Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

[goAWAYdaddy]

thanks... I'll definitely be keeping a copy of this ready

[webcentred]

I am getting this error with JTS and HISA won't work as a result (J!1.0.12  + JTS_v1.0-2RC1)

Parse error: syntax error, unexpected $end in /home/hostedaccount/public_html/mysite/joomlatools/joomla_hisa.php on line 953

and in Joomla diagnostics (still works though)

  Notice: Undefined offset: 1 in /home/hostedaccount/public_html/mysite/joomlatools/joomla_diagnostics.php on line 198

  ';
//  print_r($orig);
//  echo '';
  ?>
 

Notice: Undefined offset: 1 in /home/hostedaccount/public_html/mysite/joomlatools/joomla_diagnostics.php on line 198


Has anyone encountered these errors? Are they related somehow?

[RussW]

What version of PHP are you running?
Wha is the OS you are running these tools on?
Do any other parts of JTS fail in this manner or similar?

Do any of the previous versions of JTS work? or do they exhibit the same error elsewhere?

[webcentred]

What version of PHP are you running?
Wha is the OS you are running these tools on?
Do any other parts of JTS fail in this manner or similar?

Do any of the previous versions of JTS work? or do they exhibit the same error elsewhere?

PHP Version: 4.4.4

Web Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2 mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b

Local: Windows XP Firefox 2.x

Some false positives exist (diagnostics) - particularly the JCE mediamanager & administrator templates (index.php index2.php index3.php)

Can't get anything out of HISA - the mainpart of the page won't load.

Unsure if it is related or is working as intended with the database tool but the db optimisation test confirms the integrity of tables, and makes a suggestion whether the database should be optimised, but it doesn't actually suggest how or offer to do so. Show hide works
and I can optimise/repair by phpMyAdmin so this is functional enough I guess.

Cannot find an earlier version of JTS - > have joomla_hisa_en_v1.0-0F_090307 but this also fails with the line 953 error.

Each of these issues are identical across several installations (and at least two redownloads from joomlacode), so it is probably not an FTP issue.

Thanks for your help, and for what seems to be an invaluable tool!

[kernelphr34k]

Just wanted to say THANK YOU!!

This tool is AWESOME! Been having weird issues with my install since a backup and reinstall and so far this tool has SOLVED those issues. The feature that compares the files and shows what files is missing is PERFECT! darn ftp software was a PITA and didn't upload everything, but with this tool it solved my issues!

thanks to those who developed it, and maintain it!

[RussW]

@webcentred

To be honest, I haven't seen anything like what you have described with either JTS or HISA and have been unable to re-create your issues.

Only thing I can think of is that your host has some PHP functions disabled and/or safe_mode configured in such a way, as to dis-allow some of the functionality of these tools and the Diagnostic tool.

As for the DataBase Integrity check in JTS, you should see a "Confirm Optimisation" button on the top left hand corner of the page to actually run the optimisation routines.


@kernelphr34k
Thanks for the kind words, glad that the tools have been of use and assisted in resolving your issues. Good luck with your site in future.

[badesemowo]

This is a lovely tool. It tells me everything in a joomlaish nice little interface. I wish i paid more attention to security earlier but now that i am forced to study the subject.... Nice work.

[RussW]

@badesemowo

Thanks for the kind words, feedback is always very much appreciated. The JTS team and I do hope that you continue to find this tools suite useful in the future.

[Tokapi]

Hi RussW,

I used JTS to detect the Expose hole, but it didn't point (_valid_mos line missing) the suspicious files (uploadimg.php and uploadimage.php). Could this be a bug?

[RussW]

@tokapi

Will look into it over the next few days,  I am thinking it should have done, but also JTS is not directly coded for specific exploits.....

Thanks for the feedback.....

[Fletch]

Tried to run "Generate Custom Diagnostic Hash" but I got the folowing errors:

Warning: opendir(/home/xxxxxx/u/xxxxxx/user/htdocs/cgi-bin) [function.opendir]: failed to open dir: Permission denied in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 552

Warning: readdir(): supplied argument is not a valid Directory resource in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 554

Warning: closedir(): supplied argument is not a valid Directory resource in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 571

Any ideas?

[RussW]

Did you follow the instructions and make the custom hash file temporarily writable? Depending on your configuration, you may also need to make your "jts" directory writable temporarily (just whilst you make the hash)

[Fletch]

I've tried that but I still get the same error. I also get the following error further down the page:

Fatal error: Allowed memory size of 20971520 bytes exhausted (tried to allocate 17750456 bytes) in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 428

It then goes on to say "Building new MD5 hashs of the current Joomla! site...." and then lists all the files.

[RussW]

Then you need to increase the amount of memory that PHP is allowed to use to run the script,  try setting ;

  ini_set("memory_limit","32M");

at the top of the index.php file......

[Fletch]

I take it that you meant your index.php file? If that's the case I've tried that and still no luck.

Now get this at the bottom of the page:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 17750456 bytes) in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 428


Errors at the top are still the same.

[RussW]

Try upping it to 64MB.......... 

[Fletch]

Nope... now get:

Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 17750456 bytes) in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 428

[Fletch]

Could it be file permissions 

[RussW]

Try re-FTPing up all the files again, incase you have some other corruption in there from the upload , make sure you have Overwrite on and no more than 2 simulataneous streams

[Fletch]

Tried that... no luck 

I take it the dir/file permissons should be:

Dir's = 755
Files = 644

[RussW]

The directory and the custom hash file need to be "writable" to your webserver during creation, but only 755 (directories) and 644 (Files) after that.

[Fletch]

Yup... done that and still no luck 

Still same errors btw.

[RussW]

absolutely no idea's then, especially as I am assuming that the rest of the Tools work on your server. Correct me if i am wrong.

[Fletch]

You are correct... everything else seems to work OK. I will keep digging and let you know if it gets solved.

Oh yes, even though I've had a few teething problems this looks like a great set of tools so keep up the good work.

BTW I've been meaning to say something about that hat, I'm sure it's needed with all that Oz sunshine, but I'm not sure about that red nose 

[Fletch]

Is there an update for 1.0.13 ?

[RussW]

1.0.13 hash is coming for the released version,  it has been ready with RC1 hash for awhile now....

The red-nose works great for getting free drinks from punters on RedNose Day

[sherif]

sorry folks but I HAD IT
tools are great , congrates RussW and all the team
however , would you please tell me how do that helps in securing 1000's of joomla sites ? its really confusing for me and many others when i read this :

In order for Joomla! to function correctly it needs to be able to access or write to certain files or directories.

If you see "Unwriteable" you need to change the permissions on the file or directory to allow Joomla! to write to it.

then i read again in the same spot :

Mode Security:
RED The Directory is World Writable, this might expose your site to unwanted access or exploits
BLUE No `Execute` or `Read` bit set, file execution may be problematic in this directory
GREEN These permissions are reasonably sane, but may still require review. (Default Unix directory Mode is normally: `0755`)

i don't mean to get so negative here , but although i'm very familiar with joomla and read in this forum 100's of issues and how solve it or work around it , in fact i did my share of helping others and exchanging knowledge about it , but i can't help it anymore , this is getting so complicated that what is clear and safe now , won't be so the same next couple of hours .
i have installed joomla many many times , read all i can found about security , and i didn't try any other CMS till now except for joomla , i love it , i recommend it to all the people i know , but when it comes to file and folder permissions , we get no clear answer , putting in mind that "WE" means people who would love to have a beautifull interactive site with opensource CMS , and don't want to be experts in website security !!
if that is the case for all CMS out there , opensource or paid for , i find it very logical to stick to html simple pages with a few free services like auto responders and forms , etc .
all these details , evergoing modificatios , security alerts and updates , certain kind of  hosting or you'll get problems , components modules mambots , which is safe and which is not etc etc ,
and in the middle of this race , some upgrade comes out tellining us , kiss your website good bye and start from scratch , and currently there are all kind of questions about numerous versions and problems reelated to it , then i look at the 1.5 which i never tried to even read about it , we have to wait to get the perfect release , which will take the focus , and start new questions and new issues to work on .
i know that the answer would be : this is how it takes , if you can't deal with it , you better find something else you can understand , and my answer for that would be : ok good , but i hope someday you reach to launch a FINAL STABLE RELEASE , which will need a FEW steps to make and a FEW updates to apply , then delete those old versions with its addons forever .
cheers

[RussW]

@sherif
Can you please describe your problem in more detail, I am not sure I actually understand your issue with JTS/HISA.

The fact that different servers, Apache and PHP can have many many different configuration and setups makes it impossible to cover all events that might occur. Using the words "Writable" and "UnWritable" are better than using specific permissions settings (777 or 755 for example) because the permissions required will be different on some server configurations, also depending on whether an SuExec facility is installed.

Please refer to the following FAQ's for more information:

  - http://help.joomla.org/component/option ... temid,268/
  - http://help.joomla.org/component/option ... temid,268/
  - http://www.joomlatutorials.com/faq/view ... ec/60.html

[sherif]

@sherif
Can you please describe your problem in more detail, I am not sure I actually understand your issue with JTS/HISA.

Dear RussW
i'm very proud and thankful to tell you that i installed JTS/HISA in a few seconds , it works like charm , i didn't have any kind of problem with it ...... and my problem in more details , is the result pages i got . this great tool told me in a few words that i have many folder permissions set to writable which is good enough for  joomla to work fine , and in the same time , the same page tells me that this might expose my site to unwanted access or exploits ..... so what should i do ? let it as it is and expose my site to the mentioned issues , or make it unwritable and stop joomla from running ?

simple Question , do you have a simple answer for that ?
that would really amaze me !!
thanks for the links and for your quick reply

[RussW]

sheirf

As you suspect, I am very unlikely to have a "quick" or "short" answer for you, unfortunately the different methods of server configuration just do not allow for this.

As best I can;

  If JTS/HISA shows you "Green / Writable" - this is good for Joomla! functionality, however,

    In General This can also mean one of two things:
    I say "In General" because I have come across other server configurations that make extensive use of what is called
    "Sticky Bits" or non-standard UMask's (Unix'y Administration type stuff) and the use of this functionality changes the
    characteristics of what we commonly understand of permissions.

    * Directory Permissions are set at or below 755 and the server is likely to have some form of SuExec facility
      - This is good for both Joomla! functionality and Security
      - Shared Server Security is still of concern
      - File-Ownership issues are less likely to be observed

    * Directory Permissions are set to 777 or 707 and there is probably no SuExec facility installed
      - This can lead to server/site exposure due to elevated permissions
      - Exposure is increased on shared servers
      - Exposure is increased vastly if Joomla! RG_EMULATION is ON
      - Exposure is increased vastly if PHP register_globals is ON
        > Vulnerable Extensions are a major exposure
        > XSS vulnerabilities are exposed more
      - File-Ownership issues are more likely to be observed

If JTS/HISA shows you "Red / UnWritable" - this is good for Security. However, some Joomla! (and any other Web-Based Application or Framework for that matter) functionality may be reduced, such as file uploads through the WebUI, Search Facilities, dynamically updated configurations etc.

So, as you can see, Security and Functionality is always a trade-off or balance between requirements and needs, the Tools Suite tries to balance that fine line but in this particular area of the Tool, it is not possible to make a "set" recommendation, all we can do is provide you with the information to assess the situation yourself. Bare in mind that not all directories within the Joomla! framework need to be "writable" at all times. If you are hosting on a server without SuExec and to allow the Web-Server to write to directories requires 777/707, then you could manually set the permissions as and when you need to.

For example;

A) It is not everyday that you install components, modules, mambots or templates
B) If you have no need to upload images on a regular basis through the WebUI

    - You can lock down those directories for normal operations and only elevate the permissions
      when required reseting them back after success installation.
    - FTP required images in to the " images/stories/ " direcotry instead of WebUI upload.


So at the end of the day, there really isn't a "short" answer, but is there a possible good answer? For sure.....

Ensure that you host with a reputable provider, who is security conscious but not to the extreme, running PHP5 as a CGI (not an Apache Module) and has a (php)SuExec facility installed.

I do hope this post and the FAQ's help make things a little clearer for you, this is, and will always be a "contentious" topic and unfortunately will not be solved in the short-term.