[34]Official Joomla security scanner

sp1ke77
Joomla! Apprentice
Posts: 11
Joined: Fri Aug 11, 2006 5:00 am

Post by sp1ke77 » Sun Feb 17, 2008 6:51 am

I see that some folks have done scripts that read files in Joomla, looking for security flaws.

Wouldn't it be nice to have that included in a default Joomla installation, so that it would warn us at admin login that, for example, some files have dangerous permissions set (777) or that some files don't have the "MOS_VALID or DIE" line, or even other basic security flaws?

I know these things are easier said than done, but I've seen others do it... Why can't Joomla take security in CMSs to the next level?

Thank You
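A minimal version of the two checks described in this post, written as an added example that is not from the thread or from Joomla itself: it walks an install tree, flags world-writable entries (the 777 case) and flags PHP files with no direct-access guard, matching either the Joomla 1.0 form `defined('_VALID_MOS') or die` (the "MOS_VALID or DIE" line above) or the Joomla 1.5 form `defined('_JEXEC') or die`. The sample install it scans is constructed in a temporary directory; the component name `com_demo` and the file names are invented.

```python
import os
import re
import stat
import tempfile

# Guard constants: Joomla 1.0 used _VALID_MOS (the post's "MOS_VALID or DIE"),
# Joomla 1.5 uses _JEXEC; match either form, with single or double quotes.
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"](_VALID_MOS|_JEXEC)['\"]\s*\)\s*or\s+die", re.IGNORECASE)

def has_access_guard(path):
    """True if a direct-access guard appears in the first 2 KB of the PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return GUARD_RE.search(f.read(2048)) is not None

def scan_tree(root):
    """Walk a Joomla tree; return sorted (relative path, issue) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:  # directories can be 777 too
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):  # do not follow symlinks out of the tree
                continue
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:  # any local user can modify this entry
                findings.append((rel, "world-writable (mode %o)" % stat.S_IMODE(mode)))
            if name.endswith(".php") and not has_access_guard(full):
                findings.append((rel, "missing _VALID_MOS/_JEXEC guard"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample install: one guarded 644 file, one unguarded 777 file."""
    root = tempfile.mkdtemp(prefix="joomla_scan_")
    comp = os.path.join(root, "components", "com_demo")  # hypothetical component
    os.makedirs(comp)
    for d in (os.path.dirname(comp), comp):
        os.chmod(d, 0o755)  # explicit modes so the result does not depend on umask
    good = os.path.join(comp, "demo.php")
    with open(good, "w") as f:
        f.write("<?php\ndefined('_JEXEC') or die('Restricted access');\necho 'ok';\n")
    os.chmod(good, 0o644)
    bad = os.path.join(comp, "helper.php")
    with open(bad, "w") as f:
        f.write("<?php\necho 'no guard here';\n")
    os.chmod(bad, 0o777)
    return root

if __name__ == "__main__":
    for rel, issue in scan_tree(build_sample_tree()):
        print(rel, issue)
```

Pointing `scan_tree` at a real install root gives the same (path, issue) list; on a live site the findings would feed an admin-login notice rather than stdout.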

willebil
Joomla! Guru
Posts: 762
Joined: Thu Aug 18, 2005 12:06 pm
Location: Netherlands

Re: Official Joomla security scanner

Post by willebil » Sun Feb 17, 2008 8:29 pm

The idea is interesting, but for a white paper we would like to see more details on this proposal; please read http://forum.joomla.org/viewtopic.php?f=500&t=265654 and correct and add some missing details to this proposal.

Geoff
Joomla! Virtuoso
Posts: 3173
Joined: Sun Apr 16, 2006 12:20 am
Location: 127.0.0.1

Re: Official Joomla security scanner

Post by Geoff » Mon Feb 18, 2008 2:10 am

sp1ke77 wrote: Wouldn't it be nice to have that included in a default Joomla installation, so that it would warn us at admin login that, for example, some files have dangerous permissions set (777) or that some files don't have the "MOS_VALID or DIE" line, or even other basic security flaws?
Core files shouldn't have that problem, it's generally 3rd party extensions.

As for the rest, I'd like to point out that J! JTS & HISA (http://extensions.joomla.org/component/ ... Itemid,35/) by RussW is currently available. Going along with sp1ke77's idea, something like that integrated directly into the administrative backend would be useful.

This idea seems to be related to the white paper on Installation System Check Improvements (http://forum.joomla.org/viewtopic.php?f=500&t=266084).
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

sp1ke77
Joomla! Apprentice
Posts: 11
Joined: Fri Aug 11, 2006 5:00 am

Re: Official Joomla security scanner

Post by sp1ke77 » Mon Feb 18, 2008 8:35 pm

Cool... i like it...

At installation, 3rd party components would be "scanned" to check for basic security flaws. That way security would be increased, because the flawed component wouldn't install unless the basic requirements for security were fulfilled.

Scanning at Installation System Check would reduce hacking possibilities. And a permission scanner and advisor as a "core" component could help many folks out there.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: Official Joomla security scanner

Post by brad » Mon Feb 18, 2008 8:39 pm

Just a note on this... most reputable providers are running Apache as a CGI, so 777 file permissions are a thing of the past, as are file ownership problems.

sp1ke77
Joomla! Apprentice
Posts: 11
Joined: Fri Aug 11, 2006 5:00 am

Re: Official Joomla security scanner

Post by sp1ke77 » Mon Feb 18, 2008 10:13 pm

That's good to hear, but what about "all the others"?

I checked out JTS ( http://joomlacode.org/gf/project/jts ) and it's awesome!!!
Imagine JTS as a core component of Joomla... A lot of problems could be easily avoided.

merill
Joomla! Intern
Posts: 62
Joined: Sun Apr 20, 2008 9:44 pm

Re: [34]Official Joomla security scanner

Post by merill » Wed Jun 04, 2008 10:05 pm

sp1ke77's proposal that
At installation, 3rd party components would be "scanned" to check for basic security flaws. That way security would be increased, because the flawed component wouldn't install unless the basic requirements for security were fulfilled.
should not be imposed. The user should receive a security advisory and be left the final decision about whether to abort the install or go on with it.

oniell
Joomla! Intern
Posts: 68
Joined: Tue Feb 27, 2007 5:23 am

Re: [34]Official Joomla security scanner

Post by oniell » Tue Dec 02, 2008 3:11 am

merill wrote: sp1ke77's proposal that
At installation, 3rd party components would be "scanned" to check for basic security flaws. That way security would be increased, because the flawed component wouldn't install unless the basic requirements for security were fulfilled.
should not be imposed. The user should receive a security advisory and be left the final decision about whether to abort the install or go on with it.
I agree, not allowing it to install is too much. However, an advisory giving the information should be in place if something like this were to be implemented. Perhaps something giving the file references for the first few and then creating a simple report that is stored in a directory.
