Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

[eyashwant]

Ok...so if its is moving forward also the version problem persists right.Thats the only problem!!!

[deleted user]

Is it really moving forward? Great ideas for it, back in July '08.

Has anyone checked out this Joomla security scanner script on Sourceforge?
http://forum.joomla.org/viewtopic.php?f ... 12&start=0

On a quick search, I don't see anything coming up on the developer, the "Elite/Ethical Hacker Group" based in Myanmar

[vdrover]

I heard on the grapevine that there was some activity forthcoming, but that was a while back. Seems quite slow these days.

http://joomlacode.org/gf/project/jts/news/

[kenmcd]

.

I heard on the grapevine that there was some activity forthcoming, but that was a while back. Seems quite slow these days.

http://joomlacode.org/gf/project/jts/news/

Hi Vic,

I see you are now on the JED Team. (congrats)
Perhaps you could ask the "team" why this extension is still an Editor's Choice.
It is completely out of date for Joomla 1.5.x and does not work at all for a current J1.5 versions.
Last update was over 9-10 months ago.

Certainly when JED goes J1.5-only this should not be an Editor's Choice.
And probably should not be now.

Regards,

KM

[vdrover]

Thanks Ken.

I'm still pretty green 'round these parts but i'll enquire and see what happens.

[RussW]

Joomla! Tools Suite v2.0.0-BETA is available for testing and comment.

Apart from the traditional JTS Tests, v2.0.0 now also attempts to write and read a directory to prove permissions capabilities, new tests covering four categories/section, as seen in the screen shot below.
[hint] Place your mouse over "What's being tested?" to learn more about JTS tests...

Download: http://joomlacode.org/gf/project/jts/fr ... ge_id=3278

Installation: upload the complete "JTS2" directory in to the directory you have Joomla! Installed
Example:
Site is at: http://www.domain.com.au/cms/ , then upload the "JTS2/" directory to "cms/"
thus JTS2 would be found in "cms/JTS2/" or at http://www.domain.com.au/cms/JTS2/

J! Version Support: 1.0.1x & 1.5.x

SnapShot:

jts2_beta_release.gif

[kenmcd]

.
Great - will test.

It may be a good idea to split this new v2.0 discussion and move it to the Joomla 1.5 forums.

[deleted user]

Excellent!

[vdrover]

wow, i was starting to lose hope. Great job.

[perko]

Great txn!

I have this error at the top of the page showin:


Notice: Use of undefined constant _JTS_SHOTNAME - assumed '_JTS_SHOTNAME' in /home/mypage/public_html/JTS2/jtscore/language/english.php on line 188

what should I do

cheers

[RussW]

Thanks for the update, It's a typo nothing to worry about, fixed in the next release.

[Aejaz]

I'm having a lot of notices

Notice: Undefined variable: _JINSTALL_ERR_MSG in /home/ingeekst/public_html/JTS2/jtscore/structure/message_centre.php on line 32
Notice: Undefined variable: _JINSTALL_ERR_MSG in /home/ingeekst/public_html/JTS2/jtscore/structure/message_centre.php on line 36
Notice: Undefined variable: _JINSTALL_ERR_MSG in /home/ingeekst/public_html/JTS2/jtscore/structure/message_centre.php on line 40
Notice: Undefined variable: _JVERSION_ERR_MIN in /home/ingeekst/public_html/JTS2/jtscore/structure/message_centre.php on line 50
Notice: Undefined variable: _JINSTALL_ERR_DB in /home/ingeekst/public_html/JTS2/cases/basic_assurance.php on line 968
Notice: Undefined variable: _JCONFIG_ERR_EMPTY in /home/ingeekst/public_html/JTS2/cases/basic_assurance.php on line 972
Notice: Undefined variable: _JCFG_PROB in /home/ingeekst/public_html/JTS2/cases/basic_assurance.php on line 978

so many i cannot read all the "what's being tested" result.

what can i do ?

[RussW]

Edit the JTS2/index.php and either comment out or remove the following (at the top of the file)

error_reporting( E_ALL );

See if that makes a difference.

[Aejaz]

Thanks RussW, I commented the line with // and it removes all the notices.

What are these notices ? Does it means it doesn't perform all the checks ?

[RussW]

it is purely for reporting ALL PHP messages, including simple notices. It is used primarily during testing and development so any output from PHP can be observed and problems resolved that might not actually stop the script from running.

Even with these messages, JTS2 continues to run all tests, as expected.

[Aejaz]

you did a great job my friend

[deleted user]

Works fine for me, but I am not a fan of the forced creation of the JTS2_RW_check folder. I'd prefer at least to name it something more non-descript.

Under "server security," what is "disabled_functions in use" checking for? Just whether any functions are disabled with disable_functions, or specific ones?

The info link on mySQL should not point to http://www.mysql.net/ -- it should be mysql.COM

[Aejaz]

Secuirty should be corrected

[deleted user]

I am getting a red light on "allow_url_fopen disabled" (server security section) even though it is off (master and local settings).

This is on Media Temple's (gs) where allow_url_fopen is disabled by default.

Maybe something about the virtualized hosting or CGIed PHP blows the test?

[deleted user]

I am getting a red light on "allow_url_fopen disabled" (server security section) even though it is off (master and local settings).

This is on Media Temple's (gs) where allow_url_fopen is disabled by default.

Maybe something about the virtualized hosting or CGIed PHP blows the test?

[guysmiley]

Russ, I loved JTS when it was first brought out and I'm sure it helped tonnes of users. Great contribution! Not to mention your countless hours of support...

Issue 1:
I too am getting a red flag on allow_url_fopen disabled. I thought this was supposed to be disabled for security purposes, no?

Issue 2:
Notice: Use of undefined constant _JTS_SHOTNAME - assumed '_JTS_SHOTNAME' in /home/techtalk/public_html/jts/jtscore/language/english.php on line 188

Issue 3:
(Not really JTS but I was hoping JTS would help me troubleshoot it) My front end users cannot log out. JTS shows that 'PHP session writable' is greyed-out (I presume means not configured correctly). Is this the like culprit?

Thanks as always - and a great addition to the JCommunity.

[RussW]

Hey guys

I will look at the issues raised in the next week or so, thanks for testing and checking stuff for me.

The UNDEFINED VARIABLE is a typo, my bad, will be fixed in the next release.

As for the logout problem, yup it is very possible if the session directory is misconfigured that you could have issues like this, mainly with the admin site, but end users may also observe oddities too.

[Jocke72]

Great stuff!

But...

It claims that default Admin is available (even if it's blocked and just set to registered).
If I totally remove the user Admin then JTS2 no longer works. It just posts the graphical head and then terminates without any error message.

Running the latest version of JTS2 at the time of this post.
Joomla 1.5.9


Thanks!


/J

[RussW]

@Jocke72

Thanks for using JTS2, your crash issue with no UID62 user, is fixed in the next release.

JTS2 is actually reporting as designed if the admin user is simply blocked but still named "admin".

If the user account UID62, is still named "admin" regardless of being blocked, it is still available and as such is reported correctly, as still being present. JTS2 is checking that the "username" is not the default of "admin" or is physically not there not there.

cheers

[RussW]

JTS2.0.0-BETA2 is now available on JoomlaCode ( http://joomlacode.org/gf/project/jts/fr ... se_id=9694 )

1. Now includes JTS-post
- certain errors reported in the Assurance Tests now provide an option to send error directly to JTS-post output
2. User Interface updated
3. Hopefully fixed all the typo's
4. Fixed allow_url_fopen mis-configured
5. Now Displays any disbaled PHP functions, for reference
6. Fixed MySQL site link
7. Added "Help" & "About JTS"
8. Added "3rd Party Support" logo option ( see help and read "jtscore/c3ps/c3ps.php" )
9. Added "Dual Version Found" reporting poor J1.x to J1.5 upgrade process, upgrade in same directory)

JTS2.0.0-BETA2.gif

[Aejaz]

great! you rock

[Jocke72]

Great!

But I found a potential bug: (or it's just me)

JTS2
Joomla! Enironment
- PHP Magic Quotes On

Is grey.

JTS2/index.php?option=4
- PHP Environment Discovery
- magic_quotes_gpc

Disabled and it's in red...

It's supposed to be disabled isn't it? To me, it then should be grey or green.

In Joomla Admin, if I check: Relevant PHP Settings
Magic Quotes: Off

This is what my php.ini file looks like:
register_globals=off
allow_url_fopen=off
display_errors=off
magic_quotes_gpc=off
magic_quotes_runtime=Off
magic_quotes_sybase=Off


JTS2
System Security
- open_basedir present

The link points to:
http://www.php.net/manual/en/features.s ... en-basedir

Seems incorrect?


A note regarding the fancy scrolling "What's beeing tested?":

I would like it to open and close on click, instead of MouseOver. But that may be just me.


Keep up the great work!


/J

[glwright]

Just tried JTS2. Looks like a great tool but a lot of this security stuff is new to me. It shows red or gray on several items and I click the link but it just takes me to the docs instead of giving any recommendation or more importantly why it should be something different. Something like on or off is fairly obvious but why is not always obvious. I would like to see a definite recommendation of what needs to be changed and a solid reason for why plus any potential side effects. Also, in some cases its not even obvious what to change or how to change it.

[RussW]

Albeit slow progress, JTS2 is being updated and more information, assistance and functionality will be added over time. Currently, JTS2 messages point to area's that need research or review and merely provides links to relevant self-study information.

[deleted user]

glwright,

It is probably not possible or desirable to try to make a diagnostic system where the code is expected to assess each user's unique server arrangement and make decisions for them that the users do not understand.

In teaching myself these things, I eventually consolidated the stuff I learned from some books, this forum, the Joomla docs, and other sources--it's all here:

http://www.newlocalmedia.com/learn/17-d ... b-cow.html

Revision suggestions always welcome.