Security concepts?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

quo
Joomla! Apprentice
Posts: 17
Joined: Wed Aug 01, 2007 11:10 am

Security concepts?

Post by quo » Thu Aug 16, 2007 10:55 am

Hello J! team,

I have a question: where can I find information about security concepts for Joomla 1.5? I am interested in secure software for my sites, and I need some background information before I start to review Joomla source code security aspects and consider moving my sites to the Joomla engine.

Thank you!

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: Security concepts?

Post by RobS » Sun Aug 19, 2007 8:26 pm

Unfortunately, the information you are probably looking for has not been put together in any sort of real documentation yet.  It is mostly scattered across the forums, mailing list, and people's heads.  If you could be a bit more specific with what you are looking for, we might be able to direct you to some sources.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

quo
Joomla! Apprentice
Posts: 17
Joined: Wed Aug 01, 2007 11:10 am

Re: Security concepts?

Post by quo » Tue Aug 21, 2007 3:50 pm

Hi,

Thank you for your reply. What I mean is:

How does Joomla 1.5 consistently...
... prevent SQL injections?
... prevent PHP injections?
... prevent XSS injections?
... limit access to the data objects (such as access policies "group/user X can read/write data Y")?
... secure itself against session hijacking?
... validate posted files?

Please don't consider this thread a "Please tell me how to crack Joomla" request; I just want to analyze it in order to find possible leaks and to propose solutions. If I (or someone who reads this thread) were some kind of cracker, then he/she could do that by simple line-by-line or function-by-function code analysis. I also understand that security leaks can occur due to technical errors in security concept implementation. And they will always (and much more frequently) occur if no such concept(s) exist. Security concepts, or rules, are also very useful for 3rd party developers.

P.S. There is no 100% secure software ;)

ozmo
Joomla! Apprentice
Posts: 15
Joined: Thu Mar 15, 2007 4:41 pm

Re: Security concepts?

Post by ozmo » Mon Aug 27, 2007 1:39 pm

quo wrote: Hi,

Thank you for your reply. What I mean is:

How does Joomla 1.5 consistently...
... prevent SQL injections?
... prevent PHP injections?
... prevent XSS injections?
... limit access to the data objects (such as access policies "group/user X can read/write data Y")?
... secure itself against session hijacking?
... validate posted files?
I would also like to know about the above-mentioned preventions. Anyone?

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: Security concepts?

Post by RobS » Tue Aug 28, 2007 9:08 am

quo wrote: How does Joomla 1.5 consistently...
... prevent SQL injections?
... prevent PHP injections?
... prevent XSS injections?
... limit access to the data objects (such as access policies "group/user X can read/write data Y")?
... secure itself against session hijacking?
... validate posted files?
Most of those problems go back to a lack of proper input filtering. Joomla! 1.0.x had very, very poor input filtering considering the state of the technology. For Joomla! 1.5, we have built in a very nice input filter and created a small catalog of known input types to make filtering data for erroneous input quite easy and fast. Most of the time the input filter is utilized via JRequest::get*(), which gets a request variable from the request super-globals and passes it through the input filter to sanitize it. For basic inputs it works extremely well, and for more advanced inputs it works decently but could stand some improvement.

To deal with SQL injections, we conducted a full audit of all SQL queries in order to weed out any potential injections, and so far the results of that audit have been pretty good. XSS is something that we still struggle with from time to time, and it is partially because we are not as strict on output filtering as we should be. This is something I have been thinking about lately and something I would like to address further in 1.5.x and on. Generally speaking though, the XSS injections that we have dealt with in the past were often due to the lack of input filtering to begin with. We have gone to great lengths to fix the input filtering problem, and the next step is to go the same distance to add the second layer of protection against XSS attacks.

To prevent things like Remote File Inclusion vulnerabilities, we have eradicated the path variables that were so heavily relied on in Joomla! 1.0.x. In Joomla! 1.5 we use path constants instead, so they cannot be manipulated by external influences. Also, instead of having paths configured, most of the paths are derived from the location of the index.php script to make file inclusions much more secure and reliable.

Data access is something that is still not very advanced in Joomla! either because we do not use a data abstraction system other than our database class and the database class has no concept of privileges or ACL.  To do things like that we have to rely on other parts of the system to enforce who can do what and it is definitely in need of serious improvements.  We felt that it couldn't be tackled now because it would create serious backwards-compatibility problems and one of the major goals of 1.5 was to make it as backwards-compatible as we could.

In Joomla! 1.5 the default session handler is the database, so it is not possible to create new session files on the file-system to inject sessions into a Joomla! installation. I would have to check, but I believe that we do not use a permissive session ID system anymore either. That means that the session ID must be generated by the system and that you cannot just pass in an arbitrary session ID for a new session.

Whew... as for posted files... it does a better job of validating file names now than it did in Joomla! 1.0, but other than that there have been no vast improvements in this area. At least, we don't try to parse files to figure out their MIME type or anything like that.

I hope that gives you a bit of insight into J! 1.5... I realize it is brief but those are really open ended questions.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
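
The layers described in the post above (typed input filtering, an include path built from a constant derived from the script's location, and escaping on output) sketched as an added example that is not part of the thread and is not Joomla! code. `EXAMPLE_BASE`, `filter_input_type()`, `request_get()`, `out()` and the sample request are hypothetical names and values constructed for illustration.

```php
<?php
// Added example, not Joomla! code; all names and sample values are hypothetical.

// Base path is a constant derived from this script's location, so no request
// parameter or global variable can redirect an include elsewhere.
define('EXAMPLE_BASE', dirname(__FILE__));

// Small catalog of known input types: each maps to one strict cleaning rule.
function filter_input_type($value, $type)
{
    if (!is_scalar($value)) { $value = ''; } // arrays/objects are never valid here
    switch ($type) {
        case 'int':  // optional sign plus digits only, anything else becomes 0
            return preg_match('/^-?\d+$/', (string) $value) ? (int) $value : 0;
        case 'word': // letters and underscore only
            return preg_replace('/[^A-Za-z_]/', '', (string) $value);
        case 'cmd':  // letters, digits, dot, dash, underscore; no leading dot
            return ltrim(preg_replace('/[^A-Za-z0-9._-]/', '', (string) $value), '.');
        default:     // unknown type: fail closed
            return '';
    }
}

// Fetch a request variable through the filter, never from the raw array.
function request_get(array $request, $name, $type, $default = '')
{
    return isset($request[$name]) ? filter_input_type($request[$name], $type) : $default;
}

// Second layer: escape on output, even for values that passed the input filter.
function out($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request mixing path, SQL and markup fragments.
$request = array(
    'view'  => '../../etc/passwd',
    'id'    => '42 OR 1=1',
    'title' => '<script>alert(1)</script>',
);

$view = request_get($request, 'view', 'word', 'default'); // path characters stripped
$id   = request_get($request, 'id', 'int', 0);            // non-integer rejected
$path = EXAMPLE_BASE . '/views/' . $view . '.php';        // always under the base
echo out($path), "\n", $id, "\n", out($request['title']), "\n";
```

The `int` rule here rejects mixed input outright, which is a stricter choice made for this sketch; the free-text `title` value is the case where only the output-escaping layer applies.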

