PICnet Blog

So I know a lot of you think that Joomla! is incredible because it does everything, but as the saying goes “Computers are only as smart as the users using them”. Joomla does a lot of great things out of the box, but bad administrating can make any Joomla install unsafe.

Brad found this forum posting about the “sad, but true” things that some administrators do. For those of you who do these, I hope this opens your eyes and you learn from them, but for most of you, I know you’re doing the right thing.

The Joomla core developers use a combination of manual auditing and automated auditing. They use Acunetix Web Vulnerability Scanner for the automated auditing which has been donated to the Joomla Project. Acunetix WVS scans the site for SQL injection, cross-site scripting and other vulnerabilities, thereby averting possible hacker attacks.

This tool has been run against the 1.0.x trunk (in preparation for 1.0.12) 3 times in the last two months which gives the Joomla Team valuable reports that allows them to hardens the code. This is a great tool to be using, because we all know about human error.

RobS over at Joomla just posted about the Joomla winning an award for security:

“During what is called the “Deface Realtime Compo” Competition up to 150 Security Specialists, hackers, and crackers bomarded the CMS with attacks for 2 days straight without success. Both Joomla! and PHP-Nuke were evaluated during the competition and both systems received positive evaluations. Along with the positive evaluation, we received a certification from the WebSecure Group, declaring that Joomla! was reliable and recommended for use.”

Read it here.

Google has done it again. The great people at google have tried to make our lives easier with their new invention of Google Code Search. Now I can find bits of code that I otherwise wouldn’t have found. How does it do this? Well google now can traverse into compressed files like .zips and .tar.gz. What does this mean for you? You know how your a good webmaster and make make backups of your websites as websitebackup.tar.gz? Your configuration.php file is one of the files that you just backed up. Guess what. Now everyone on google code search can see your user name and password for your mysql database. How do I fight this? you might as. Simply put your backups below your website directory so it isn’t accessable via the web. Read more about it from the Joomla Developers here and from a Slashdot article here.

Early this morning, the Joomla team released an important security and bug fix upgrade. The new version 1.0.11 fixes the following issues:

1.0.11 contains the following fixes:

• 04 High Level Security Fixes
• 04 Medium Level Security Fixes
• 18 Low Level security Fixes
• 25 General bug fixes

Your friends at PICnet highly recommend you upgrade your Joomla sites immediately. The discussion thread that’s ensued since the launch has been vibrant, with lots of good vibes sent to stingrey who put a ton of work in packaging this release and making it happen.

Woe is the PHP hosting provider that thinks leaving register_globals on is a good thing. At lunch today, the PICnet gang was chatting about security vulnerabilities that were occuring in many Joomla 3rd party components. The problem is that our wonderful Joomla core was taking flack for not being secure, but at the end of the day all the hacks seemed to be occuring because of poor programming and server hosts leaving on the dreaded “register_globals” on their servers.

I mean, this is PHP hosting 101, right?

Unfortunately, one of our great clients had a server that had register_globals turned on, and the hacker took full advantage. Moral of the story, please, please, check to make sure that register_globals is turned off. If your hosting provider has it turned on, turn and run the other way.

Now, to take this to the next step, Johannes Ullrich over at the Internet Storm Center wrote his Tip of the Day on PHP security today. Read more for some excerpts of how you can protect your code.

(more…)