgg places on a password is that it must be at least 6 characters long by default, though this may be changed in
/elgg-config/settings.php. Additional criteria can be added by a plugin by registering for the
registeruser:validate:password plugin hook.
Passwords are never stored, only salted hashes produced with bcrypt. This is done via the standard
password_hash() function. On older systems, the
password-compat polyfill is used, but the algorithm is identical.
Elgg installations created before version 1.10 may have residual “legacy” password hashes created using salted MD5. These are migrated to bcrypt as users log in, and will be completely removed when a system is upgraded to Elgg 3.0. In the meantime we’re happy to assist site owners to manually remove these legacy hashes, though it would force those users to reset their passwords.
Elgg has a password throttling mechanism to make dictionary attacks from the outside very difficult. A user is only allowed 5 login attempts over a 5 minute period.
Elgg uses PHP’s session handling with custom handlers. Session data is stored in the database. The session cookie contains the session id that links the user to the browser. The user’s metadata is stored in the session including GUID, username, email address. The session’s lifetime is controlled through the server’s PHP configuration.
Elgg protects against session fixation by regenerating the session id when a user logs in.
This section is questionable.
Besides protecting against session fixation attacks, Elgg also has a further check to try to defeat session hijacking if the session identifier is compromised. Elgg stores a hash of the browser’s user agent and a site secret as a session fingerprint. The use of the site secret is rather superfluous but checking the user agent might prevent some session hijacking attempts.
This section is very hand-wavy
To replace Elgg’s default user authentication system, a plugin would have to replace the default action with its own through
register_action(). It would also have to register its own pam handler using
pam_authenticate() function used to call the different modules has a bug related to the importance variable.
You must enable SSL support on your server for any of these techniques to work.
To make the login form submit over https, turn on login-over-ssl from Elgg’s admin panel.
You can also serve your whole site over SSL by simply changing the site URL to include “https” instead of just “http.”
Filtering is performed through the function
filter_tags(). This function takes in a string and returns a filtered string. It triggers a
validate, input plugin hook.
By default Elgg comes with the htmLawed filtering code as a plugin. Developers can drop in any additional or replacement filtering code as a plugin.
filter_tags() function is called on any user input as long as the input is obtained through a call to
get_input(). If for some reason a developer did not want to perform the default filtering on some user input, the
get_input() function has a parameter for turning off filtering.
Elgg generates security tokens to prevent cross-site request forgery. These are embedded in all forms and state-modifying AJAX requests as long as the correct API is used. Read more in the Forms + Actions developer guide.
Elgg’s API sanitizes all input before issuing DB queries. Read more in the Database design doc.