Joomla! 1.0.11 Security Configuration Instructions

Joomla version 1.0 is end-of-life and is no longer supported. Please use Joomla 3.x instead.

AmyStephen

Joomla! 1.0.11 Security Configuration Instructions

Post by AmyStephen » Tue Aug 29, 2006 10:55 pm

There are a number of security tasks that you must do to your website configuration to help reduce vulnerabilities. Hopefully, this will get you started -- or at least pointed in the right direction where to ask questions -- related to security and v 1.0.11. Things are getting much, much more secure due to the hard work of many people here. Their guidelines are very good even if it seems a bit complicated at first.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #1: Recommended PHP.INI settings
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The developers recommend you edit the php.ini file located in the php directory and make certain these parameters are set (as pictured below).
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 1
safe_mode = 1
open_basedir = /dir/to/include/change_me/
Note, exceptions from Beat:

allow_url_fopen = 0  => true that it increases security, but it will break a few components (like "URL Links" backend function in Docman)

safe_mode = 1 => it's another line of defense on shared hosts, but might not allow Joomla! components, modules, extension installer to work depending on other safe_mode settings. Joomla 1.5 fixes that.
Function exec is sometimes (rarely) needed for some libraries (like ImageMagick).

If your host maintains this information, see if they will make changes.

If your host will not make these changes, please read this post "Secure it with php.ini" where it instructs you how to make your own php.ini files for each of your subdirectories in order to override the server settings.

NOTE: Beat lists SEVEN logical steps to getting your PHP settings changed that can help you think through your options if your web host will not make changes

For MUCH more GREAT information, please see the Joomla! Security Administrator's Checklist, starting with the PHP section:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #2: Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
After the installation, the developers recommend you edit the globals.php file located in the root directory of your website for increased security.

Locate this parameter (as pictured next):
define( 'RG_EMULATION', 1 );
Change the 1 (as pictured above) to 0 (as pictured below):
define( 'RG_EMULATION', 0 );
WARNING: Some extensions will not work with this variable off.

In testing, the developers identified several and notified third party developers. Some fixes are already available. Review and report such extensions, and find upgrades, here. Questions about this setting should also be asked in that thread.

You can leave the globals.php file without changes knowing you are choosing a diminished safety level.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #3: New htaccess file 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
After the installation, the developers highly recommend you use the blocking rules that are now part of the default .htaccess file delivered with 1.0.11. Those using an older htaccess file are strongly encouraged to add this to their file. See for more information or to ask .htaccess related questions. (If you are getting access denied messages to your website, it is very likely related to the htaccess file, post requests for help in this previous thread.)



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #4: Please take time to consider the Joomla! Security Administrator's Checklist:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The Joomla! Security Administrator's Checklist is available. Rliskey maintains the previously linked-to list, so, check back to that link frequently for updates. It is an EXCELLENT resource and he has made it EASY for us to learn how to secure our sites. Please spend time with this information. There is a link in that topic for you to use for questions or comments. Many people who are very knowledgeable in security issues watch that thread closely!


As you read through this information, it really starts to make sense. No worries, though, there are many who will help! It is worth our time to learn and there are many who will help us with questions. Thanks to all of you who have figured out this information for the Joomla! end user community.
Last edited by AmyStephen on Wed Aug 30, 2006 6:48 am, edited 1 time in total.
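As an added example that is not part of AmyStephen's post or of Joomla! itself, a throw-away PHP check script (assumed name check_settings.php, placed in the Joomla! root, run once in the browser or with the php CLI, then deleted) that reports which of the recommended php.ini values from Message #1 and the RG_EMULATION define from Message #2 are not in place:

```php
<?php
// Added example, not code from the post or from Joomla!. Compares the live PHP
// configuration with the values recommended above and reads RG_EMULATION from
// globals.php. Delete this file once you have read the output.

// Recommended values as listed in Installation Message #1.
$wanted = array(
    'register_globals' => '0',
    'allow_url_fopen'  => '0',
    'magic_quotes_gpc' => '1',
    'safe_mode'        => '1',
);
$wantedDisabled = array('show_source', 'system', 'shell_exec', 'passthru',
                        'exec', 'phpinfo', 'popen', 'proc_open');

// ini_get() returns "" or "0" for off and "1"/"On" for on; normalise to "0"/"1".
// On PHP 5.4+ register_globals, safe_mode and magic_quotes_gpc no longer exist
// (ini_get() returns false), so those three lines can be ignored there.
function flag($name) {
    $v = strtolower((string) ini_get($name));
    return ($v === '1' || $v === 'on' || $v === 'true') ? '1' : '0';
}

foreach ($wanted as $name => $expected) {
    $actual = flag($name);
    printf("%-18s actual=%s recommended=%s %s\n", $name, $actual, $expected,
           $actual === $expected ? 'OK' : 'CHECK');
}

$basedir = (string) ini_get('open_basedir');
printf("%-18s %s\n", 'open_basedir',
       $basedir === '' ? 'not set (CHECK)' : $basedir . ' OK');

// disable_functions is a comma-separated list; report any recommended entry missing.
$disabled = array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions'))));
$missing = array_diff($wantedDisabled, $disabled);
printf("%-18s %s\n", 'disable_functions',
       $missing ? 'still enabled: ' . implode(', ', $missing) : 'OK');

// Read the define() from globals.php as text rather than including it, so
// nothing from the site is executed by this check.
$src = @file_get_contents(dirname(__FILE__) . '/globals.php');
if ($src !== false && preg_match("/define\(\s*'RG_EMULATION'\s*,\s*(\d)\s*\)/", $src, $m)) {
    printf("%-18s %s %s\n", 'RG_EMULATION', $m[1],
           $m[1] === '0' ? 'OK' : 'CHECK (post recommends 0)');
} else {
    echo "RG_EMULATION       globals.php not found or define() not recognised\n";
}
```

A line marked CHECK on a shared host is the case the post's "Secure it with php.ini" link addresses: a per-directory php.ini (or a host change request) rather than editing the server-wide file.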

AmyStephen

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by AmyStephen » Wed Aug 30, 2006 6:48 am

Can this be stickied, please, during the next couple of weeks for the upgrade.  :)

AmyStephen

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by AmyStephen » Wed Aug 30, 2006 11:47 pm

Self stickied while I am helping people.

Mode Note: Making sticky for now. Amy you might want to submit to faqs forum
Last edited by dhuelsmann on Thu Aug 31, 2006 1:58 am, edited 1 time in total.

AmyStephen

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by AmyStephen » Thu Aug 31, 2006 2:01 am

Thanks so much, Dave! I think I will turn it over to Rlisky, Beat and Rob when we get through this. Beat has some good stuff -- it's referenced here. Beat is talking about a security section for the Help area. Anyway, thanks much! Amy

bzmorrow
Joomla! Apprentice
Posts: 24
Joined: Wed Sep 21, 2005 2:36 am

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by bzmorrow » Thu Aug 31, 2006 6:55 am

I have yet to find a php folder or a php.ini file? I searched locally and on my server. Including the full 1.0.11 package.

Am I missing something?

besides the php folder, or is this a host thing?

bz
Last edited by bzmorrow on Thu Aug 31, 2006 4:02 pm, edited 1 time in total.

AmyStephen

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by AmyStephen » Thu Aug 31, 2006 8:59 am

Yes, sorry - that is on your host!

usk
Joomla! Intern
Posts: 73
Joined: Wed Feb 15, 2006 11:53 am
Contact:

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by usk » Thu Aug 31, 2006 10:46 am

disable_functions = phpinfo

that also means that you can't see Php info in the system info in Joomla backend?

joomlaturk
Joomla! Explorer
Posts: 469
Joined: Thu Aug 18, 2005 10:40 pm
Location: las vegas USA
Contact:

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by joomlaturk » Fri Sep 01, 2006 4:53 am

bzmorrow wrote: I have yet to find a php folder or a php.ini file? I searched locally and on my server. Including the full 1.0.11 package.

Am I missing something?

besides the php folder, or is this a host thing?

bz
shared hosting accounts do not have a php.ini file in their folder.
you need to ask your hosting provider
but he is utilizing this file for the whole server and will not change it the way you want it.
Joomla 1.6 Turkish support site http://www.joomlaturk.net/

AmyStephen

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by AmyStephen » Fri Sep 01, 2006 5:07 am

MamboTurk is likely correct that your web host will not be able to change shared PHP settings for *you*. And, if you find that to be the case, simply continue in the Step 1 area, above, to find alternatives specifically for your website. Pay close attention to Beat's "seven logical steps" to figuring out the best alternative.

Thanks, MamboTurk! Amy :)

babel
Joomla! Fledgling
Posts: 1
Joined: Sun Aug 13, 2006 6:07 pm

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by babel » Sat Sep 02, 2006 8:16 pm

AmyStephen

i'm still in awe of all your valuable posts -- just a sincere thank you for your hard work :)

just a note, i was one of the fortunate ones -- my webhosting provider did change the global settings for me

so it may be possible depending on your host

AmyStephen thanks once again, for this post, all your posts and especially your post regarding tutorials, very informative, and bookmarked..

babel

THE_AI
Joomla! Explorer
Posts: 252
Joined: Sat Jun 03, 2006 4:33 pm
Contact:

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by THE_AI » Sun Sep 03, 2006 8:16 am

AmyStephen thank you for the nice tutorial!

I have a question: What should we do when the provider doesn't want to change register globals to 0, and we don't have any possibility to set register globals to off for our account?

I suppose it is not possible to install Joomla 1.0.11 or?

kmcgee
Joomla! Fledgling
Posts: 1
Joined: Mon Sep 04, 2006 3:35 am

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by kmcgee » Mon Sep 04, 2006 3:56 am

"Installation Message #1: Recommended PHP.INI settings
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The developers recommend you edit the php.ini file located in the php directory and make certain these parameters are set"

Do I understand correctly that I must do Installation Message #1 before copying the 1.0.11 files over 1.0.8 files? And then do what is recommended in Installation Messages #2 and #3 after? Or does it not matter?

To recap, I must change #1, then overwrite my files, then do #2 and #3 and the upgrade will be complete?

Fixxx
Joomla! Fledgling
Posts: 4
Joined: Mon Sep 04, 2006 12:02 pm

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by Fixxx » Mon Sep 04, 2006 12:25 pm

Hi, help me please....
I can't log in to the admin backend after upgrading from 1.0.10 to 1.0.11. The login and password are OK, but I see the notification "You need to login" after sending the login form. On the frontend the login is successful.
Thanks

tunilove
Joomla! Apprentice
Posts: 21
Joined: Sun Aug 13, 2006 9:09 am

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by tunilove » Sun Sep 10, 2006 1:01 pm

I upgraded to 1.0.11 with success, all works fine, but I see this message in the global configuration. Can anyone help?

Your version of Joomla! [ 1.0.11 Stable ] is
14 days old
Click to check ???????

AmyStephen

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by AmyStephen » Sun Sep 10, 2006 4:46 pm

Yikes! I have been offline for a week, I am sooooo sorry, guys. Thanks for the kind words, too, although it makes me feel even worse for leaving you all hanging!

@Tunilove - that is an acceptable message. It is a new feature just to remind us that we need to keep checking on new versions. Maybe the wording can be improved a bit so it doesn't alarm people. (It is so hard to communicate!)

@Fixxx - Did you check to see if any of your extensions are listed .

@kmcgee - Good question. Upgrade, then go through the installation steps. Since it is now a WHOLE WEEK later, I hope you have figured that out. SORRY!

@THE_AI - The article covers that possibility. Hopefully, you have read it, again, (blah - very difficult reading!) and found the following that will help you exhaust seven ways to get this done. However, Joomla! 1.0.11 CAN run without this setting. Just make DOUBLY sure you have good backup and restore ability. (And make sure of that anyway!)
NOTE: Beat lists SEVEN logical steps to getting your PHP settings changed that can help you think through your options if your web host will not make changes

@babel - Mom? Is that you? lol ... Babel - you can't imagine how that helped me. Thanks so much! I never get tired of kindness.

+++

Now ALL of you, if you are not getting answers to your questions after waiting a day, feel free to email me. (I could be busy and not answer awhile, but I will try to get in touch.) There are THOUSANDS of questions posted every day and people unfortunately get lost in the shuffle. We don't want that to happen!

Thanks guys! again, sorry for the delay. Hopefully, most or all of you have moved on! Amy :)

tunilove
Joomla! Apprentice
Posts: 21
Joined: Sun Aug 13, 2006 9:09 am

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by tunilove » Mon Sep 11, 2006 4:32 pm

Welcome back AmyS. OK, thank you for your reply. Well, I imagine changing this message to say:

  your version of Joomla is XXXX stable ..... 14 days since last update .... Click to check if a new update is available

  for example, like this it can be understood

lucraft
Joomla! Apprentice
Posts: 19
Joined: Mon Apr 10, 2006 4:49 pm
Location: UK

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by lucraft » Sat Sep 16, 2006 5:43 pm

Why not do what phpBB does.

Check the version number. If it's current then:

Your installation is up to date

if it's not current then

Your installation is out of date. Please upgrade.
I just knew I shouldn't have changed that.......

madness.productions
Joomla! Apprentice
Posts: 39
Joined: Thu Jul 13, 2006 5:19 am

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by madness.productions » Sun Sep 17, 2006 2:06 am

What are the risks if I don't follow security notices 1 and 2?
The globals and the php.ini ones.  ???

gjacob3412
Joomla! Enthusiast
Posts: 185
Joined: Sun Jul 02, 2006 2:02 pm
Location: Central Kentucky, USA

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by gjacob3412 » Wed Sep 20, 2006 2:33 am

Email issue with Upgrade:

Since completing the upgrade, the Contact Us does not work.  I just looked at the confi.php file, and it is set correctly.  In ADMIN under MAIL it is set correctly.  Looking at the email rejection this is what you get:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  email@email.com


Updated - Disregard my question...  It's amazing what a few hours of being away from the computer, and a little sleep will do to a person.  While poking around the backend, adding a user manually,.. it dawned on me to look at the CONTACT information.

I am guessing that on upgrading, the contact info was defaulted.  I updated it, and corrected my issue.
Last edited by gjacob3412 on Wed Sep 20, 2006 1:25 pm, edited 1 time in total.

liangyuyang
Joomla! Fledgling
Posts: 1
Joined: Sun Oct 15, 2006 2:17 pm

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by liangyuyang » Sun Oct 15, 2006 2:22 pm

hao!

BTW, in the backend, I can not find the image of the big banner. How do I change it to my own picture?

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: Joomla! 1.0.11 Security Configuration Instructions

Post by Tonie » Sun Oct 15, 2006 2:29 pm

This needs to be done in the index.php or css file of your template in /templates//

