The Joomla! Forum ™



 Post subject: Joomla Security Question
PostPosted: Mon Nov 26, 2007 3:22 pm 
Joomla! Fledgling
Joined: Mon Nov 26, 2007 3:08 pm
Posts: 3
Location: Buenos Aires
Hello Dear Friends,

I provide technical support for various hosting companies. Most of them utilize an application called "Fantastico" which automatically installs Joomla. Fantastico also offers automatic upgrades when there are new upgrades to Joomla. However, the problem seems to be that even though we send notices to clients about the available upgrade for their Joomla, they seem not to upgrade. This results in their site being hacked (they get mad). As well, usually it's hacked by a Nigerian spammer that sends loads of spam emails out trying to find a suitable foreign partner to withdraw millions of dollars under some false pretense.

Now down to my question. Other than suspending the users' accounts until they upgrade, is there anything that I can include in my mod_security that might be able to catch the various hacks in Joomla? Keeping in mind that this is a stopgap measure until the user upgrades their Joomla version?

Thank you for allowing me to post my question in this forum; it has been very helpful to me in the past, and this is my very first post here.

_________________
Sebastian Rametta
http://sebastian-rametta/
"Be nice to nerds, chances are you'll end up working for one."

PostPosted: Thu Nov 29, 2007 9:46 pm 
Joomla! Ace
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 1972
Location: Wisconsin USA
This is not going to answer your question, but there sometimes are reasons a person would be slow to upgrade, especially using Fantastico.

One would be if the person has made programming mods to PHP files in a standard Joomla install.
Another would be if the person installed 3rd party products.
And yet another would be not being able to test compatibility with currently installed 3rd party components etc. Such was/is the case of moving from Joomla 1.0.12 to 1.0.13 with Virtuemart installed. The change in the user password hash broke the Virtuemart store until a patch was applied.

Let's face it, many people know little about Joomla, upgrading, running a local server for testing, the web in general, etc. If someone set up a website using Joomla, installed some 3rd party components, and you sent a message to upgrade to the latest version using Fantastico, they did as instructed and from their point of view the upgrade broke something on their website, who would they be mad at?

I would try to encourage web hosts to set register globals off, safe mode off, etc. and provide a FAQ about how to make the proper adjustments to a Joomla install in lay terms to increase security. How to set up a local test server etc. to help them learn.

_________________
Phil D
Unrequested private messages and/or emails may not get a response.
Please give me a simple question, so that I don't have to think, because if I think, I might find answers that don't fit the question.
http://forum.joomla.org/ Security Moderator

PostPosted: Thu Nov 29, 2007 10:35 pm 
Joomla! Exemplar
Joined: Mon Mar 20, 2006 1:56 am
Posts: 9841
Location: The Girly Side of Joomla in Sussex
One of the major issues with Fantastico is that it installs Joomla by default with 777 perms on its folders.

There USED to be a cPanel thing that would force upgrade all installations of whatever to the latest version.

On my two main hosting sites, I email out notice of the latest version of something and then if I get no response suspend them. That usually makes them listen.

_________________
HU2HY - Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
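
The two replies above point at the same two defaults a host can check for without waiting on the customer: world-writable (777) folders left by the installer, and register_globals still on. The script below is an added example, not from any poster; it audits a tree for world-writable paths and checks a php.ini fragment for register_globals. The directory names, the php.ini content and the temp tree it scans are constructed for the demo, not a real Joomla install.

```shell
#!/bin/sh
# Added audit script (not from the thread). Flags the world-writable paths and
# register_globals=On setting discussed above. The tree it scans is constructed
# in a temp dir with assumed, Joomla-like names; it is not a real install.

# List every world-writable file or directory under $1, sorted, one per line.
find_world_writable() {
    find "$1" -perm -0002 \( -type d -o -type f \) 2>/dev/null | sort
}

# Number of world-writable entries under $1 (the figure to put in the notice).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Exit 0 if the php.ini fragment $1 turns register_globals on, 1 otherwise.
register_globals_on() {
    grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1"
}

# Build the constructed sample: two 777 folders, a 666 config, a php.ini with
# register_globals on. Prints the temp root so callers can clean it up.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/site/images" "$root/site/cache" "$root/site/administrator"
    touch "$root/site/configuration.php"
    chmod 777 "$root/site/images" "$root/site/cache"
    chmod 755 "$root/site/administrator"
    chmod 666 "$root/site/configuration.php"
    printf 'register_globals = On\nsafe_mode = Off\n' > "$root/php.ini"
    echo "$root"
}

# Human-readable report for a site root ($1) and its php.ini ($2).
audit_report() {
    echo "World-writable entries under $1:"
    find_world_writable "$1"
    echo "Count: $(count_world_writable "$1")"
    if register_globals_on "$2"; then
        echo "WARNING: register_globals is On in $2"
    else
        echo "OK: register_globals is Off in $2"
    fi
}

# Stand-alone run against the constructed tree, then clean up.
DEMO_ROOT=$(demo_setup)
audit_report "$DEMO_ROOT/site" "$DEMO_ROOT/php.ini"
rm -rf "$DEMO_ROOT"
```

Point `audit_report` at a customer's real docroot and php.ini to produce the list that goes into the upgrade notice; the constructed tree is only there so the script runs offline.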

PostPosted: Thu Dec 06, 2007 11:38 pm 
Joomla! Fledgling
Joined: Mon Nov 26, 2007 3:08 pm
Posts: 3
Location: Buenos Aires
PhilD wrote:
Let's face it, many people know little about Joomla,

Wow, that quote right there is very powerful, and it really hit home with me. You are 100% correct. People are installing Joomla with a click of a button; they don't need to know anything about Joomla, permissions, paths or programming, all they need to do is click a button. Then, they go in, mod their themes, upload their content and their site is set. I can see how daunting and scary a task it could be to click an upgrade button; in their eyes they could be thinking: "What if I hit upgrade and my site breaks... I don't know a thing about this except clicking this button, I will be at the mercy of my host to fix it!"

Thanks for putting this into perspective Phil.

_________________
Sebastian Rametta
http://sebastian-rametta/
"Be nice to nerds, chances are you'll end up working for one."
