A Call To Arms - Beta Testers Needed!

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV

Post by jeffchannell » Sun Sep 19, 2010 7:31 pm

I've finally had enough people ask me about it, so I've started coding a Joomla firewall. It's really rough right now and isn't ready for prime time, and I'm hoping to enlist a few security-conscious people to help me test this thing out. Once finished, the client software will be available for free under the GPL.

There is no doubt in my mind that things could break as a result of this plugin, as it's currently a bit too aggressive. I'm not posting it here as I don't want any inexperienced users installing this on a live site until I'm fairly sure it's ready.

Anyways, to all interested - PM me your email, and I'll send a copy your way.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

ascwash
Joomla! Apprentice
Posts: 6
Joined: Sun Sep 19, 2010 10:42 pm

Re: A Call To Arms - Beta Testers Needed!

Post by ascwash » Sun Sep 19, 2010 11:00 pm

What's wrong with http://www.rsjoomla.com/

I assume you are creating a non-commercial extension.


Post by jeffchannell » Sun Sep 19, 2010 11:12 pm

ascwash wrote:What's wrong with http://www.rsjoomla.com/

I assume you are creating a non-commercial extension.

I'm not sure how their offering works, but mine is thus far quite aggressive, neutering any suspicious request immediately... whereas RSJoomla's firewall extension was actively running on their demo site when I found this: http://www.exploit-db.com/exploits/13935/

As for the extension, there may be a commercial offering in the way of services (don't want to reveal too much yet though), but the core security offering will be free, both beer AND libre.

Post by jeffchannell » Tue Oct 05, 2010 3:42 am

Okay folks, I've gone ahead and launched this to the wild:

http://extensions.joomla.org/extensions ... tion/14265

There's still a whole lot to be done, I'll admit - but I think it's going to work rather well, as long as I can get a bit of a community behind it. :)
Last edited by mandville on Tue Oct 05, 2010 1:33 pm, edited 1 time in total.
Reason: url changed to JED link

mandville
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex


Post by mandville » Tue Oct 05, 2010 1:35 pm

Extension is not for production sites, and as such has been suspended from JED.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

imscoop22
Joomla! Explorer
Posts: 255
Joined: Sat Mar 10, 2007 9:09 pm


Post by imscoop22 » Thu Oct 07, 2010 11:00 pm

@mandville

Is that a new rule?

Seems not to make much sense. All a developer needs to do is not call an extension an Alpha version and it gets through. Also, Joomla! Alpha releases are published, so why shouldn't the same standard apply to third party extensions?

The best approach, IMHO, would be to encourage developers to choose an appropriate versioning standard, stick to it, and communicate it clearly to potential users.

BTW, Joomla! 1.6 is *not* for production sites either. Not even "official" sites, if the project plays by its own rules...
<><


Post by mandville » Fri Oct 08, 2010 2:52 am

Just to say that I didn't unpublish it, just saying to save people going there and reporting the fact. I have personally asked the question and am waiting for the answer (as jeffchannell knows).
The linking to the JED and not personal dev sites is a new/clearer defined rule though.

Post by jeffchannell » Fri Oct 08, 2010 7:32 am


tresan
Joomla! Ace
Posts: 1010
Joined: Thu Feb 09, 2006 3:00 pm
Location: Odense - DK

Post by tresan » Fri Oct 08, 2010 7:54 am

Jeff does tons of work and takes part in the Joomla IRC channels every single day and is always trying to help others, and he does a ton of work with security and helping people avoid problems that get them hacked or exploited.

He is without a doubt one of the most talented and skillful people on IRC in terms of security issues and handling for Joomla, and some of us have been looking forward to seeing his component go live - so I must admit, after hearing about it for months and him trying to improve it to make it as good as possible, it does seem extremely strange that it was unpublished on JED after going live for being an alpha - is that a new rule?

I think someone made a mistake - and needs to correct it ;)
Ronni K. G. Christiansen (@redwebdk)
http://www.redcomponent.com/ - One big family of Joomla extentions & templates
http://redweb.dk - Joomla Webdesign & Development
redHOST.dk - 100% Joomla Webhotel - Dansk support med Joomla viden!


Post by jeffchannell » Fri Oct 08, 2010 7:57 am

Thanks for the kind words, tresan - you know I've been dreaming this thing up for a while!

Also, here's a few more that need to be removed under this "new rule":

http://extensions.joomla.org/extensions ... rted/11095 - "should not be used on production sites"
http://extensions.joomla.org/extensions ... splay/8438 - 0.1.1, listed as alpha
http://extensions.joomla.org/extensions ... lbars/8691 - 0.9.3, "pilot project (not yet meant for a live site)"
http://extensions.joomla.org/extensions ... ment/11673 - 0.7, "Please do not use on a Production site"

Post by jeffchannell » Fri Oct 08, 2010 8:09 am

Here's another one - the JED team should take a few minutes and read their own terms of service - http://extensions.joomla.org/tos

NOWHERE does it state that alpha/not-production-ready extensions are not allowed. If you ask me, this was done deliberately and with malicious intent because I dropped out of the JED team for refusing to cease publishing vulnerabilities that I myself found and reported.

That's right folks - I was in the running to BE on the JED team, and now someone has their panties in a bunch because I refused to be put in a position where I required permission from others to openly publish or discuss security issues.

And to set the record straight - when I said I wanted to know who unpublished this, it was meant to be rhetorical. I think I have a pretty good idea of who it was and why.

Post by imscoop22 » Fri Oct 08, 2010 12:28 pm

@mandville

Thanks for the clarification. I was aware of the new JED linking rule... though I have a definite opinion on this, I'll refrain from discussing as it's off topic of the original post.

I still don't see how the new rule relates to your statement: "extension is not for production sites" - Where did that come from?

@jeffchannell

Nice Work and thanks for developing and sharing the extension.

Post by mandville » Fri Oct 08, 2010 2:56 pm

imscoop22 wrote:@mandville
I still don't see how the new rule relates to your statement: "extension is not for production sites" - Where did that come from?

From the JED:
This extension has been unpublished for the following reason: ALPHA - NOT FOR USE ON PRODUCTION SITES

Edit to add:
I advise Jeff to contact the JED leaders, and Jeff is already aware of my thoughts and actions on this issue.

Post by jeffchannell » Fri Oct 08, 2010 3:22 pm

This is absolutely sickening that my posts AND those supportive of me are being deleted.

Some bloody community...

mlipscomb
Joomla! Ace
Posts: 1271
Joined: Thu Mar 26, 2009 5:38 pm
Location: Gadsden, AL

Post by mlipscomb » Fri Oct 08, 2010 5:43 pm

This extension has been republished. The editor's note (that you requested, Jeff) is applied.
http://extensions.joomla.org/extensions ... tion/14265
~Matt Lipscomb
http://www.USAFreelancers.org
Professional Joomla! Services and Web Development based in the USA

anotheruser
Joomla! Enthusiast
Posts: 172
Joined: Fri Oct 10, 2008 1:45 am


Post by anotheruser » Sat Oct 09, 2010 7:37 am

jeffchannell wrote: Some bloody community...

On the whole the community is great, but on issues such as this there does seem to be a certain whiff of something unpleasant.

mlipscomb wrote:This extension has been republished. The editor's note (that you requested, Jeff) is applied.
http://extensions.joomla.org/extensions ... tion/14265

Well Jeff, looks like it turned out nice again, as George Formby would say.

IMHO your project will be highly valued among the community once it goes stable if not before. Thanks for putting the time in to prove your concept, and opening it up to the community at large. It's actions like this and the genuine support that make the community great!

<moderator deleted>

