The Joomla! Forum ™

This is a continuation of items raised in this thread:
http://forum.joomla.org/viewtopic.php?f=199&t=243392&st=0&sk=t&sd=a&start=60

Confirmed:
When (RHEL5) WHM compiles Apache 2.2 & Php5.2.5 with Suexec, mod_security & suhosin, the flash uploader fails. It seems the session expires and the user is required to re-login with the Admin Login screen.

Hopefully, raising this issue helps the real brainies sort things out

Hmmm. Maybe I had high hopes here.

I thought someone would respond to this thread seeing as how there are lots of users (and several who have reported problems with this) affected here.

Is there a spot for Hosting Providers where Joomla! recommends a particular compilation of apache, php, mysql? I'm not trying to be pushy, but it might help out those of us who run WHM or something similar where the auto-compiler spits out a package.

For example:
Joomla recommends compiling Apache 2.2 with Php5.2.5 with the following modules, (etc.).

Obviously, I'm just hoping someone can shed light on what compilation they're running that complements suhosin so I can run the flash uploader and still have the most secure server I can.

IMO it is a known fact that some servers settings are not compatible with the flash uploader and this is why has been introduced in 1.5.2 or 1.5.3 a way to overcome this limitation.

I guess this topic should go in Q&T.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group

Same problems here with the flash uploader.

Mod Note: Topic moved to Joomla! Q&T

_________________
Robert Dam - Joomla Forum Moderator
Dutch Boards | Joomla Coding Boards | English Support Boards

Thanks for chiming in, fellows.

Since suhosin is widely acclaimed across the web, does anyone running Joomla have it working with this recognized security mod?

Note: I recompiled WHM's apache/php setup several times last night trying various combinations of apache versions and php. None of these versions interrupted the Flash Uploader session unless suhosin was enabled. It seems clear that this mod is killing the session with Flash Uploader.

I know sometimes posts can get lost in the shuffle, but I think this is a pretty important one - even got a Mod's attention.

So, considering Brad's recent call to hosting providers to provide solid security (which I agree with whole-heartedly), why is it that a core Joomla element (Flash Uploader) conflicts with suhosin? I'm not trying to raise a fire here - really. I'd just like someone to tell me why this isn't a big deal and then I'll be quiet.

Cheers, all.

2 things. First off, the flash uploader obeys standards. If suhosin breaks the uploader, it must not be following spec (the usual problem comes with the miss-handling of a Expect-Continue header).

2ndly, you don't want my opinion on suhosin... You don't need it. Get a VPS, and be better off..

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

Now this is the kind of response I was hoping for. Direct and from a core member. I don't know the ins and outs of suhosin - I just wanted someone who does to provide direction.

I don't think they come much more knowledgeable than ircm.

Thanks for the reply.

I am not happy with ircmaxell's answer and the ignorance given for suhosin. Yes, VPS is good but VPS+suhosin are better.

It's pretty simple to get the flash uploader work with suhosin activated. Locate the file suhosin.ini (if it exists) or php.ini and add this inside:

suhosin.session.encrypt = Off

Restart the server and buy me a coffee. By default, suhosin transparently encrypts sessions and cookies. Later suhosin transparently decrypts every session, if the decrypted session is not valid then suhosin will generate a new one. As I understood, this is what happens when uploading through the fancy uploader because it's passing the original session and not the encrypted one. If you can live without session encryption (I think it's acceptable) then this is your solution.

In the next release of Joomla it would be nice to have a warning message if suhosin is present, this has been done in phpmyadmin. I imagine this during install (when Joomla is checking other PHP settings) and in the System Info menu.

_________________
Signature Rules: viewtopic.php?t=65

Let me ask this. If what suhosin does is so good, why isn't in the php core? And since when is it up to a programing language to be secure? It's up to the programmers...

It's not that transparent I guess, is it?

What do you propose the warning message say? That suhosin breaks Joomla (cause it's not the other way around)...

I have yet to find an ACTUAL security expert tell me one thing that suhosin does that's actually necessary (nor do I find ANYTHING that it does to be necessary). Why should I put security down to "suhosin", when I can just take care of the security myself (as the developer)? If it's that needed, why don't we see suhosin versions of C++ or Perl or Python or Ruby? Because what it does is NOT THE JOB of the programming language!!!

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

I'm a hosting company, I want to protect my server and my users. I don't care about their code but I don't trust their code. Not all of my users are php experts and aware of every pitfall. It's up to the programmers...yes, in case they are good and in case they run their stuff on their own servers.


Say that it will break your Joomla and don't come into the forum to bug people with silly question. It can also provide helpful information what to do IF you have suhosin. See phpmyadmin.


Because you never read the feature list. I compare this to the debate "Why do I need snort, I have a firewall!" Nothing is necessary until it will get absolutely totally definitely necessary. On the other hand, is it necessary to have a Porsche Cayenne Turbo to go shopping...sure not, but for some people it's indispensable. For me, suhosin is indispensable.


No, you should never put security down to anything. But some additional security isn't that bad. Hackers are smart guys because they find flaws in the god-like developer's ah-so perfect code.


Why you don't use any I don't know, seems you don't care about buffer overflows. C provides no built-in compile-time security checking. As to me I use PaX hardened code and SELinux as countermeasure. And since PHP is C compiled code, I don't trust it either and it won't keep me from using run-time security checking.

But...maybe I'm wrong. After all, we're living in a perfect world and hackers are becoming extinct, don't they?

_________________
Signature Rules: viewtopic.php?t=65

I have the same point of view. ;-)
Nobody should turn down exrta security ... you never know when you might need it.

Nobody should turn down extra security.... Until it grinds your server to a halt with capacity decreases, and breaks every powerful thing that a developer can do. There's always a cost. And in my opinion, what suhosin provides is absolutely not worth the costs...

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

"And in my opinion, what suhosin provides is absolutely not worth the costs..."

You seem to be in need of a holiday.

You represent Joomla Core team, and yet, while giving a 'non-answer' to the OP you have to argue with the guy who gave the correct answer, and throw in a couple of insults to boot.

Nice.

[OT]
Oh my god, I can't believe that these words come out of a core developer. Don't get me wrong but it was SUHOSIN which protected some of my and my customers joomla sites from beeing hacked. One was Joomla 1.0.6 (I think) and the second 1.5.6 (it is not that old, isn't it?). Also it protects Joomla users from 3rd party programming errors. It protects against generic attacks such as sql-injections, RFI, etc. That means even if the security hole is there it can NOT be exploited. A good thing imho and I do not even think to disable security layers to get a flash uploader working.

Sorry but in such a big project you can not guarantee to be fail save - we all saw that in the past and in future more will come. That's why there are some other security layers around - for a good reason. I personally would also accept a > 20% performance loss if I get more security. Btw. suhosin is much faster than mod_security which I also use. See http://www.hardened-php.net/suhosin/benchmark.html

. Do you know what suhosin really does? (http://www.suhosin.org)

. If php-devs do not integrate it does not mean that it is useless. Why does RedHat or Ubuntu integrate it by default? Stefan Esser (the suhosin dev) wanted to make PHP more secure but he left the core team because they had no ear for the security holes and fixes he detected and provided.

. Why didn't you contact the suhosin dev to get the bug or to clarify if it was a suhosin or flash-updloader error?

... ok I give up and hope that core devs really take care about security and are able to change their point of view - or at least let us know arguments why they have another point of view
[/OT]

I remember that we already had this problem with 1.5.2 or something similar. That is why you now can switch off the flash uploader under SITE -> Configuration -> System (at the bottom). The other good thing is that somebody got the flashuploader working with suhosin enabled. But now it seems to be broken again. Maybe there is still some problem in the code?
See: viewtopic.php?f=199&t=243392&st=0&sk=t&sd=a

In another post someone says it does only not work with Flash Player 10? How comes that? See: viewtopic.php?f=428&t=337471&hilit=off+flash+uploader

Questions over questions. But I am happy that it is at least possible to switch off the flash-uploader.

edit: error corrections
edit2: RFC->RFI

I'd like to make a couple of points, if that's okay.

I don't know anything about suhosin so I'm not going to join in the debate about it's merits. I am going to remind everyone nicely that, yes, even Joomla! Core Team members are entitled to their own opinion. Let's respect one another's differences of opinion. It's okay to think differently on this.

The more important point I want to make is about how free software projects work. I'll use IIS as an example so no one takes this personally. Apache works great with Joomla!. We have a large group of volunteers who use it and test with it and understand it. There is a smaller set of users who use IIS.

Now, when issues arise that impact IIS, people who have access to and use and understand IIS are needed to identify and fix those bugs. There is no "Joomla! staff" that works on all of this technology to ensure compatibility. It's just us users and volunteers who contribute solutions for software we use that is then available for the broader community.

The same is true of Suhosin or anything else. The community of users who wish to use that capability, who have access to and knowledge of that software, must bring solutions in that area. Patches needed to get it working will be considered.

That's how it works and, after 25 years in the IT field, I am here to say it works remarkably well. Some call it the "wisdom of crowds." So, rather than debate the merits of this software, if you are having trouble using it with Joomla!, focus in on identifying those bugs and fixing them together. That is what will enable it's use for you.

Thanks for considering.
Amy

_________________
http://Twitter.com/AmyStephen
http://www.alltogetherasawhole.org/

Hi Amy,

I partly agree with you. The problem is not the flash-uploader or suhosin. The problem is the one layer security approach.

Please correct me if I and some other paranoid Joomla hosters and admins are wrong: afaik the leader of the security team tells us that the onion approach of security layers is wrong and we should all rely on the developer skills/programming quality?

I'm not a security expert at all but I know that the best programmers and rock-solid software has bugs which can be exploited (see BugTraq etc). That is why I use grsecurity, pax, ssp and other layers for the linux server and suexec, mod_secuirty, suhosin as security layers for php applications. What is more - if there is a bug in core php the best php written software can not protect you against exploitation (e.g. basedir/safemode vulns, memory corruption, ...). Suhosin and other onion like security layers may protect servers from beeing hacked - that is imho the sense of this approach. Even these layers don't protect your server from beeing hacked - but I hope that we all agree that multiple security layers are much more secure then relying on web app security and programming skills alone.

Sorry if this sounds offensive but I still hope that I misunderstood this security approach. I agree that the code should be as rock solid as possible but there should also be space left to protect the environment around Joomla without breaking it.

The problem comes in not having layers, but WHAT those layers do.

Did I say not to use a firewall? Did I say not to use a chroot jail? Did I say not to use selinux?

No.

What I said was I don't see that the "benefits" of suhosin are worth the negatives to it... There are things that can be done, but I see the path that suhosin has taken as to be much more obscurity than security... It's a good feeling, and makes you feel protected, but in reality doesn't offer up much protection (if any at all). It's the same way with mod_security... It feels good, but what is it really doing?

One BIG reason I don't condone their use, is I see a lot of people slacking on upgrades because "Oh, I have (Insert today's security fad) installed, I'm protected". That is a MUCH bigger problem IMHO...

Again, my $0.02...

_________________
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

ndee_at -

Thanks for your response! I wouldn't tell you that you were "wrong", though, since "those are fighting words" and probably not very productive for a technical discussion. Your summary, though, that Anthony doesn't see value in layers of security was not my read, at all, I think that might have been a bit encompassing.

My take on this conversation is that there is a cost to each additional layer of software added and that it is the opinion of Anthony that this particular layer is not worth that cost since there are better ways, in his view, of securing an environment. If understanding his point of view helps you, great! If you don't agree, that's cool, too.

The fact that Anthony is the Security Czar for Joomla! only matters for this discussion if his opinion on the topic prevents your choice to deploy security for your needs. I do not see that as the case. His opinion does not limit you in the slightest.

Joomla! does not do all things for all people. But, it is free, as in liberty, and we are welcome to continue enhancing it (reference my IIS point, earlier.)

Sometimes, these discussions get a lot of heat but very little traction. There is obvious experience and skill here. Try to hear what is others are saying. I will tell you from working closely with Anthony this past year - the dude is smart. He's that kind of smart that can be pretty freaking spooky, even. So, learn something - or - at least enjoy the debate - otherwise, it's just time wasting.

Have fun with Joomla! - it's great to have you all in the community,
Amy

_________________
http://Twitter.com/AmyStephen
http://www.alltogetherasawhole.org/

You are right, I interpreted your words too much. Let us focus on the layers around applications.


Which negatives despite the fact that flash-uploader problems. Please refer to specific disadvantages of suhosin.


Ok. Maybe you can accept another point of view. Joomla! has become very popular. Most users download Joomla! install a template and add content and that's it. If they do not work with Joomla! the version is not updated and it is a matter of time...

.. until they get hacked and cry in the forums.

My point of view is that if they host their projects on my server I can protect my server and my users applications against automated exploits in unpatched apps with suhosin and mod_security. Reality is that users do not update their apps if they do not need new functionality or got hacked or have other issues with the current version. I don't have a research at hand but the number of users who update their software (os, apps, webapps) is likely to be less than 10%. These users do not care or do not even know suhosin or mod_security. That's why I think suhosin or mod_security is mostly used by security aware people who frequently update all their webapps.

Scenario: A new critical vuln is found in Joomla!. A fix is released. Hosters may notice the new release within 1-2 days. But if users do not use joomla.org or other joomla sites frequently it will last some days or weeks until they notice that a new version is around. A few days after the release automated exploit scripts are distributed all over the internet and it is a matter of hours until the first vulnerable installations gets exploited. Users or even admins need at least some days to patch their installations - maybe this is already too late.

That is the reason why imho other security layers are important. They prevent vulnerable apps from beeing hacked until the patch is deployed.

The other problem is that admins and hosters of multiple Joomla! installations are not able or allowed to patch their customers Joomla! installs without a service contract or something else. Another reason why a security layer on top of webapps makes sense. What do you think?

Maybe a update notification will make people aware of updates faster will increase the patch deployment and will be a first step - but it will never solve the issue with the time between release of the new version and the time it takes to get that information and patch the install. Therefore an umbrella on top of webapps makes sense and patching should take place asap. But as said before users who do not update their installs are not security aware at all and even do not know what suhosin or something similar is.

English is not my first language - sorry if I do not take the right words to sound less offensive.

Hi Everyone,

This issue has been giving me a headache for 2 days now, I am happy to have found the main problem....

Now if you could just please disregard the argument about whether or not extra security features are needed on a server (which I think it is), does anyone have an idea if its possible to pass the encrypted session to the flash file?

It would be soooo nice... I have looking at the code for hours now, and am still clueless about this

cheers

Hi,

the problem has nothing todo with session encryption. The problem is the proprietary flash player 10. You will have to deactivate the flash uploader in config
as written some posts above.

I can't resist: imho a open source project should not rely on proprietary 3rd party products anyway. It was a good step to deactivate the flash uploader by default (as done in J! 1.5.8). Maybe it should be a optional plugin in future.

Greets,
ndee

this is my exact same problem....
with flash 10 and ff3 the flash uploader does not work at all...
while with flash 9 it looks as if it uploads, but it does not, breaks the code and gives me the admin login in the media manager...

it is confirmed with fancyupload that this can be a problem... if not the session encrypted by suhosin, then something else is causing an error, and I dont like errors on my sites....
so of course, I can turn off the flash upload in config (both J1.5.8 and other 3rd party products that use it), but I do not want to

This issue can be solved, and will be solved eventually... I am aware that most of Joomla users do not have programming skills to start debugging a very difficult one like this, so it might be convenient to say "turn it off" - I am not buying it.

So if anyone has ideas on this, let me know.
Otherwise I'll be posting solution here as soon as I have it.

Cheers

Hi ambrozy,

what you mentioned with admin login seems to be related indeed. I had the same issues with < J! 1.5.2 but this was fixed by some Joomla developer. If this 3rd party dependency had never been introduced or activated - nobody would cry about problems with suhosin or flashplayer.

I thought you only have the flashplayer 10 issue, my fault. I agree with you that this should be fixed by the flash-uploader maintainer. Unfortunately it is a core functionality which was introduced some time ago. To foist responsibility to suhosin or adobe is not the right way now.

EDIT: By the way you can disable session encryption with suhosin config.