Joomla! Discussion Forums

Thanks for tis great news. Alawys had confidence that joomla was safe but its good to have it confirmed.

NOTE we have been seeing a huge increse in attepted hack on mambo sites hosted on our servers. No effect on te joola one though

Brian

Last night I read the news and wondered if Joomla is affected or not.
I'm relieved now.

Thanks.

Thanks for the news, stingrey.

I'd like to echo this as well, over the last couple weeks we've seen a huge surge in the number of hack attempts on Mambo sites.

Well.. there is an easy solution to that

Sadly as a host we cant determine which software people use

Brian

Hi all,

Would it be possible for important security info like this posting from stingrey be also posted as an article to the front page of the joomla website.  Especially in response to vunerability reports in the press.

Cheers,
bigmudcake.

I'd agree with that request as well, actually.

I don't really agree with the last comments. I know the relation between Mambo and Joomla, but why put up a notice on the frontpage that Joomla is not vulnerable on a Mambo hack? This is important to know, but basically non-information. This should be discussed over here, just like it is done now .

All I can say is go Joomla!. If the Joomla coders are creating better code with security in mind... Broadcast it. This doesn't mean that Joomla will never have a vulnerability issue, but this does state that the team cares about security and creates an atmosphere of caring.

I'm one to promote security. From the server administrative level down to the top level hosting component.

Tonie, This is one time I disagree with you. Good advertisement in business is bar none important. And security in any realm need be put on the forefront. I don't view this as "non-informational", but rather good PR.

It is good to agree to disagree . Joomla is a different product now and shouldn't gloat towards Mambo, there has been enough bad press about the split and this will only rekindle it IMHO.

I see your point. Just realize that as the code changes become more evident, that there will be more to look at and view. In terms of security however, it is an important issue that need looked at in both cases. Either we provide a product superior, or we provide a product inferior at any level. This isn't necessarily a mambo/joomla race, but we need understand that there are some that view it this way. In any case, security is of utmost importance and if Joomla! be superior in terms of security, well, that's alright by me.

Yes. We disagree agreeably which is the real key.

I understand the sentiment and reasoning behind this request (post on frontpage of Joomla about this).
It does make a fair amount of sense.



However, I am also cognizant of the problems that have occurred in the past.
We wish to move past these and focus on the future and Joomla!  All the Joomla! team are still very proud of the time we had developing Mambo - despite what happened.  Unfortunately, no matter how neutrally it may be worded, there will be those who would see such a posting as being some sort of sleight or veilled attack on the current Mambo Development Team.
It is time that we move past this and let Mambo continue on its own destiny and Joomla! as well.

The bottomline is the 2 security vulnerabilities do not affect Joomla! and we wish to only highlight Joomla! issues on our main site.



Anyway, 1.0.8 is very very close now and that will contain important security information and perfromance information regards the work on 1.0.8 and the Joomla! 1.0.x codebase.
In that release article, I will also include a small reference to the two recent vulnerabilities, simply to indicate they do not affect Joomla! and references to my Blogs on the issue.

I believe that the 1.0.8 release will move us the community focus past the current vulnerabilites in the press regards Mambo.

Hi Guys,

I have to agree with STINGREY! Plus, Joomla! has become such a good product, it does not need to put itself into a better light by pointing out the mistakes others have in their products.

I can understand that many would feel some satisfaction in the mishappenings of others and enjoy rubbing it in. But I think it is wrong, because "do not do to others what you don't want to be done to you". Aren't we all better than that? Feel satisfaction if you want to, grin about it, but don't rub it in.

That's just my thoughts to this ...

Well certainly this would be wrong and not the correct thing to do. But again, broadcasting that Joomla is not vulnerable to a
specific issue that another cms is having is not the discussion here. Surely people can understand how close knit the software's are
as of the few last revisions. We are still part of the mambo code and we have the right to mention that the Joomla software is not
vulnerable to what code we sprung forth from. This has nothing at all to do with "rubbing it in".

That's my opinion. No more posts in this thread for me. Just goes too far off track and not looked at as the "bigger picture" both past and present.

Hi all,

I certainly stirred a bit of discussion,  which is not a bad thing 

The point I would like to make is that security should be above any politics or past history.

I dont see any announcement as either blowing our own trumpet in regards to Joomla or painting Joomla in a bad light,  I see it more as a responsible act in keeping the userbase well informed.

Being informed about security issues that may/maynot be related to Joomla is critical to the uptake of using Joomla.  Users want to feel both secure in the version they have and also know that the Joomla team is on the ball when any security issues come to light in the general media.

For instance getting back to Mambo days,  when security issues related to XMLRPC in PHP surfaced nothing concrete or specific was published and I was left wondering if it affected my installations.

I believe we need to think above the Mambo/Joomla issues/politics as security is just too important.

Like it or not,  People like myself still relate any Mambo security issues as potentially affecting Joomla and vice versa,  as would any general PHP issues, or any 3rd party libraries you use.

I just think its important to announce any security issues in a place that most users can find easily (the home page of joomla), if nothing else it shows potential first time users that security is at least acknowledged as part of the software.

Also, bear in mind that most of the users using Joomla are non-technical people/companies who hired technical people who built their sites using Joomla.  So the only security issues they are going to hear about is via the wider press. So anything in the wider press that relates to Joomla, Mambo, CMS's in general, and PHP needs a response by the Joomla team as a press release that those users can see easily.

All (particularly Rey),

Back to what started this thread, I was relieved that the Mambo worm vulnerability wasn't a problem in Joomla.  I was amazed at how quickly and how thoroughly the forum responded to my post that kicked off this tempest a couple of days ago.

There's a lot more than good software going on here.

Thanks,
Ed