Paragon Initiative Enterprises Blog

The latest information from the team that develops cryptographically secure PHP software.

The PHP Security Platinum Standard: Raising the Bar with CMS Airship

We're excited to announce that the first official release of CMS Airship is now available to download and install.

For anyone who hasn't been following along with our development work over the past few months, CMS Airship is a secure PHP CMS developed by Paragon Initiative Enterprises.

CMS Airship utilizes strong side-channel resistant cryptography, solves the problem of secure code delivery, and provides a list of security benefits other PHP projects can't match.

PHP CMS Out-of-the-Box Security Comparison Chart

Platforms compared: CMS Airship, WordPress, Drupal, Joomla!

Note: A detailed technical breakdown of the security of the other CMS platforms is available.

  • Automatic Updates: The automatic updates you receive are secure against forgery even if our update server is compromised.
  • Prepared Statements: For preventing SQL Injection vulnerabilities.
  • CSRF Protection Everywhere: Plugins notwithstanding.
  • Context-Aware Output Escaping (one entry reads "Escapes on input"): For preventing cross-site scripting vulnerabilities.
  • Content Security Policy: CMS Airship lets you manage CSP and HPKP headers through a web interface.
  • HTTP Public-Key-Pinning
  • Password Hashing: CMS Airship: Argon2i; WordPress: Salted MD5; Drupal: SHA512Crypt; Joomla!: bcrypt. Read more about how to safely store users' passwords and why Argon2 is the best choice.
  • Two-Factor Authentication
  • Secure "Remember Me" Checkboxes: We outlined how to implement secure "remember me" checkboxes in PHP last year.
  • Login Brute-Force Resistance
  • Account Recovery: Opt Out
  • Account Recovery: GnuPG Encryption: CMS Airship allows users to provide a public key, which will be used to encrypt the outgoing account recovery emails.
  • Encryption: CMS Airship: Halite; WordPress: N/A; Drupal: N/A; Joomla!: Defuse v1* (* As of v3.5.0; before, JCrypt was insecure.)
  • Minimum PHP Version: CMS Airship: 7.0; WordPress: 5.2.4; Drupal: 5.5.9; Joomla!: 5.3.10. Read more about why low minimum PHP version requirements are bad for security.
  • Code Footprint: CMS Airship: 56,078; WordPress: 490,115; Drupal: 978,569; Joomla!: 851,019. Less code usually implies less room for bugs to slip in. This metric is useful for estimating the cost of a full audit.
  • Free / Open Source: CMS Airship: Github; WordPress: Trac; Drupal: Git; Joomla!: Github. All four are released under GPL.

CMS Airship is free software available under the GNU Public License. We also sell commercial licenses for companies that desire to use CMS Airship to develop non-GPL software.

What Airship Gives You, Out of the Box

Like most other platforms, CMS Airship is fully customizable with its own plugin system. If you don't like the way it looks, or how a certain feature is implemented, you can create and share a third-party extension that alters its appearance or behavior.

With that in mind, what follows is a list of benefits and features CMS Airship gives you without any third-party extensions.

A Robust, Self-Healing System

Should a security vulnerability ever be found in CMS Airship, the patch will be installed on your system within an hour of its release by our team. With Airship, you'll never have to feel the dread of these words that followed a Drupal SQL injection vulnerability:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

In addition to having rapid self-updating as a first-class feature, we've built the first PHP content management system that solves the triangle of secure code delivery. This triple-decker of extra security applies not only to core updates: community-developed extensions are signed by their developers' signing keys, synchronized through the entire network, and verified independently of our infrastructure. Even if our network is compromised, software authenticity is guaranteed!

Can any other CMS/blogging platform offer the same security guarantees, even outside of PHP?

The OWASP Top 10 is Mitigated

It should come as no surprise that we've pored over every line of code multiple times to ensure our code is free of any possible vulnerabilities, especially the OWASP Top 10 most common web application vulnerabilities. We maintain a list of entire bug classes you'll almost certainly never have to worry about with CMS Airship in the official online documentation.

The only entry on the OWASP Top 10 list that you may still have to watch out for is security misconfiguration, but only if you change any of the settings. CMS Airship is secure by default.

Sentinel - Our Suite of Authentication and Authorization Controls

Sentinel is a combination of best-in-class security features that provide you and your users with the best protection possible for free. Sentinel is a culmination of three years of cutting-edge PHP security and applied cryptography research, along with a plethora of security advisories for other free and open source software projects.

  • When you create an account on any Airship, your password is safely stored using Argon2i (provided by libsodium), and the hash is then encrypted with authenticated encryption.
  • CMS Airship rejects weak passwords (defined as any password with a Zxcvbn score less than 3). This means the most common passwords people use (and hackers are likely to guess) will not be accepted, nor will the obvious modifications of those common passwords.
  • When you check "Remember Me", a side-channel-resistant persistent authentication token is placed in a cookie on your computer, in accordance with the best practices we helped establish last year.
  • Two-factor authentication is included out of the box. Just scan a QR code into your 2FA app on your smartphone (e.g. Google Authenticator) and check a box.
  • Progressive rate-limiting. Every subsequent bad username/password guess forces anyone attempting to log in with that username or from the same IP subnet to wait an increasing amount of time, up to a configurable maximum delay (default: 30 seconds). This delay can be enforced in one of two modes: fast-fail ("You are doing this too fast. Please try later" and prompt exit) or a sleep.
  • Account recovery:
    • If you provide an OpenPGP public key (e.g. via GnuPG), your password recovery email will be encrypted with your public key. This benefit comes with zero additional configuration for GNU/Linux servers.
    • You can opt out of password reset emails entirely. This might be desirable if you use strong passwords and two-factor authentication but do not trust in the security of your email provider (or of SMTP itself, which provides opportunistic encryption).
    • Regardless of encryption, password reset emails send a link with a token (which follows a similar construction to "remember me" cookies to prevent timing leaks).
    • (Optional, enabled by default): When you use the account recovery feature (assuming it was enabled), all other sessions and long-term authentication cookies are immediately invalidated.
  • Flexible, powerful, and overall simple access controls:
    • You have contexts (which can overlap), based on the user's URI. Each context is a white list.
    • You have actions (e.g. "read", "create", "update", "publish") on a per-site basis. (CMS Airship supports a multi-site architecture out of the box.)
    • You have rules, which grant either a user or a group of users the ability to perform an action in a given context.
    • Groups can inherit permissions from other groups.
    • Users can belong to multiple groups.
    • If any of the groups you belong to are permitted to perform said action in a given context, then you are permitted.
    • When contexts overlap, you have to have permission for all relevant contexts.
    • If no permissions are defined, unless you are an administrator, the access controls will fail closed (deny).
    • All of this can be managed by checking or unchecking boxes in a table (for each context).
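The progressive rate-limiting bullet above, sketched as an added example (not code from CMS Airship). The doubling growth curve, the /24 and /64 subnet sizes, and all function and class names are assumptions; only the 30-second default maximum and the two enforcement modes come from the text.

```php
<?php
declare(strict_types=1);
const MAX_DELAY = 30; // seconds: the default maximum named above

/** Subnet of an address. Assumed sizes: /24 for IPv4, /64 for IPv6. */
function subnetKey(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('Not an IP address');
    }
    $bin = inet_pton($ip);
    return bin2hex(substr($bin, 0, strlen($bin) === 4 ? 3 : 8));
}

/** Delay after $n consecutive failures. Doubling is an assumed growth curve. */
function delayFor(int $n): int {
    return $n < 1 ? 0 : min(MAX_DELAY, 2 ** min($n - 1, 10));
}

final class LoginThrottle {
    private $state = []; // key => [failure count, time of last failure]

    private function keys(string $user, string $ip): array {
        return ['user:' . strtolower($user), 'net:' . subnetKey($ip)];
    }
    public function recordFailure(string $user, string $ip, int $now): void {
        foreach ($this->keys($user, $ip) as $k) {
            $this->state[$k] = [($this->state[$k][0] ?? 0) + 1, $now];
        }
    }
    /** Seconds left before another guess is evaluated (0 = go ahead). */
    public function remaining(string $user, string $ip, int $now): int {
        $wait = 0;
        foreach ($this->keys($user, $ip) as $k) {
            [$n, $last] = $this->state[$k] ?? [0, 0];
            $wait = max($wait, $last + delayFor($n) - $now);
        }
        return $wait;
    }
}

$t = new LoginThrottle();
$now = 1000; // constructed clock, in seconds
for ($i = 0; $i < 6; $i++) {
    $t->recordFailure('alice', '203.0.113.7', $now);
}
// Fast-fail mode refuses while remaining() > 0; sleep mode would sleep() that long.
foreach ([['alice', '198.51.100.9'], ['carol', '203.0.113.200'], ['carol', '198.51.100.9']] as [$u, $ip]) {
    $wait = $t->remaining($u, $ip, $now + 5);
    echo "$u from $ip: ", $wait > 0 ? "fast-fail, retry in {$wait}s" : 'proceed', "\n";
}
```

The constructed requests cover the targeted username from a new address, a different username from the same subnet, and an unrelated pair, so both throttle keys are exercised.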
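The access-control rules listed above (overlapping contexts, per-group grants with inheritance, fail-closed default) can be read as a small decision procedure. This is an added example, not CMS Airship's implementation; the policy data, the regex form of a context, the always-allowed administrator, and the names `can()` and `effectiveGroups()` are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed sample policy; names and layout are assumptions, not Airship's schema.
const CONTEXTS = [              // context => URI pattern (each one is a white list)
    'blog'       => '#^/blog(/|$)#',
    'blog-admin' => '#^/blog/admin(/|$)#', // overlaps with "blog"
];
const GROUP_PARENT = ['editors' => 'writers', 'writers' => null]; // child => parent
const USERS = [
    'alice' => ['groups' => ['editors'], 'admin' => false],
    'bob'   => ['groups' => ['writers'], 'admin' => false],
    'root'  => ['groups' => [],          'admin' => true],
];
const RULES = [                 // [context, action, 'user'|'group', subject]
    ['blog', 'read', 'group', 'writers'],       ['blog', 'publish', 'group', 'editors'],
    ['blog-admin', 'read', 'group', 'editors'], ['blog-admin', 'publish', 'user', 'alice'],
];
/** A user's groups plus every group those inherit from. */
function effectiveGroups(array $groups): array {
    $seen = [];
    foreach ($groups as $g) {
        while ($g !== null && !isset($seen[$g])) { // isset() also stops cycles
            $seen[$g] = true;
            $g = GROUP_PARENT[$g] ?? null;
        }
    }
    return array_keys($seen);
}

function can(string $user, string $action, string $uri): bool {
    $u = USERS[$user] ?? ['groups' => [], 'admin' => false];
    if ($u['admin']) { return true; }       // assumption: administrators bypass rules
    $groups = effectiveGroups($u['groups']);
    $matched = 0;
    foreach (CONTEXTS as $ctx => $pattern) {
        if (preg_match($pattern, $uri) !== 1) { continue; }
        $matched++;
        $ok = false;
        foreach (RULES as [$rCtx, $rAct, $kind, $who]) {
            $ok = $ok || ($rCtx === $ctx && $rAct === $action
                && ($kind === 'user' ? $who === $user : in_array($who, $groups, true)));
        }
        if (!$ok) { return false; }         // every overlapping context must grant
    }
    return $matched > 0;                    // no context applies: fail closed
}
foreach ([['bob', 'read', '/blog/post/1'], ['bob', 'read', '/blog/admin/users'],
          ['alice', 'publish', '/blog/admin/queue'], ['alice', 'read', '/forum'],
          ['root', 'read', '/forum']] as [$w, $a, $uri]) {
    printf("%-5s %-7s %-18s %s\n", $w, $a, $uri, can($w, $a, $uri) ? 'allow' : 'deny');
}
```

The script needs PHP 7.1 or later for the array destructuring in `foreach`.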

Security Headers Made Easy

Want to add a Content-Security-Policy header to your Airship just in case an XSS vulnerability is ever discovered?

Want to add an HTTP Public-Key-Pinning header so your Airship is still secure even if a Certificate Authority is compromised (or goes rogue at the behest of a nation-state attacker)?

Don't reach for ssh and (insert text editor of choice here). Just log in as an administrator user and use the web interface.

Airship uses both CSP-Builder and HPKP-Builder to build the relevant security headers based on the configuration you provide. Like many of our projects, these open source libraries were developed as standalone utilities to improve the security of PHP projects throughout the community.

CMS Airship is a New Chapter in PHP Security

Despite its overwhelming popularity, the PHP programming language has historically had a bad reputation in the information security industry. At Paragon Initiative Enterprises, we want to improve the security and usability of the tools and frameworks people already use.

With CMS Airship, we hope to establish the platinum standard for PHP security. The gold standard for PHP security just does everything that is required. The platinum standard does everything that it can.

The gold standard for PHP security in 2016 involves:

  • Using HTTPS everywhere
  • Using the password hashing API
  • Using a CSPRNG any time you need randomness for security
  • Strict use of prepared statements to prevent SQL injection
  • Adherence to context-sensitive output escaping (instead of escaping on input) to prevent cross-site scripting
  • Using a token or nonce to stop cross-site request forgery attacks
  • Not passing untrusted user data to deserialization functions

Paragon Initiative Enterprises takes securing PHP applications to the next level.

In computer security, attacks only get better; they never get worse. Today's platinum standard should be tomorrow's gold standard. Working together, we hope to greatly improve the state of security in PHP applications for everyone's benefit.

Until tomorrow comes, the bar for secure PHP applications has been set. Our work has just begun. Let's make PHP security ubiquitous, on-by-default, and as simple as possible.

About the Author

P.I.E. Staff

Paragon Initiative Enterprises

Paragon Initiative Enterprises is a Florida-based company that provides software consulting, application development, code auditing, and security engineering services. We specialize in PHP Security and applied cryptography.

