Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

[Epsylon]

French translation in progress ...

[RussW]

@Epsylon

Thats fantastic, thank you... as I said to Markku earlier, if you could hold off on the translation, and I will implement proper language file and auto-selection over the coming weeks, which will make it easier to translate than looking through my code, which stil needs the messages spell checked.

But, dont run a away, I will certianly be asking you to complete you offer again, in the very near future.

[Epsylon]

Translation testing in progress ...

Well at the moment I've "only" translated the english file I found in the languages directory of JTS, anyway it works already, so we should share it. AS a moderator in the french forum , this tool will save I don't know how many of my hours !

[Epsylon]

Could you check what's wrong in my file please ? i don't understand why the submenus don't appear anymore :s

I guess there's an issue with the "\" I need to use, but I don't know what to replace instead of it ...

[nyarnon]

Is there beside me be an utter idiot a plausible reason why core diagnostics would flag /COPYRIGHT.php as altered and dangerous where is is every single bit = COPYRIGHT.php as distributed. Anyway it looks like it flags every single file.

[RussW]

  1) Which version of JTS are you using?
  2) Is it the StandAlone or Component Version?
  3) What Version of Joomla! are you running it against?    [edit] Beta1, RC1, RC2, RC3, SVN?
  4) What Platform are you using? (WinTel, Unix, Linux, Mac)

Some useful information to work with would be nice.....!

[edit] Add more specific Version question...

[RussW]

@Epsylon

will try and get to look at your file over the weekend.... I haven't forgotten it.....

[nyarnon]

  1) Which version of JTS are you using?

JTS 1.0.2F ( english )

  2) Is it the StandAlone or Component Version?

Stand Alone

  3) What Version of Joomla! are you running it against?    [edit] Beta1, RC1, RC2, RC3, SVN?

Joomla! :: Diagnostics for Joomla! 1.0.13

4) What Platform are you using? (WinTel, Unix, Linux, Mac)

  - Platform  Windows NT 5.1 build 2600
  - Architecture i586
Server Version Apache/2.2.4 (Win32) PHP/5.2.4
PHP Version 5.2.4

Made a new install of jts same result.

Checked my 1.12 distro pulled the original file (COPYRIGHT.php) and compared against sites;
fdfa824c7d8898fb8d85ef102a5c28fb site1
fdfa824c7d8898fb8d85ef102a5c28fb site2
fdfa824c7d8898fb8d85ef102a5c28fb distro

Then compared agains yours:
c2c9018965a56c2346d80684a21a3482 1.13
64ed8f3b25bebc286192333339a7796e 1.12
64ed8f3b25bebc286192333339a7796e 1.11

I know not many people use md5 checks especially on the window platform, that's
why I would like to mention the following link. MD5 easy as drag and drop:

http://portableapps.com/apps/utilities/ ... m_portable]

Hope this is detailed enough, any other question? I'll be glad to help a hand.

[RussW]

I'll test it, but not had any other reports of this type of problem, so it might not be a fast resolution.

Working on the component this weekend, will try and get to it during the week, if not before....

[edit] Sorry, a little confused here.......

  3) What Version of Joomla! are you running it against?    [edit] Beta1, RC1, RC2, RC3, SVN?

Joomla! :: Diagnostics for Joomla! 1.0.13

But you mention J! 11, 12 & 13 below that, are you having problems with all the distribution MD5's ?

[RussW]

@Epsylon

Have had a look at your French language file, and it is pretty interesting....

Although "grammtically incorrect" making the following changes has solved the issue, and I have packaged your new file in with the latest JTS-sa on JoomlaCode

define( '_VLIS_MESSAGE', 'Audit d\'extensions Joomla! par Russell Winter de JustJoomla!.' );
define( '_VLIS_MESSAGE', 'Audit d`extensions Joomla! par Russell Winter de JustJoomla!.' );

define( '_HISA_MESSAGE', 'Audit de la Sécurité, l\'Installation  et la Santé de Joomla! par Russell Winter de JustJoomla!' );
define( '_HISA_MESSAGE', 'Audit de la Sécurité, l`Installation  et la Santé de Joomla! par Russell Winter de JustJoomla!' );

Which all very strange, as the "  \' " work quite happily everywhere else, except for these two pop-up message definitions only, the JavaScript must not like the apostrophe for some reason, although it is escaped...

However, using a " ` " (back-tick) solves the issue, it is obviously grammatically incorrect, but visually will serve the same purpose, I hope you do not mind.

Thank you again for taking the to perform the translation, I appreciate how difficult and tine consuming such work is.

JTS-sa v1.0-3F with the new French translation can be found here.

[RussW]

Joomla! Tools Component v1.0.0-RC1 has been released to the FRS today....


  + Minor WebUI enhancements
  + Support for J! 1.5.0-RC3 added
  + WebSmurfs Joomla! Diagnostic embedded
      (Support for 1.0.11, 1.0.12, 1.0.13, 1.50-RC2 & 1.5.0-RC3 only. NO Beta, RC1,  Nightly Build or SVN support !)
  * Updated the Help and Contib Tabs


Still a few issues with Menu icons not showing up in 1.5.0 and 1.0.xx, either one or the other, haven't figured out a way around that.

[nyarnon]

But you mention J! 11, 12 & 13 below that, are you having problems with all the distribution MD5's ?

No just checking your sums. To add to your confusion I just drew a new 1.13 full install from the official code.org and gues what?

I come up with 56200b1a375af4ad6cae5455b36cdc6e as md5 checksum.

Now take in account the following.

Obviously f.i. COPYRIGHT.php changes in some distribution.

How will you disciminate between the versions when:

An update from 12 to 13 doesn't contain this file.

You cannot recognise a 13 that is actually an updated 12 and still has the 12
COPYRIGHT.php in it.


You might consider @version $Id: in the file:

But my 1.12 in my 1.13 has.
@version $Id: COPYRIGHT.php 1642 2006-01-04 01:20:09Z rhuk $

and the newly drawn 1.13 has.
@version $Id: COPYRIGHT.php 1644 2006-01-04 01:20:09Z rhuk $

AFAICT there is no reliable way to give a predefined checksum considering the
upgrade from 1.12 to 1.13 doesn't have all changed files and you have no way to
check if it is an upgraded 13 or a new install. This makes this part of the tool
pretty useless for existing sites unless you have it generate the checksums from
the distribution that was used to install that particular site. But then again it
should also provide an option to scan updates and incorporate them in the results.

Yup your right, gonna be a busy weekend figuring this baby out.

[RussW]

Your logic is 100%, oddly enough, I started using the version.php file to different the 1.5.0-RC releases correctly, might have to integrate the same in to the 1.0.x series, i will have to put a whiskey and some time in to that one.

initially the Tool Suite was aimed at new "troublesome" installations, so as you sau, it worked just fine, but doesn't fully take in to account upgrade sites where files haven't changed, the hash values are always based on the Full Distribution from JC. As the Tools Suite has grown, its use has changed somewhat, leading to this inconsistency.

However, as you also mention, the Tools suite does have the "Custom Hash" option, which allows you to checksum the site as it stands now, modifications, extensions, warts and all, which would cover this eventuality for any instance of Joomla! The standard hashes only support specific releases and only fresh installs from JC.

Thanks for taking the time to test a bit further and get back to me, I will look in to how better to manage upgraded sites in the future.

[nyarnon]

However, as you also mention, the Tools suite does have the "Custom Hash" option, which allows you to checksum the site as it stands now, modifications, extensions, warts and all, which would cover this eventuality for any instance of Joomla! The standard hashes only support specific releases and only fresh installs from JC.

I was afraid that you would say that. Consider my case. I came to this little tool by you answering a message where I reported a hacked site and the files involved. Now how useful is this tool if I use the custom hash option on a site that has already been hacked. What I really need, and with a bit of hacker is no real problem to me, is an option to get the hash from a chosen distribution and apply those. I do hope I express myself clear enough, English is not my native tongue.

Anyway you will probably have no choice and be forced to work in that direction considering all those distro's out there, like f.i. the dutch language distro that comes with a complete Joomla, that might in one way or the other differ considerable from the golden standard you are looking for. If you need any assistance let me know.

[RussW]

If you have idea's or thoughts on how to improve or extend JTS, we are always open to suggestions, it sounds as is you have quite some good experience.

[Epsylon]

Hello,

Here is an updated file, cause I couldn't perform any test before : corrected some typo and created the french version of read-me file...


Note : could you include the words Show/hide in the translationfiles, cause it's hidden somewhere in the php files and so I can"t translated it yet ...

EDIT : you can provide my Full name, Miles Charman, in the contributions section

[RussW]

Miles, you are an absolute super-star, thank you so much for taking the time to do this, I am sure that the French and French speaking Joomla! community will be more than happy.

I will update the Package as soon as possible, thank you again for helping to improve the Joomla! Tools Suite.

ps: I will also update your name, at the same time

[securitywonks]

Dear RussW

yesterday I had downloaded and tried Joomla Tools Suite,

checked my installation,

in one error that is reported, I found a misordering in the Reported LABEL name,

Session.save-path, this LABEL is written in wrong order in the error message, please correct it in your next updated release,

all the best with your product,

Cheers

[RussW]

@securitywonks

Thanks for the notification, will add it to the list for the next release....

[securitywonks]

thanks for the acknowledgement, RussW,

cheers

[RussW]

JTS-component RC2 Released

•  
• Added v1.0 Mambot / v1.5 Plugin Audit facility
   
• Some minor WebUI cleanup
   
• Superfluous code cleanup

Available from the JoomlaCode JTS Project site

[jaxstax]

My questions is about windows permissions- I see that while I have permissions warnings coming from the tools- I look in windows and I see I do not have the permissions indicated. In other words- my windows permissions seems to be correct when looking through the servers security properties. I also notice when I try to set permissions using FTP, the windows file system ignores what I have changed- any suggestions?

[RussW]

Windows permissions are not the same as Unix permissions in scheme or methodology......  Depending on how your server if configured is how these will be seen, mostly they will be seen as 777, if the webserver process is run as the files owner account,  which is common for Windows systems.  777 is eqivalent to UserName / Full Control  (or in poorly configured servers, Everyone / Full Control)

[jaxstax]

I am pretty conservative with permissions. Basically start from administrator, system, etc and then apply IUSR only when absolutely needed. I have seen conflicting documentation of what IUSR actually needs to write to- from what I can tell its /images, /media and that is about it...I run three components and its all patched. I got little spooked over xiam's posting in the security forum about being able to create admin accounts at will in base install 1.013...Thanks for answering me by the way- That is one less thing to worry about.

[aussiemike]

Hi
i installed the component today and am very happy with the results.

I have two question (and it may seem like stupid ones to you advanced Joomla users  ).

I get the following message for the following files:

/home/xxxxx/public_html/includes/Cache/Lite.php
/home/xxxxx/public_html/includes/domit/xml_domit_rss_shared.php
/home/xxxxx/public_html/includes/phpmailer/class.phpmailer.php

File does not contain _VALID_MOS OR _JEXEC

Is this a hole in the Joomla security and does it need to be patched?

My second question is; Does this package only check for security holes in the core components. Is there a way to check all the 3rd Party components and modules? (I know that's three questions really)

[RussW]

Hey Mike

The diagnostic only compares hashes against the core Joomla! files, nothing checked against Extensions - Sorry....

The three files you see without "_VALID_MOS" or "_JEXEC" are fine, you can add the lines yourself if you are concerned, but they are expected in these cases.

We have a few more idea's for features to come, so you never know, we might be able to find a way to support some of the third party extensions....

[aussiemike]

Thanks Russ
Much appreciated. I'll just have to be sure to only put the reputable ones on my sites and keep an eye out for security issues. Have been frustrated by MY Joomla sites but that is because of my lack of understanding. One day I will be good!

[Lipton]

After doing the Security Audit and changing Folder Permissions to almost anything (which I thought don´t need 777 anymore) I can´t login into my Admin anymore. Always getting pushed back to YOU NEED TO LOGIN.

I did not remove and write permissions from the Cache Folder, the Session Folder or in the Admin the Session folder. What was too much now changed that I can´t do login into my administration anymore.

PLEASE, I appreciate any tip !!!

Liptopn

[RussW]

The Admin session is controlled in PHP sessions, did you happen to set a local PHP session folder to unwritable ?

[topwebs]

Just installed the script on my development server (WAMP). Haven't explored it all, but just started with the Extensions Audit. Very nice overall. For some reason, certain extensions are listed multiple times:

• RD_Rss is listed 3 times
• Weblinks is listed twice
• Popular Items is listed twice
• JCE Editor Mambot is listed twice

There doesn't seem to be much consistency in whether unpublished extensions are listed or not. It also missed a number of both core and 3rd party extensions on my site. I'm not sure why this is so difficult to get right. You simple read off the extensions from the database tables for components, modules and mambots that are published. Then you go into the file structure and read the corresponding xml files.

As JCE is a very popular extension, it would be very nice if you could get the audit to list the multiple plugins that go with it. This is very hard to keep track of, as there are so many and they are frequently updated.

Thanks for your work on this script.