[Hippo-cms7-user] Prevent javascript and JCR SQL injection in Hippo CMS.

Arje Cahn a.cahn at onehippo.com
Mon Jun 6 15:00:10 CEST 2011


I'd like to add that several Hippo customers have had security audits run by external parties to test the "hacker-proofness" of Hippo CMS. Generally, these tests run through the entire OWASP list (https://www.owasp.org) to find holes in the system. I hope you understand that I can't share these reports with you (they are confidential in nature), but I can tell you that it's certainly possible to set up your Hippo installation in a secure way. We helped these customers set up their systems in the right way, and we made sure all security issues were taken care of. Be aware that you always have to take security into account when setting up your architecture, whether it's Hippo or any other system. But I guess you are more than aware of that, and that that's the reason why you're sending this email :)

Of course, this doesn't give you any guarantees, but I hope it gives you an idea of how seriously we take security, and that Hippo is regularly tested for security holes.

On Jun 4, 2011, at 8:39 AM, M Nair wrote:

> This is related to https://issues.onehippo.com/browse/CMS7-2994 comments. Bart,
> can you explain in detail your comments on how JCR SQL is 1) read-only and 2)
> how it is less bad than RDBMS SQL injection?


Arjé Cahn

CTO, Hippo
a.cahn at onehippo.com / arje at apache.org

Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
