"If you're using a shared hosting provider, be sure other users on your server can't access your site's files. Usually a shell account is required for this level of access."
Sorry but that is just not true. Any good ISP will have set up their shared hosting system in an environment that prevents other users accessing your files. Shell access is not required. Or did you mean that shell access was required to test for this?
Discussion for: Joomla Administrator's Security Checklist
- brian
- Joomla! Master
- Posts: 12813
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Discussion for: Joomla Administrator's Security Checklist
Last edited by RobS on Tue Aug 01, 2006 6:12 pm, edited 1 time in total.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- brian
- Joomla! Master
- Posts: 12813
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Joomla Administrator's Security Checklist Discussion
rliskey wrote: Be sure you know your ISP's backup procedures. Test the backup process before you really need it by requesting a specific file from the previous day.
Never rely on anyone else for backup. Take responsibility for your own database and ensure that YOU keep it backed up.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
Joomla Administrator's Security Checklist Discussion
brian wrote: "If you're using a shared hosting provider, be sure other users on your server can't access your site's files. Usually a shell account is required for this level of access." Sorry but that is just not true. Any good ISP will have set up their shared hosting system in an environment that prevents other users accessing your files. Shell access is not required. Or did you mean that shell access was required to test for this?
I believe he meant that a shell was usually required to test this. While a shell makes this easier it is not necessary to test it. Though, I won't get into how to get around that.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- brian
- Joomla! Master
- Posts: 12813
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Joomla Administrator's Security Checklist Discussion
I thought he might. I just don't want to see people thinking that they need shell access.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Joomla Administrator's Security Checklist Discussion
That's right, I only meant that using your own shell account is an easy way to check what users at your level can do with their shell accounts. Personally, I'd feel blind without shell account, but maybe "required" is too strong a word. If you don't have shell access, aren't you pretty much stuck with FTP for moving and renaming files, and for setting file permissions?
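An added example (not part of rliskey's post or the checklist): a shell audit of the permission side of "what users at your level can do". It goes slightly beyond the post by checking the search bit on parent directories as well as the file bits; the function names and the account path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. It audits permission bits only; it does
# not test the host's isolation layer (open_basedir, suEXEC, chroot).

# Print the "other" permission triplet of one path, e.g. "r--" or "--x".
other_bits() {
    ls -ld -- "$1" | head -n 1 | cut -c8-10
}

# Return 0 if "other" has search (x) permission on every directory from the
# one holding file $1 up to and including the account directory $2.
other_can_traverse() {
    top=$(cd "$2" && pwd -P) || return 2
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 2
    while :; do
        case $(other_bits "$dir") in
            ??[xt]) ;;            # x, or t (sticky bit together with x)
            *) return 1 ;;        # a closed directory hides everything below
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# List every regular file under $1 that has an "other" read or write bit set
# AND sits behind directories that "other" can traverse.
audit_site() {
    site_root=$1
    find "$site_root" -type f \( -perm -0004 -o -perm -0002 \) -print |
    while IFS= read -r f; do
        other_can_traverse "$f" "$site_root" || continue
        printf '%s %s\n' "$(other_bits "$f")" "$f"
    done
}

# Usage: sh audit.sh /path/to/your/account   (the path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_site "$1"
fi
```

A file listed here is exposed only as far as permission bits go; whether another account can actually reach it also depends on how the host isolates accounts.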
- crash777
- Joomla! Explorer
- Posts: 334
- Joined: Sat Sep 03, 2005 1:56 am
- Location: Upstate New York
Joomla Administrator's Security Checklist Discussion
rliskey wrote: That's right, I only meant that using your own shell account is an easy way to check what users at your level can do with their shell accounts. Personally, I'd feel blind without shell account, but maybe "required" is too strong a word. If you don't have shell access, aren't you pretty much stuck with FTP for moving and renaming files, and for setting file permissions?
VPS' have a file manager.. moving files, uploading and downloading can be done as well as editing some files..
I also do not provide shell access unless my client has a specific need for it.
A step back, however... what is the setting that prevents users from accessing files not in their own account?
Thanks!
Aaron
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Joomla Administrator's Security Checklist Discussion
crash777 wrote: A step back, however... what is the setting that prevents users from accessing files not in their own account?
I didn't consider VPS management. That's a BIG, interesting subject that I think would have to go in a *NIX administrators topic. I was limiting this to basic Joomla! installation considerations.
But, if I understand your goal (to protect multiple users that you are hosting on your VPS), here are some links that may help:
How VPS works: http://www.webintellects.com/solutions/ ... ervers.htm
suEXEC: http://httpd.apache.org/docs/1.3/suexec.html
Apache Security: http://httpd.apache.org/docs/1.3/misc/s ... _tips.html
Apache Require Directive: http://httpd.apache.org/docs/2.2/mod/core.html#require
- crash777
- Joomla! Explorer
- Posts: 334
- Joined: Sat Sep 03, 2005 1:56 am
- Location: Upstate New York
Joomla Administrator's Security Checklist Discussion
hmm.. thank you for the detailed links.. I will be reviewing them as well.
I had thought you had a particular setting in mind like "Php open_basedir" that WHM can control. I was just curious if this is the setting that you might have been referring to...
Thanks!
Aaron
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Joomla Administrator's Security Checklist Discussion
Nope, sorry. Actually, you're way over my head. I haven't used a VPS yet, but have been planning to move that way someday. How do you like it so far?
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
Joomla Administrator's Security Checklist Discussion
Well, when it comes to something like that you have 3 options basically. And they would probably be arranged as below in order of difficulty if the top is easiest and the bottom is the most difficult to implement correctly.
PHP open_basedir
PHP SafeMode
Apache suExec
Then of course, you can combine them as well for those little bits of extra security.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Intern
- Posts: 73
- Joined: Fri Sep 02, 2005 4:19 pm
Joomla Administrator's Security Checklist Discussion
I think under Joomla extensions you could put a reminder to remove any unused extensions and double check that the folders and files were actually removed.
Also as an aside and a tip for newbies. I was a bit of a nervous wreck about a few sites I had done for clients until I took the time to test out the backups by getting an actual development server. It's only $3.95 per month on Godaddy and uploaded the sites there to see if the backups were OK and how tough it would be to restore, move a site to a new server etc.. I had one that was still on Mambo with an older version of Menalto Gallery. I uploaded and upgraded everything to Joomla on the development server without any real hitches, you just need to tweak a few configuration files in most cases. But by doing it all on a development server I'm pretty confident I should be able to handle a worst case scenario without too much difficulty. This makes me sleep better, but make sure you have good backups.
- Jenny
- Joomla! Champion
- Posts: 6206
- Joined: Sun Aug 21, 2005 2:25 pm
Re: Joomla Administrator's Security Checklist Discussion
rliskey wrote: Be sure you know your ISP's backup procedures. Test the backup process before you really need it by requesting a specific file from the previous day.
brian wrote: Never rely on anyone else for backup. Take responsibility for your own database and ensure that YOU keep it backed up.
I have to concur with Brian on this, and I cannot stress it enough! Each person as an individual is responsible for their own backups, both files and databases, in fact every host I have ever hosted with insists on this in their terms of service. That is not to say that they did not or do not have backup systems in place, but those backups are for their own use to restore their servers in case of mishap. They are not responsible for restoring your site, or any file that you wish to have restored on a whim, as this takes a huge amount of time for them. Some hosts may help you out if you have issues, and some will charge you for restoration services, but I have never seen a terms of service that stated they are responsible for backing up your files. People make this mistake all of the time, please don't perpetuate the notion that hosts are responsible for backing up people's websites, as it is incorrect.
The backup process that I have seen in the user control panels I have used are almost always a one click solution. Click on backup, the backup is created in a zip file. Download the zip file. Same with databases. You can then download the backup and check for integrity.
Please change or even better remove the reference to hosts being responsible for backing up websites. Individuals and only individuals are responsible for their site's data. I don't know of any host's terms of service that does not specifically state this.
Edit: Just a clarification: I don't know of any reputable hosts that do not specifically state in their terms of service that the account holder is responsible for their own data backups.
Last edited by Jenny on Thu Aug 03, 2006 12:34 pm, edited 1 time in total.
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com
- spike00
- Joomla! Intern
- Posts: 55
- Joined: Wed Jan 25, 2006 10:56 pm
- Location: Busto Arsizio (VA) - Italy
Re: Discussion for: Joomla Administrator's Security Checklist
We have managed servers (this means that there's another company that manages our servers).
Our hosting service includes raid1 mirroring and a daily incremental backup + a total backup every 15 days on a different machine used only for backups. Disaster recovery service and restore on demand are included.
We have a specific contract with the external company just for the backup service.
This is not to make spam of course (I won't write any URL), just to say that there are many levels of service.
- brian
- Joomla! Master
- Posts: 12813
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Re: Discussion for: Joomla Administrator's Security Checklist
I still say that you should NOT rely on anyone else to do your backups no matter what you pay them.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- spike00
- Joomla! Intern
- Posts: 55
- Joined: Wed Jan 25, 2006 10:56 pm
- Location: Busto Arsizio (VA) - Italy
Re: Discussion for: Joomla Administrator's Security Checklist
Hmmm... it is simply outsourcing like many other services, like fiscal stuff, safety, security. Why is it normal to rely on others about fiscal, safety, security and not backup?
Here in Italy we have strict laws about privacy that involve backup policies (among many other things), so it is easier to give backup responsibility to whoever manages the servers - speaking about online data - (this way they MUST assure a good backup policy according to the law: if something goes wrong, not only do they break the contract but the law too!)
- Jenny
- Joomla! Champion
- Posts: 6206
- Joined: Sun Aug 21, 2005 2:25 pm
Re: Discussion for: Joomla Administrator's Security Checklist
If you have specifically contracted an agency to handle your backups then you are taking responsibility for your own backups. Please do not confuse what I posted, with someone having specifically contracted someone else to do their backups. It is not the same thing.
Most hosting companies have it specifically in their terms of service that they are not responsible for data loss.
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Re: Discussion for: Joomla Administrator's Security Checklist
The backup issue generated the most debate so far. I've strengthened the wording in response.
I think being personally responsible for backups means different things in different situations, which may partly explain the range of opinions. But all agree that backups are vital.
Seems best for the checklist to stress the vital importance of backups as well as the ultimate inescapability of personal responsibility--no matter how that responsibility is managed.
Last edited by rliskey on Thu Aug 03, 2006 4:35 pm, edited 1 time in total.
- Tonie
- Joomla! Master
- Posts: 16553
- Joined: Thu Aug 18, 2005 7:13 am
Re: Discussion for: Joomla Administrator's Security Checklist
I wholeheartedly agree with Brian and Mmmedia. Things can and will go wrong. You can be protected by whatever law or contract made with a 3rd party, in the case of trouble this doesn't get your site or data back. Even working at big customer sites, I don't fully trust backup systems and always take copies of my own documents
- brian
- Joomla! Master
- Posts: 12813
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Re: Discussion for: Joomla Administrator's Security Checklist
To re-emphasise why you should never rely on anyone else for backups (even if you contract them to do so) read this http://usertools.plus.net/status/archive/1154603560.htm
Which goes on to tell the customers of a major ISP that they have irretrievably lost 700gb of clients' email.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- spike00
- Joomla! Intern
- Posts: 55
- Joined: Wed Jan 25, 2006 10:56 pm
- Location: Busto Arsizio (VA) - Italy
Re: Discussion for: Joomla Administrator's Security Checklist
I get your point, but managing backups by yourself is possible (but still very expensive in terms of time) only for small sites, considering a daily backup.
I have a friend whose db is about 200Mb (e-commerce + forum). Obviously it is a pain to dump such a big db, not to mention bandwidth: 200x30 = 6Gb a month just for db backup.
And if you manage 10/50/100 sites?
With our data on 2 hd (raid1) and on a different machine (not online) I feel quite safe.
In the end it is only a matter of costs and benefits.
Of course I totally agree with the importance of paying attention to which level of service your hosting provider offers.
- eyezberg
- Joomla! Hero
- Posts: 2859
- Joined: Thu Aug 25, 2005 5:48 pm
- Location: Geneva mostly
Re: Discussion for: Joomla Administrator's Security Checklist
Some points about this sticky:
1. good idea, should be integrated as default content in installer sql! Just so it's right there in your face, instead of somewhat hidden here.
2. but: some of the things in there should be explained, for example:
* i have no idea what shell access is and can be used for
* i have absolutely no idea how to "Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests", no idea what that could be.. (yeah, go ahead and hack my site now.. )
* i have no idea how to "Check the "raw logs" for real detail", dunno what "raw logs" are, and what "real detail" I should be looking for!
* how do I "Configure Apache mod_security and mod_rewrite filters to block PHP attacks"? no idea!
* most stuff listed under "PHP" wouldn't know how/what to do..
About 3P extensions: how do I know if I can trust a site? If I click a download link here on the extensions site, and it takes me to another website, is that to be trusted because it's linked here? Or is there a list somewhere?
And all the interesting things listed under "Joomla! Hardening" would be cool to use, except I got no clue how, for ex. "Move configuration files above Web root using symlinks or modified path variables" sounds like something I'd want to do too..
So, it all sounds very interesting for someone who knows how to DO all this stuff, but there's all the details missing for all those who don't..
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
Re: Discussion for: Joomla Administrator's Security Checklist
Well, in reality most of those things go well beyond the scope of a Joomla! article and in that fashion, most of them have several thousands of pages worth of documentation and howtos available elsewhere on the web. It would take quite seriously, a book, to explain all of that stuff in enough detail to make it useable to everyone. However, I am sure that you can find lots of information regarding those suggestions by utilizing your favorite search engine. And if that won't work, there is always the option of hiring a security professional to do it for you. (Also suggested in that checklist).
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- eyezberg
- Joomla! Hero
- Posts: 2859
- Joined: Thu Aug 25, 2005 5:48 pm
- Location: Geneva mostly
Re: Discussion for: Joomla Administrator's Security Checklist
No book needed, just adding links to relevant readings might do it.
As it is now, it's like a TOC but no pages after.
These things might go beyond the scope of this list, but I don't see why more information about some points couldn't be available here (or in Help or Dev), as Security concerns seem to be getting stronger after all those hacks lately. One short intro article per item, explaining what it is/means/does and where to look for more info.
I think it is disappointing to tell users: you should really secure your site by doing all these things, but not telling them how, no?
And what about "trusted sites"?
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Re: Discussion for: Joomla Administrator's Security Checklist
The reason this list exists as a forum post is so we can quickly benefit from our collective knowledge. It is not an official Joomla! document; it is just my best shot at collecting and sharing what I have learned and been told by others.
The best way to improve this list is to contribute to it. If you find important information that should be here, you could PM me or post it to this topic. I watch this topic daily and incorporate suggestions into the list as soon as possible.
I agree that tight summary paragraphs for each item would be a great addition. If anyone has deep knowledge of particular items and would like to write a summary, I'm sure thousands of worried Joomla! administrators would be very grateful.
- eyezberg
- Joomla! Hero
- Posts: 2859
- Joined: Thu Aug 25, 2005 5:48 pm
- Location: Geneva mostly
Re: Discussion for: Joomla Administrator's Security Checklist
Thanks rliskey,
I understand how this list was meant and appreciate you doing this, it's just as you say: reading it leaves you somewhat worried as to what and how to do. And hiring a security expert for a personal site is not really an option..
So I do hope there are some experts willing to contribute a few more details/ links to post with how-tos or other explanations.
thanks
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Re: Discussion for: Joomla Administrator's Security Checklist
eyezberg wrote: And what about "trusted sites"?
A "trusted site" is one that *you* trust. Examples of sites *I* trust include:
http://forge.joomla.org -- Added by popular demand. Didn't mean for this to become an official list!
http://www.joomla.org
http://www.apache.org
http://www.php.net
http://www.mysql.com
http://www.gnu.org
http://www.truthout.org
Your list may vary. There are very few sites hosting third party extensions that I trust. I don't think you should either.
Last edited by rliskey on Wed Aug 09, 2006 8:01 pm, edited 1 time in total.
- eyezberg
- Joomla! Hero
- Posts: 2859
- Joined: Thu Aug 25, 2005 5:48 pm
- Location: Geneva mostly
Re: Discussion for: Joomla Administrator's Security Checklist
What about http://forge.joomla.org ?
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com
- Tonie
- Joomla! Master
- Posts: 16553
- Joined: Thu Aug 18, 2005 7:13 am
Re: Discussion for: Joomla Administrator's Security Checklist
Regarding Forge. All components that are in Rob's list and are still having security issues that are known, have been set to "project member access" only. I am in the process of searching for projects that also distribute an (old) Joomla distribution (and searching for empty projects).
- eyezberg
- Joomla! Hero
- Posts: 2859
- Joined: Thu Aug 25, 2005 5:48 pm
- Location: Geneva mostly
Re: Discussion for: Joomla Administrator's Security Checklist
Thanks Tonie, efforts much appreciated.
Maybe should be announced somewhere so dev's (and downloaders) are aware of that?
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com
- Tonie
- Joomla! Master
- Posts: 16553
- Joined: Thu Aug 18, 2005 7:13 am
Re: Discussion for: Joomla Administrator's Security Checklist
Good idea. I will create a sticky in the Forge forum later on.
I do use the developer contact information in Forge to contact the developer when a security issue has been found. The current Robs list has been done last week. When a new one has been found, a developer can receive two mails, extensions and Forge.