Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu May 17, 2007 3:49 pm
- Contact:
mmmm power
thanks... I'll definitely be keeping a copy of this ready
- webcentred
- Joomla! Enthusiast
- Posts: 182
- Joined: Fri Nov 04, 2005 2:48 pm
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
I am getting this error with JTS and HISA won't work as a result (J!1.0.12 + JTS_v1.0-2RC1)
Parse error: syntax error, unexpected $end in /home/hostedaccount/public_html/mysite/joomlatools/joomla_hisa.php on line 953
and in Joomla diagnostics (still works though)
Notice: Undefined offset: 1 in /home/hostedaccount/public_html/mysite/joomlatools/joomla_diagnostics.php on line 198
Notice: Undefined offset: 1 in /home/hostedaccount/public_html/mysite/joomlatools/joomla_diagnostics.php on line 198
';
// print_r($orig);
// echo '';
?>
Has anyone encountered these errors? Are they related somehow?
Last edited by webcentred on Sun Jul 01, 2007 5:30 am, edited 1 time in total.
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
What version of PHP are you running?
What is the OS you are running these tools on?
Do any other parts of JTS fail in this manner or similar?
Do any of the previous versions of JTS work? or do they exhibit the same error elsewhere?
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- webcentred
- Joomla! Enthusiast
- Posts: 182
- Joined: Fri Nov 04, 2005 2:48 pm
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
RussW wrote: What version of PHP are you running?
What is the OS you are running these tools on?
Do any other parts of JTS fail in this manner or similar?
Do any of the previous versions of JTS work? or do they exhibit the same error elsewhere?
PHP Version: 4.4.4
Web Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2 mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
Local: Windows XP Firefox 2.x
Some false positives exist (diagnostics) - particularly the JCE mediamanager & administrator templates (index.php index2.php index3.php)
Can't get anything out of HISA - the main part of the page won't load.
Unsure if it is related or is working as intended with the database tool but the db optimisation test confirms the integrity of tables, and makes a suggestion whether the database should be optimised, but it doesn't actually suggest how or offer to do so. Show hide works
and I can optimise/repair by phpMyAdmin so this is functional enough I guess.
Cannot find an earlier version of JTS - > have joomla_hisa_en_v1.0-0F_090307 but this also fails with the line 953 error.
Each of these issues is identical across several installations (and at least two redownloads from joomlacode), so it is probably not an FTP issue.
Thanks for your help, and for what seems to be an invaluable tool!
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Apr 12, 2007 3:22 am
- Location: Oregon
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Just wanted to say THANK YOU!!
This tool is AWESOME! Been having weird issues with my install since a backup and reinstall and so far this tool has SOLVED those issues. The feature that compares the files and shows what files are missing is PERFECT! darn ftp software was a PITA and didn't upload everything, but with this tool it solved my issues!
thanks to those who developed it, and maintain it!
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
@webcentred
To be honest, I haven't seen anything like what you have described with either JTS or HISA and have been unable to re-create your issues.
Only thing I can think of is that your host has some PHP functions disabled and/or safe_mode configured in such a way as to disallow some of the functionality of these tools and the Diagnostic tool.
As for the DataBase Integrity check in JTS, you should see a "Confirm Optimisation" button on the top left hand corner of the page to actually run the optimisation routines.
@kernelphr34k
Thanks for the kind words, glad that the tools have been of use and assisted in resolving your issues. Good luck with your site in future.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 73
- Joined: Fri Jun 29, 2007 11:43 pm
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
This is a lovely tool. It tells me everything in a joomlaish nice little interface. I wish I paid more attention to security earlier but now that I am forced to study the subject.... Nice work.
Check out Bincom ICT Solutions at http://www.bincom.net
Our portfolio contains numerous joomla projects and resource.
http://www.bincom.net/trainingservices/ ... itynigeria is facilitated by Bincom.
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
@badesemowo
Thanks for the kind words, feedback is always very much appreciated. The JTS team and I do hope that you continue to find this tools suite useful in the future.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Hi RussW,
I used JTS to detect the Expose hole, but it didn't point (_valid_mos line missing) the suspicious files (uploadimg.php and uploadimage.php). Could this be a bug?
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
@tokapi
Will look into it over the next few days, I am thinking it should have done, but also JTS is not directly coded for specific exploits.....
Thanks for the feedback.....
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Tried to run "Generate Custom Diagnostic Hash" but I got the following errors:
Warning: opendir(/home/xxxxxx/u/xxxxxx/user/htdocs/cgi-bin) [function.opendir]: failed to open dir: Permission denied in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 552
Warning: readdir(): supplied argument is not a valid Directory resource in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 554
Warning: closedir(): supplied argument is not a valid Directory resource in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 571
Any ideas?
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Did you follow the instructions and make the custom hash file temporarily writable? Depending on your configuration, you may also need to make your "jts" directory writable temporarily (just whilst you make the hash)
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
I've tried that but I still get the same error. I also get the following error further down the page:
Fatal error: Allowed memory size of 20971520 bytes exhausted (tried to allocate 17750456 bytes) in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 428
It then goes on to say "Building new MD5 hashs of the current Joomla! site...." and then lists all the files.
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Then you need to increase the amount of memory that PHP is allowed to use to run the script, try setting;
ini_set("memory_limit","32M");
at the top of the index.php file......
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
I take it that you meant your index.php file? If that's the case I've tried that and still no luck.
Now get this at the bottom of the page:
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 17750456 bytes) in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 428
Errors at the top are still the same.
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Try upping it to 64MB..........
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Nope... now get:
Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 17750456 bytes) in /home/xxxxxx/u/xxxxxx/user/htdocs/jts/joomla_diagnostics.php on line 428
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Could it be file permissions
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Try re-FTPing up all the files again, in case you have some other corruption in there from the upload, make sure you have Overwrite on and no more than 2 simultaneous streams
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Tried that... no luck
I take it the dir/file permissions should be:
Dir's = 755
Files = 644
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
The directory and the custom hash file need to be "writable" to your webserver during creation, but only 755 (directories) and 644 (Files) after that.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Yup... done that and still no luck
Still same errors btw.
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Absolutely no ideas then, especially as I am assuming that the rest of the Tools work on your server. Correct me if I am wrong.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
You are correct... everything else seems to work OK. I will keep digging and let you know if it gets solved.
Oh yes, even though I've had a few teething problems this looks like a great set of tools so keep up the good work.
BTW I've been meaning to say something about that hat, I'm sure it's needed with all that Oz sunshine, but I'm not sure about that red nose
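The two failures reported in this exchange (a directory the scan cannot open, then memory exhaustion while hashes are built) are the cases any hash-manifest builder has to handle, and the manifest is what makes the "compare the files and show what is missing" feature praised earlier possible. The following is an added example in Python, not JTS code and not a diagnosis of JTS itself; it uses SHA-256 where the tool reports MD5, and every function name and the constructed sample tree are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; memory use stays constant whatever the file size


def hash_file(path, algo="sha256"):
    """Hash a file in fixed-size chunks instead of loading it whole."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, algo="sha256"):
    """Return ({relative_path: digest}, [paths that could not be read])."""
    manifest, skipped = {}, []

    def on_error(err):
        # os.walk reports an unreadable directory here; record it and carry
        # on instead of operating on an invalid directory handle.
        skipped.append(os.path.relpath(err.filename, root))

    for parent, _dirs, files in os.walk(root, onerror=on_error):
        for name in sorted(files):
            path = os.path.join(parent, name)
            if os.path.islink(path):
                continue  # do not hash targets outside the tree
            rel = os.path.relpath(path, root)
            try:
                manifest[rel] = hash_file(path, algo)
            except OSError:
                skipped.append(rel)
    return manifest, sorted(skipped)


def compare(baseline, current):
    """Diff two manifests into missing, added and changed files."""
    return {
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed site, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Constructed sample content, not real Joomla! files.
        write("index.php", b"<?php // original\n")
        write("includes/joomla.php", b"<?php // core\n")
        write("media/big.bin", b"\0" * (3 * CHUNK + 17))
        cgi = os.path.join(root, "cgi-bin")
        os.mkdir(cgi)
        os.chmod(cgi, 0o000)  # unreadable unless the scan runs as root

        baseline, skipped = build_manifest(root)

        write("index.php", b"<?php // modified\n")
        os.remove(os.path.join(root, "includes/joomla.php"))
        write("images/dropped.php", b"<?php // new\n")
        current, _ = build_manifest(root)

        os.chmod(cgi, 0o755)  # let the temporary directory be cleaned up
        return baseline, skipped, compare(baseline, current)


if __name__ == "__main__":
    _baseline, unreadable, diff = demo()
    print("unreadable:", unreadable)
    print(diff)
```

Paths listed as unreadable are not covered by the manifest, so they need a separate check rather than being treated as clean.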
-
- Joomla! Intern
- Posts: 90
- Joined: Tue Nov 01, 2005 11:25 am
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
Is there an update for 1.0.13 ?
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
1.0.13 hash is coming for the released version, it has been ready with RC1 hash for awhile now....
The red-nose works great for getting free drinks from punters on RedNose Day
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- sherif
- Joomla! Ace
- Posts: 1560
- Joined: Fri Jan 12, 2007 12:15 am
- Location: Dikirnis , Egypt :: دكرنس ، مصر
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
sorry folks but I HAD IT
tools are great, congrats RussW and all the team
however, would you please tell me how does that help in securing 1000's of joomla sites? it's really confusing for me and many others when i read this:
In order for Joomla! to function correctly it needs to be able to access or write to certain files or directories.
If you see "Unwriteable" you need to change the permissions on the file or directory to allow Joomla! to write to it.
then i read again in the same spot:
Mode Security:
RED The Directory is World Writable, this might expose your site to unwanted access or exploits
BLUE No `Execute` or `Read` bit set, file execution may be problematic in this directory
GREEN These permissions are reasonably sane, but may still require review. (Default Unix directory Mode is normally: `0755`)
i don't mean to get so negative here, but although i'm very familiar with joomla and read in this forum 100's of issues and how to solve it or work around it, in fact i did my share of helping others and exchanging knowledge about it, but i can't help it anymore, this is getting so complicated that what is clear and safe now, won't be so the same next couple of hours.
i have installed joomla many many times, read all i can find about security, and i didn't try any other CMS till now except for joomla, i love it, i recommend it to all the people i know, but when it comes to file and folder permissions, we get no clear answer, putting in mind that "WE" means people who would love to have a beautiful interactive site with opensource CMS, and don't want to be experts in website security!!
if that is the case for all CMS out there, opensource or paid for, i find it very logical to stick to html simple pages with a few free services like auto responders and forms, etc.
all these details, evergoing modifications, security alerts and updates, certain kind of hosting or you'll get problems, components modules mambots, which is safe and which is not etc etc,
and in the middle of this race, some upgrade comes out telling us, kiss your website good bye and start from scratch, and currently there are all kind of questions about numerous versions and problems related to it, then i look at the 1.5 which i never tried to even read about it, we have to wait to get the perfect release, which will take the focus, and start new questions and new issues to work on.
i know that the answer would be: this is how it takes, if you can't deal with it, you better find something else you can understand, and my answer for that would be: ok good, but i hope someday you reach to launch a FINAL STABLE RELEASE, which will need a FEW steps to make and a FEW updates to apply, then delete those old versions with its addons forever.
cheers
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
@sherif
Can you please describe your problem in more detail, I am not sure I actually understand your issue with JTS/HISA.
The fact that different servers, Apache and PHP can have many many different configuration and setups makes it impossible to cover all events that might occur. Using the words "Writable" and "UnWritable" are better than using specific permissions settings (777 or 755 for example) because the permissions required will be different on some server configurations, also depending on whether an SuExec facility is installed.
Please refer to the following FAQ's for more information:
- http://help.joomla.org/component/option ... temid,268/
- http://help.joomla.org/component/option ... temid,268/
- http://www.joomlatutorials.com/faq/view ... ec/60.html
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- sherif
- Joomla! Ace
- Posts: 1560
- Joined: Fri Jan 12, 2007 12:15 am
- Location: Dikirnis , Egypt :: دكرنس ، مصر
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
RussW wrote: @sherif
Can you please describe your problem in more detail, I am not sure I actually understand your issue with JTS/HISA.
Dear RussW
i'm very proud and thankful to tell you that i installed JTS/HISA in a few seconds , it works like charm , i didn't have any kind of problem with it ...... and my problem in more details , is the result pages i got . this great tool told me in a few words that i have many folder permissions set to writable which is good enough for joomla to work fine , and in the same time , the same page tells me that this might expose my site to unwanted access or exploits ..... so what should i do ? let it as it is and expose my site to the mentioned issues , or make it unwritable and stop joomla from running ?
simple Question , do you have a simple answer for that ?
that would really amaze me !!
thanks for the links and for your quick reply
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool
sherif
As you suspect, I am very unlikely to have a "quick" or "short" answer for you, unfortunately the different methods of server configuration just do not allow for this.
As best I can;
If JTS/HISA shows you "Green / Writable" - this is good for Joomla! functionality, however,
In General This can also mean one of two things:
I say "In General" because I have come across other server configurations that make extensive use of what is called
"Sticky Bits" or non-standard UMask's (Unix'y Administration type stuff) and the use of this functionality changes the
characteristics of what we commonly understand of permissions.
* Directory Permissions are set at or below 755 and the server is likely to have some form of SuExec facility
- This is good for both Joomla! functionality and Security
- Shared Server Security is still of concern
- File-Ownership issues are less likely to be observed
* Directory Permissions are set to 777 or 707 and there is probably no SuExec facility installed
- This can lead to server/site exposure due to elevated permissions
- Exposure is increased on shared servers
- Exposure is increased vastly if Joomla! RG_EMULATION is ON
- Exposure is increased vastly if PHP register_globals is ON
> Vulnerable Extensions are a major exposure
> XSS vulnerabilities are exposed more
- File-Ownership issues are more likely to be observed
If JTS/HISA shows you "Red / UnWritable" - this is good for Security. However, some Joomla! (and any other Web-Based Application or Framework for that matter) functionality may be reduced, such as file uploads through the WebUI, Search Facilities, dynamically updated configurations etc.
So, as you can see, Security and Functionality is always a trade-off or balance between requirements and needs, the Tools Suite tries to balance that fine line but in this particular area of the Tool, it is not possible to make a "set" recommendation, all we can do is provide you with the information to assess the situation yourself. Bear in mind that not all directories within the Joomla! framework need to be "writable" at all times. If you are hosting on a server without SuExec and to allow the Web-Server to write to directories requires 777/707, then you could manually set the permissions as and when you need to.
For example;
A) It is not every day that you install components, modules, mambots or templates
B) If you have no need to upload images on a regular basis through the WebUI
- You can lock down those directories for normal operations and only elevate the permissions when required, resetting them back after successful installation.
- FTP required images into the "images/stories/" directory instead of WebUI upload.
So at the end of the day, there really isn't a "short" answer, but is there a possible good answer? For sure.....
Ensure that you host with a reputable provider, who is security conscious but not to the extreme, running PHP5 as a CGI (not an Apache Module) and has a (php)SuExec facility installed.
I do hope this post and the FAQ's help make things a little clearer for you, this is, and will always be a "contentious" topic and unfortunately will not be solved in the short-term.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
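The permission trade-off described in the post above, and the RED/BLUE/GREEN "Mode Security" legend quoted earlier in the thread, can be checked directly against a webroot. The following is an added example in Python, not JTS/HISA code; the function names, the constructed directory tree and the reading of BLUE as "the owner lacks the read or execute bit" are assumptions.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


def classify_mode(mode):
    """Map a directory's permission bits to the legend quoted in the thread.

    Assumption: BLUE means the owner lacks the read or execute (search)
    bit; the legend does not say which permission class it refers to.
    """
    perms = stat.S_IMODE(mode)
    owner_rx = stat.S_IRUSR | stat.S_IXUSR
    if perms & stat.S_IWOTH:
        return "RED"    # world-writable: 777, 707, 1777, ...
    if perms & owner_rx != owner_rx:
        return "BLUE"
    return "GREEN"


def audit_dirs(root):
    """Return {relative_dir: report} for every directory below root."""
    report = {}
    for parent, dirnames, _files in os.walk(root, onerror=lambda err: None):
        for name in dirnames:
            path = os.path.join(parent, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):
                continue  # symlink to a directory: neither follow nor judge
            report[os.path.relpath(path, root)] = {
                "mode": format(stat.S_IMODE(st.st_mode), "04o"),
                "class": classify_mode(st.st_mode),
                # Sticky bit: others can create entries but cannot remove
                # entries they do not own, so the octal mode alone misleads.
                "sticky": bool(st.st_mode & stat.S_ISVTX),
                # "Writable" depends on which account runs the code: under
                # SuExec the owner writes to a 0755 directory without 777.
                "writable_by_me": os.access(path, os.W_OK | os.X_OK),
            }
    return report


@contextmanager
def temporarily_elevated(path, elevated_mode):
    """Raise a directory's mode for one maintenance task, then restore it."""
    original = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, elevated_mode)
    try:
        yield
    finally:
        os.chmod(path, original)  # restored even if the task fails


def demo():
    """Audit a constructed webroot (temp dir) and run one lock-down cycle."""
    layout = {"images/stories": 0o777, "components": 0o755,
              "cache": 0o1777, "locked": 0o355}  # constructed sample modes
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            os.makedirs(os.path.join(root, rel))
        for rel, mode in layout.items():
            os.chmod(os.path.join(root, rel), mode)  # chmod ignores umask
        before = audit_dirs(root)

        # Normal operation: upload directory locked down, opened only
        # for the duration of an install or upload.
        uploads = os.path.join(root, "images/stories")
        os.chmod(uploads, 0o755)
        with temporarily_elevated(uploads, 0o777):
            during = classify_mode(os.lstat(uploads).st_mode)
        after = classify_mode(os.lstat(uploads).st_mode)

        os.chmod(os.path.join(root, "locked"), 0o755)  # allow cleanup
        return {"before": before, "during": during, "after": after}


if __name__ == "__main__":
    result = demo()
    for rel, info in sorted(result["before"].items()):
        print(rel, info)
    print("during install:", result["during"], "afterwards:", result["after"])
```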