I see that some folks have done scripts that read files in Joomla, looking for security flaws.
Wouldn't it be nice to have that included in a default Joomla installation, something that would warn us at admin login that, for example, some files have dangerous permissions set (777) or that some files don't have the "MOS_VALID or DIE" line, or even other basic security flaws?
I know these things are easier said than done, but I've seen others do it... Why can't Joomla take security in CMSs to the next level?
Thank You
Official Joomla security scanner
-
- Joomla! Apprentice
- Posts: 11
- Joined: Fri Aug 11, 2006 5:00 am
- willebil
- Joomla! Guru
- Posts: 762
- Joined: Thu Aug 18, 2005 12:06 pm
- Location: Netherlands
Re: Official Joomla security scanner
The idea is interesting, but for a white paper we would like to see more details on this proposal; please read http://forum.joomla.org/viewtopic.php?f=500&t=265654 and correct or add some missing details to this proposal.
-
- Joomla! Virtuoso
- Posts: 3173
- Joined: Sun Apr 16, 2006 12:20 am
- Location: 127.0.0.1
Re: Official Joomla security scanner
sp1ke77 wrote:
> Wouldn't it be nice to have that included in a default Joomla installation, something that would warn us at admin login that, for example, some files have dangerous permissions set (777) or that some files don't have the "MOS_VALID or DIE" line, or even other basic security flaws?
Core files shouldn't have that problem; it's generally 3rd party extensions.
As for the rest, I'd like to point out that J! JTS & HISA (http://extensions.joomla.org/component/ ... Itemid,35/) by RussW is currently available. Going along with sp1ke77's idea, something like that integrated directly into the administrative backend would be useful.
This idea seems to be related to the white paper on Installation System Check Improvements (http://forum.joomla.org/viewtopic.php?f=500&t=266084).
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess
-
- Joomla! Apprentice
- Posts: 11
- Joined: Fri Aug 11, 2006 5:00 am
Re: Official Joomla security scanner
Cool... I like it...
At installation, 3rd party components would be "scanned" to check for basic security flaws. That way security would be increased, because the flawed component wouldn't install unless the basic requirements for security were fulfilled.
Scanning at the Installation System Check would reduce hacking possibilities. And a permission scanner and advisor as a "core" component could help many folks out there.
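An added example (not code from the thread or from any Joomla project) of the advisory scan the posts above describe: it walks an extension's files, flags world-writable modes and PHP files lacking the direct-access guard (the 1.0-era `defined('_VALID_MOS') or die` line the thread calls "MOS_VALID or DIE", or the 1.5 `_JEXEC` form), and returns advisories for the installer or admin login page to show rather than blocking anything. The sample extension tree it builds is constructed for the demo and is not a real extension.

```python
import os
import re
import stat
import tempfile

# Direct-access guard expected near the top of every Joomla PHP file: the
# 1.0-era "_VALID_MOS" form (the thread's "MOS_VALID or DIE") or the 1.5 "_JEXEC" form.
GUARD_RE = re.compile(r"defined\(\s*['\"](?:_VALID_MOS|_JEXEC)['\"]\s*\)\s*or\s*die", re.I)

def scan_tree(root):
    """Walk root and return sorted (relative path, advisory) pairs. Advisory only:
    the caller (install step or admin login page) decides what to do with them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:                      # 777, 666, ...: anyone on the box can write
                findings.append((rel, "world-writable (mode %o)" % mode))
            if name.lower().endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)                 # the guard belongs near the top
                if not GUARD_RE.search(head):
                    findings.append((rel, "missing direct-access guard"))
    return sorted(findings)

def build_sample_extension():
    """Constructed sample extension tree (hypothetical com_demo, not a real extension)."""
    root = tempfile.mkdtemp(prefix="joomla_scan_demo_")
    files = {
        "com_demo/demo.php": ("<?php\ndefined('_JEXEC') or die('Restricted access');\n", 0o644),
        "com_demo/helper.php": ("<?php\necho 'no guard here';\n", 0o644),
        "com_demo/cache/upload.php": ("<?php\ndefined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );\n", 0o777),
        "com_demo/README.txt": ("demo component\n", 0o666),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, advisory in scan_tree(build_sample_extension()):
        print("%-28s %s" % (rel, advisory))
```

On the sample tree the scan reports README.txt and cache/upload.php as world-writable and helper.php as missing its guard, while demo.php passes both checks.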
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Official Joomla security scanner
Just a note on this... most reputable providers are running Apache as a CGI, so 777 file permissions are a thing of the past, as are file ownership problems.
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 11
- Joined: Fri Aug 11, 2006 5:00 am
Re: Official Joomla security scanner
That's good to hear, but what about "all the others"?
I checked out JTS ( http://joomlacode.org/gf/project/jts ) and it's awesome!!!
Imagine JTS as a core component of Joomla... A lot of problems could be easily avoided.
-
- Joomla! Intern
- Posts: 62
- Joined: Sun Apr 20, 2008 9:44 pm
Re: Official Joomla security scanner
sp1ke77 wrote:
> At installation, 3rd party components would be "scanned" to check for basic security flaws. That way security would be increased, because the flawed component wouldn't install unless the basic requirements for security were fulfilled.
sp1ke77's proposal should not be imposed. The user should receive a security advisory and be left the final decision about whether to abort the install or go on with it.
-
- Joomla! Intern
- Posts: 68
- Joined: Tue Feb 27, 2007 5:23 am
Re: Official Joomla security scanner
merill wrote:
> sp1ke77 wrote:
> > At installation, 3rd party components would be "scanned" to check for basic security flaws. That way security would be increased, because the flawed component wouldn't install unless the basic requirements for security were fulfilled.
> sp1ke77's proposal should not be imposed. The user should receive a security advisory and be left the final decision about whether to abort the install or go on with it.
I agree, not allowing it to install is too much. However, an advisory giving the information should be in place if something like this were to be implemented. Perhaps something giving the file references for the first few and then creating a simple report that is stored in a directory.