installer and security

Discussion regarding Joomla! 1.5 security issues.
docwilmot
Joomla! Apprentice
Posts: 16
Joined: Tue Jan 03, 2006 10:16 am

installer and security

Post by docwilmot » Wed Jan 02, 2008 10:11 pm

I was asking why Drupal does not have an installer for modules and was advised this was a huge security risk. But Joomla obviously uses installers for components/mambots/themes/modules. In your experience, is this a vulnerability in Joomla then? Have sites been compromised by way of the installer function?

eaton
Joomla! Apprentice
Posts: 16
Joined: Sun May 20, 2007 3:33 pm

Re: installer and security

Post by eaton » Fri Jan 04, 2008 1:14 am

There's always some degree of risk when using a web-based interface to install software on your server rather than retrieving it yourself, taking a look to make sure it's what you want, and installing it yourself. However, one of the major security risks in a traditional "click here to download a plugin and install it" system is that the web app itself becomes capable of overwriting its own code.

Joomla! has a built-in FTP API that (if I understand correctly) avoids some of these security issues by using a secondary application on the server to do the actual downloading and installation. Some of the Joomla! gurus can probably shed more light on it, or correct me where I'm wrong.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: installer and security

Post by RussW » Sat Jan 05, 2008 3:25 pm

As far as I am aware, I have not heard of the installer being vulnerable; most exploits and compromises come from poor permissions settings, vulnerable extensions themselves and loose PHP settings.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
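
A defender-side check for the two points raised in this thread (a web app that can overwrite its own code, and poor permission settings), as an added example that is not part of any post above and is not Joomla! code. The function names, the sample paths and the modes are hypothetical and constructed for illustration; the web server's uid and gids are assumed to be supplied by whoever runs the audit.

```python
import os
import stat
import tempfile

def audit_webroot(root, web_uid=None, web_gids=()):
    """Return sorted (relative_path, reason) pairs for directories and .php
    files that a process running as the web server could modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # report real files and directories only
            if not stat.S_ISDIR(st.st_mode) and not name.endswith(".php"):
                continue  # only executable code and the directories holding it
            if st.st_mode & stat.S_IWOTH:
                reason = "world-writable"
            elif st.st_uid == web_uid and st.st_mode & stat.S_IWUSR:
                reason = "owned and writable by web server user"
            elif st.st_gid in web_gids and st.st_mode & stat.S_IWGRP:
                reason = "writable by web server group"
            else:
                continue
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

def demo(web_uid=None):
    """Audit a constructed sample tree (paths and modes are made up)."""
    layout = {
        "index.php": 0o644,
        "components/example/example.php": 0o666,
        "components/example/readme.txt": 0o666,
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "components", "example"))
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "components"), 0o777)
        os.chmod(os.path.join(root, "components", "example"), 0o755)
        return audit_webroot(root, web_uid=web_uid)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

A writable directory is reported even when the files in it are read-only, because write access to the directory is enough to replace or add code files there.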

