The Joomla! Forum ™





PostPosted: Sat Sep 23, 2006 8:46 pm 
Although the Joomla! core is secure when configured correctly, third party extensions come in all flavors of age and quality. Unless you absolutely trust the extension developer, always review the code before installing. The following is a list of typical areas of concern.

1. How complex is the extension? The larger it is, the more likely it is to have problems, and the more carefully you should review it. If you can't tell what it's doing, you should not trust it.

2. Does the extension read or write files to your server? Programs that read files may inadvertently violate access restrictions you've set up, or pass sensitive system information to crackers. Programs that write files have the potential to modify or damage existing files, or introduce trojan horses.

3. Does the extension interact with other programs on your system? For example, many extensions send e-mail in response to a form input by opening a connection with the sendmail program. Is it doing this in a safe way?

4. Does the extension run with suid (set-user-id) privileges? In general this is very dangerous; extensions need an excellent reason for doing this.

5. Does the extension validate all user input, such as in form fields and in the URL?

6. Does the extension use explicit path names when invoking external programs? Relying on the PATH environment variable to resolve partial path names is a dangerous practice.

7. Is the extension secure against direct access through the URL? For example:
Code:
www.yoursite.com/components/com_bad_extension.php?lots_of_bad_code_here


8. Is the extension secure against remote file inclusions?

9. Is the extension secure against SQL injections?

10. Is the extension secure against Cross Site Scripting (XSS)?

11. Does the extension need PHP register_globals ON, or Joomla! RG Emulation ON? If so, then it is probably violating number 7 above.

12. Does the extension provide higher database access to less privileged users? For example does it allow guests or registered users to view data that only publishers or administrators should be able to see?

For details on items 7 through 12, see this great post by friesengeist:
http://forum.joomla.org/index.php/topic,78781.0.html

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


Last edited by rliskey on Fri Oct 27, 2006 6:47 am, edited 1 time in total.
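As an added illustration (not part of the original post or of any Joomla! extension), a small Python review aid that scans a PHP source for the patterns behind items 2, 3, 6, 7, 8, 9 and 10 of the checklist above. It assumes the extension should carry the standard Joomla! 1.0 (`_VALID_MOS`) or 1.5 (`_JEXEC`) direct-access guard, and runs on two constructed PHP snippets embedded in the script; a hit is a lead for a manual read of that spot, not proof of a flaw.

```python
import re
from typing import List

# Heuristics keyed to the checklist items above: (label, pattern, flag_when_found).
# A hit is a lead for a manual read, not proof of a flaw; a miss proves nothing.
REQ = r"\$_(GET|POST|REQUEST|COOKIE)\b"
CHECKS = [
    ("item 2: reads or writes files",
     re.compile(r"\b(fopen|fwrite|file_put_contents|file_get_contents|unlink|mkdir)\s*\("), True),
    ("item 3: invokes external programs",
     re.compile(r"\b(exec|system|passthru|shell_exec|popen|proc_open)\s*\("), True),
    ("item 6: external program named without an absolute path",
     re.compile(r"\b(exec|system|passthru|shell_exec|popen)\s*\(\s*['\"](?!/)\w"), True),
    # Assumed Joomla! 1.0 (_VALID_MOS) or 1.5 (_JEXEC) guard; flagged when ABSENT.
    ("item 7: no direct-access guard",
     re.compile(r"defined\s*\(\s*['\"](_VALID_MOS|_JEXEC)['\"]\s*\)\s*or\s*die\b"), False),
    ("item 8: include/require built from request data",
     re.compile(r"\b(include|require)(_once)?\b[^;]*" + REQ), True),
    ("item 9: request data concatenated into SQL",
     re.compile(r"\b(select|insert|update|delete)\b[^;]*" + REQ, re.I), True),
    ("item 10: request data echoed without escaping",
     re.compile(r"\b(echo|print)\b[^;]*" + REQ), True),
]

def review(source: str) -> List[str]:
    """Return the checklist items a PHP source triggers, in checklist order."""
    return [label for label, pattern, flag_when_found in CHECKS
            if bool(pattern.search(source)) == flag_when_found]

# Constructed samples (not real extension code) to exercise the checks.
CARELESS = r"""<?php
include($_GET['page'] . '.php');
$sql = "SELECT * FROM jos_content WHERE id = " . $_GET['id'];
echo $_GET['name'];
exec("sendmail -t < " . $_GET['file']);
fwrite($fh, $data);
"""
HARDENED = r"""<?php
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
$id = (int) $_REQUEST['id'];
$database->setQuery("SELECT title FROM #__content WHERE id = " . $id);
echo htmlspecialchars($database->loadResult());
"""

if __name__ == "__main__":
    for name, src in (("careless", CARELESS), ("hardened", HARDENED)):
        print(name, "->", review(src) or "nothing flagged")
```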
