Joomla! Discussion Forums

Ah! Time for me to start learning 1.5!

I could be wrong though...I'm waiting for the RC myself before I play...

I'm not sure the FTP layer extends into the reading of files. It may only work on the writeing of files...
But it should be easy to add that to the reads as well...

JFTP was only built to write files to the filesystem, not read them.  It was done that way for speed, HTTP reads are much quicker than FTP reads.

I was wrong, I double checked and it can read... I thought I remember being told different... oh well

Thanks Rob, I wasn't sure if you were simply telling PHP to operate under the FTP account or was using another app to write that used it.
I suppose a chgrp of the www group and chmod of 640 would get the same result though do you think?

Actually, I was talking about the FTP library in Joomla! 1.5.  It is called JFTP.  And, actually, I was wrong.  I just checked and Joomla!'s FTP system is capable of reading via FTP as well.

Ok to clarify....Just cause I am very curious about this...

It can read via FTP the protocall or use the account to read via http?

I hope it's the latter it would really allow us to lock down the security in a major way...

Revision 1.3: Added the following item with a link to a new Security FAQ.

Revision 1.4: Updated the SSL section and added a link to a great forum discussion.

• 8.2: Use an SSL server for confidential transactions. Read this enlightening discussion on the need for SSL any time security is important. (Note that Joomla! version 1.0.11 does not allow you to assign an SSL server to individual sub-directories. Can someone tell me if 1.0.12 changes this?) [FAQ]
  

Revision 1.5: Added a few more links to Joomla! 1.5 info.

• 2.1. Decide if Joomla! is right for you. Developers of very large projects may want to read this discussion. NEW!
  
  
• 2.2: If you're a developer, prepare for the approaching release of Joomla! 1.5, the most significant upgrade in Joomla!'s history. NEW!
  
  • Monitor 1.5 development status.
  • Start playing with the beta version.
  • Learn about Model, View, Control (MVC).
  • Develop a conversion plan for extensions you've written.
  • Develop a conversion plan for your existing sites.

Minor addition...

• 9.14: Learn all you can about security software: Sadly, there's no one tool that you can install to protect your site. If there were, it would be so heavily targeted that it would probably become a liability. Related topic.  NEW!
  

As a newbie to the security checklist I have worked my way through all steps until 5.11 (Configure Apache mod_security and mod_rewrite filters to block PHP attacks) now. About this one I have no clue what to do. Does somebody know a forumthread/FAQ where its discussed? Any help and hints are very appreciated.

Thank you very much!
Tilman

Hi Rliskey,
I came here searching where to post 'Thanks' to you.

"Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php
      `ON` by default for compatibility reasons"


I got a security alert with your article
I am dumb in the web tech matters.
I am not into software, I am a medical health care professional.

Since the web designer was not available I was tinkering thru the insides myself.
I did not understand much of what you had to convey,
but I was eager 

[GLOBAL MOD EDIT: Signatures belong in the signature section of your "Profile" - ChiefGoFor]
[GLOBAL MOD EDIT: Self Promotion Text removed - ChiefGoFor]

Hi rliskey,

You have provided a comprehensive thorough 11 point tutorial.

I feel a bit embarrassed, because I am like the second grade level student in web matters.
However, web matters.
My queries may be too elementary.
I am skipping them.
We will meet again as I grow.


In case you have not already received, here again I express
SPECIAL Thanks to you and all those working for Joomla

I appreciate your professionalism.

[GLOBAL MOD EDIT: Signatures belong in the signature section of your "Profile" - ChiefGoFor]
[GLOBAL MOD EDIT: Self Promotion Text removed - ChiefGoFor]

Hi, I am new to php and Joomla, but have recently installed the last version of the system. Looks very nice and fairly easy to handle. In the security section I am advised to change the setting in the file globals.php in order to improve security.

I would like to ask developers to make the requested change for next version of Joomla since it is not very easy for a newbie like myself to understand how to make the changes necessary.

In the checklist it says:

Here's the correct setting for turning Joomla!'s Register Globals Emulation OFF in the file globals.php:
Quote
define( 'RG_EMULATION', 0 );

How am I supposed to know where to put this line in the file? I just wonder since I myself I have absolutely no clue. :-)

The original section about emulation in the globals.php file looks like this:
if (RG_EMULATION == 0) {
// force register_globals = off
unregisterGlobals();
} else if (ini_get('register_globals') == 0) {
// php.ini has register_globals = off and emulate = on
registerGlobals();
} else {
// php.ini has register_globals = on and emulate = on
// just check for spoofing
checkInputArray( $_FILES );
checkInputArray( $_ENV );
checkInputArray( $_GET );
checkInputArray( $_POST );
checkInputArray( $_COOKIE );
checkInputArray( $_SERVER );

if (isset( $_SESSION )) {
checkInputArray( $_SESSION );
}
}


Where should I include the line define( 'RG_EMULATION', 0 );?
Should this new line replace all of the above, part of it, or just be included whereever?

Cheers,
Lars

Look at the top of the file

Thanks for the quick reply! :-)

Could someone please elaborate on item 5.16:



What exactly does this mean, and how to do it?  I understand how to move  the cache out of the Web root, but the 'images' directory? 

Thanks.
Stephen.

can u tell me where i can write commands to change register globals to off. as u can see i really dont know what to do but i am determined to install joomla, 2 days on it without results. thanks maggie 

You're right, given the current Joomla! design, it would be hard to move the Joomla! "images" directory outside of web_root. What you did with the cache directory is exactly what I meant. Some extensions that provide file upload functions will provide a setting for moving their "image" directories outside of web_root. I was referring to this.

The security FAQs are getting moved to the documentation site. In the meantime, the following link might help.
http://www.ronliskey.com/index.php?opti ... &Itemid=66

Revision 2.0: The Joomla! Administrator's Security Checklist has become a FAQ, in the official Joomla! Help Site.

This new location allows us to expand the information to support more experience levels and server configurations.

Looks good but how do you get to it from the menus

I tried looking in Secure Site Administration



EDIT doh sillyme it was in the first security section

Yep, I think I need to reorganize the FAQ categories a little. Maybe more along the lines of the way the checklist is categorized. What do you think?

Added the following note under the Installation Section:

Before upgrading to Joomla! 1.0.13, read this forum thread discussing incompatible extensions.

This version of Joomla! includes more powerful password encryption functions that break backward compatibility with important extensions that rely on the earlier password format. This includes CommunityBuilder, VirtueMart, and many of the bridges.

I agree with you on your suggestion and would welcome even a brief summery on each of those topics mentioned. Thank you

Hi sorry if this is off the topic a little, but I have installed Joomla! onto my godaddy deluxe shared hosting plan and as I didn't install manually since godaddy has an automatic one set up now for users, I couldn't configure the settings appropriately. I have read a post from someone explaining how to manually install joomla and that was great, but it refers to a pre-installation check with configurations that are needed to run joomla yet I have no access to the config. page, or rather, I don't understand how to access it to set these configs. When I log into my joomla admin page I get a message in red

      (Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php
      `ON` by default for compatibility reasons)

So I'm assuming I need to change that somehow, but when I contacted godaddy and asked where these settings could be found they said I couldn't get to them. -frustrated sigh-
He did tell me that what I had to do was set up a php .ins file to utilize as a means to access changes. I have no idea what that is or how to do it, and he couldn't really tell me either. Can anyone offer me some help on this. I'm so new to all of this, but I learn quick. Thank you.

In 1.0.13 this is now just a checkbox on the server tab of the Joomla! configuration option.

I'm sorry, I don't understand, but I think you mean I can change the config inside the joomla admin area? Good, because I was really stressing out about that. I'm so new to all of this.-chuckle- I'm glad I asked instead of just trying to  struggle through it like I have always done with most things. Thanks, at least I have some direction now in which to go on.....

In the back end of Joomla choose the "Global Configuration" option on the control panel. Then choose the "Server" tab and the Register Globals (RG = Register Globals) option is at the bottom of the page.