Raising The Bar On Security

This board is for discussions about joomla.org blog posts.
deleted user

Raising The Bar On Security

Post by deleted user » Wed Jan 29, 2014 5:24 pm

Please use this thread to discuss the blog post "Raising The Bar On Security" (http://community.joomla.org/blogs/leade ... urity.html).

User avatar
alikon
Joomla! Champion
Joomla! Champion
Posts: 5941
Joined: Fri Aug 19, 2005 10:46 am
Location: Roma
Contact:

Re: Raising The Bar On Security

Post by alikon » Wed Jan 29, 2014 6:47 pm

can you share estimates of how many hosting company are affected
discovering the astonishing number of major hosts that have servers that are running significantly outdated software
:(
Nicola Galgano
i know that i don't know
www.alikonweb.it

Torettox84
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 101
Joined: Thu May 07, 2009 7:48 am
Location: Belgium
Contact:

Re: Raising The Bar On Security

Post by Torettox84 » Wed Jan 29, 2014 9:18 pm

@alikon I wouldn't exactly worry about the well being of hosters that can't keep their server stack up to date. If they can't update PHP 5.3 to the latest version that might not be the only department they are lacking in. Run, clients, run!

deleted user

Re: Raising The Bar On Security

Post by deleted user » Wed Jan 29, 2014 11:34 pm

@alikon - This can give some insight into the distribution of PHP 5 releases powering websites right now - http://w3techs.com/technologies/details/pl-php/5/all

Navigating down the report, you can see how much of that is PHP 5.3 based, then each release of 5.3. You can then see the numbers and estimate for yourself based on how many websites are powered by a release of PHP that will not be supported in Joomla 3.3.

mrjamie
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Sun Oct 23, 2011 9:57 pm

Re: Raising The Bar On Security

Post by mrjamie » Thu Jan 30, 2014 11:39 am

First of all I wanted to say that I fully support any efforts to increase security in Joomla and increasing the minimum requirement for PHP is a good idea. However, I think there is one problem that will be encountered:

Centos 6.5, the current stable release of Centos ships with PHP 5.3.3.
Jamie Derrick - http://jderrick.co.uk
Joomla consultant and developer

User avatar
jk1
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 213
Joined: Thu Sep 21, 2006 8:53 pm

Re: Raising The Bar On Security

Post by jk1 » Thu Jan 30, 2014 1:34 pm

I assume here in Germany quite a lot of hosters/website owners will be affected, because many of them still rely on the control panel Confixx, which was orginally developed by a german company and later bought by Parallels (Plesk), but unfortunately Parallels stopped the development of Confixx. The last official version does not support php 5.3 or 5.4 but many of these hosters applied unofficial patches to make it work with certain php 5.3 versions.

My webhoster, who provides an outstanding service for little money, is (afaik) currently using the latest Debian 6 package released in Fall 2013, which to the best of my knowledge comes with php 5.3.7 bundled. (That's the version my Joomla system information shows)
Last edited by jk1 on Thu Jan 30, 2014 2:41 pm, edited 1 time in total.

User avatar
DaveOzric
Joomla! Ace
Joomla! Ace
Posts: 1591
Joined: Sat May 22, 2010 10:29 pm
Contact:

Re: Raising The Bar On Security

Post by DaveOzric » Thu Jan 30, 2014 2:18 pm

Thanks for pointing this out. I use a installer in cpanel and would not of known this.

I would assume that PHP 5.4 is fine?

Also I thought J 3.5 was coming out in March?

deleted user

Re: Raising The Bar On Security

Post by deleted user » Thu Jan 30, 2014 10:22 pm

Support for PHP 5.4 or 5.5 isn't affected by this change; only the minimum version of PHP 5.3 we will support starting with the 3.3 release.

It was slipped into the holiday break post in December that we would be releasing a 3.3 which changes the timeline for future releases. We plan at least one additional post outlining a bit more about what we plan to accomplish with 3.3 in the next 2 weeks.

jamolina
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Sat Feb 01, 2014 8:48 pm

Re: Raising The Bar On Security

Post by jamolina » Sat Feb 01, 2014 8:51 pm

Since you are going to make a change in this direction could also change the version to the latest Bootstrap: Bootstrap3.
Thanks,
Best regards,
Jose A.

User avatar
klipper
Joomla! Apprentice
Joomla! Apprentice
Posts: 44
Joined: Tue Nov 22, 2005 10:03 pm
Location: Netherlands

Re: Raising The Bar On Security

Post by klipper » Wed Feb 05, 2014 1:35 am

I fully agree with raising minimum php requirement to php 5.3.10. It will help making our Joomla websites much more secure.

For hosting companies: hosting is dynamic business, not static. This means you should keep your hosting software up to date! Just as website-owners are expected to keep their Joomla versions and extensions up to date.

Image

VinceMD
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Feb 07, 2014 12:00 pm
Contact:

Re: Raising The Bar On Security

Post by VinceMD » Fri Feb 07, 2014 12:09 pm

How are you ensuring that your system doesn't stop installations on Debian based hostings?

We as one of the biggest dutch webhosters already got some questions from customers since we believe your check doesn't account for the way Debian works with patches (Upstream updates).

For instance, I can see a check immediately in the index.php

Code: Select all

if (version_compare(PHP_VERSION, '5.3.1', '<'))
{
	die('Your host needs to use PHP 5.3.1 or higher to run this version of Joomla!');
}
Our version currently is 5.3.3-7+squeeze18 as reported by phpinfo which includes the 5.3.10 patch.
So how are you ensuring that this check also works with Debian based PHP installations?

We're quite afraid that although we actually run 5.3.10 your system would cause installation issues for our users.

(The above check is an example of how your system checks the version. The actual check that currently shows the message about Joomla 3.3 may be a different one but I believe it works the same).

ohman
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Feb 07, 2014 5:58 pm

Re: Raising The Bar On Security

Post by ohman » Fri Feb 07, 2014 6:08 pm

Agreeing with the CentOS poster, another problematic OS is RHEL 6 (and Scientific Linux). We have the very latest patches on the very latest RHEL OS, and, in October we will not be able to upgrade to Joomla 3.3 and will not receive security patches for the 3.2.x releases. There is no alternative for RHEL/CentOS/Scientific Linux users. These are enterprise OSes and should be supported by Joomla. I strongly suggest the Leadership team revise their policy of not "writing conditional tests and using software appropriate to the PHP features found" in this case.

This is a serious problem.

deleted user

Re: Raising The Bar On Security

Post by deleted user » Fri Feb 07, 2014 11:21 pm

We attempted to account for hosts running versions of PHP which report as <5.3.10 and that resulted in the major issues that were in the 3.2.0 release. Those systems which are reporting older PHP versions but have patched in fixes and features from newer releases cause problems because they are not the true PHP version they are reporting.

User avatar
jk1
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 213
Joined: Thu Sep 21, 2006 8:53 pm

Re: Raising The Bar On Security

Post by jk1 » Sat Mar 01, 2014 2:40 pm

Might be a stupid question (because I'm not a coder), but I'm curious if this library on Github could be used to lower the PHP requirement to 5.3.7 instead of 5.3.10:
https://github.com/ircmaxell/password_compat

deleted user

Re: Raising The Bar On Security

Post by deleted user » Sat Mar 01, 2014 3:30 pm

We are using that library actually. We chose to set 5.3.10 as our minimum due to higher level security vulnerabilities that existed before that version of PHP.

alexanderk
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Mar 18, 2014 10:08 am

Re: Raising The Bar On Security

Post by alexanderk » Tue Mar 18, 2014 10:30 am

I have to agree with the former posters. This decision is pretty stupid for every distro with backported patches. The only options for hosters who would like to run newer versions of Joomla is:

1) Build their own RPMs
2) Use Red Hat Software Collections [1]
2) Use unofficial repo channels like IUS, remi etc.

You should take in account that there might be websites that does NOT support PHP 5.4 on a server with a lot of clients. How do you keep both happy?

Running an enterprise distro with PHP 5.3.3 is perfectly fine with the password_compat library. You shouldn't force through newer versions, because you lack knowledge about frozen versions/don't care about the amount of headache this will cause in situations you might not have in mind when it was decided.

While I -do- support less vulnerable servers (either PHP or Joomla related), it's not your job to make PHP or hosts more secure, by screwing over those that is. If this was the case you might as well just stop supporting PHP 5.3 as it's basicly EOL...

References
1: https://www.redhat.com/about/news/press ... -databases

oarodlie
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Mar 20, 2014 3:45 pm

Re: Raising The Bar On Security

Post by oarodlie » Thu Mar 20, 2014 4:19 pm

Better security is good, but removing support for the most used distros (RHEL/CentOS/Debian) is a big no no.

You will end up with a worse senario if you don't allow PHP versions shipped with RHEL/CentOS/Debian. Either people will not use Joomla 3.3+ because their host don't support it (over 50%), or they wil use old vulnerable versions (<3.2.x). Both just as bad...

meli3
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri May 02, 2014 2:25 pm

Re: Raising The Bar On Security

Post by meli3 » Fri May 02, 2014 3:21 pm

Hello mbabker,

It's definitely a great idea to set php version requirements to ensure a minimum of security patches have been applied, but...

Why can't Joomla do a more complex version check?

for example look for ANY of the following:

1 php 5.3.10+
2 Redhat backported php 5.3.3-5
3 Centos 6 backported php 5.3.3-7
3 Debian version...

A LOT of sites are on RHEL/CentOS/Debian and are fully up to date with security patches, but due to 'backporting' the version number is 'frozen' and will never pass your new test as it is currently written. It's not accurate to say that those versions of PHP are any less secure than 5.3.10.

Joomla! should also support those popular OS platforms. I know you don't want to encourage people to start custom compiling PHP because then it is unlikely that most of them will be properly maintained. This is why we use repositories; this is why there is backporting.

This problem can be simply solved by updating your minimum version criteria to account for backporting and thereby encompass these mainstream platforms.

Thanks for your consideration.

Greg_E
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Tue May 06, 2014 3:10 pm

Re: Raising The Bar On Security

Post by Greg_E » Tue May 06, 2014 3:16 pm

Found this thread through a google seach. As a new user to both CentOS 6.5 and Joomla! all I can say is this new requirement for the higher PHP version is tripping me up. I know the recommendations from the CentOS developers is to never update a package outside of the the stable release channel, and this is because all security fixes get back ported by people who know what they are doing to keep all the rest of us secure with a long term operating system. Living on the edge is fine for development operating systems like Fedora, but you need to drop back to a stable long term version on servers that will be around longer than 6 months at a time.

Just my two cents, wish I had the knowledge to suggest a better way of doing things, but I don't.

[edit] What a fully patched CentOS 6.5 system looks like, can't get rid of the Jommla! 3.3 upgrade notice
joomla_admin.png
You do not have the required permissions to view the files attached to this post.

deleted user

Re: Raising The Bar On Security

Post by deleted user » Tue May 06, 2014 6:53 pm

meli3 wrote:Hello mbabker,

It's definitely a great idea to set php version requirements to ensure a minimum of security patches have been applied, but...

Why can't Joomla do a more complex version check?

for example look for ANY of the following:

1 php 5.3.10+
2 Redhat backported php 5.3.3-5
3 Centos 6 backported php 5.3.3-7
3 Debian version...

A LOT of sites are on RHEL/CentOS/Debian and are fully up to date with security patches, but due to 'backporting' the version number is 'frozen' and will never pass your new test as it is currently written. It's not accurate to say that those versions of PHP are any less secure than 5.3.10.

Joomla! should also support those popular OS platforms. I know you don't want to encourage people to start custom compiling PHP because then it is unlikely that most of them will be properly maintained. This is why we use repositories; this is why there is backporting.

This problem can be simply solved by updating your minimum version criteria to account for backporting and thereby encompass these mainstream platforms.

Thanks for your consideration.
We tried with 3.2.0 and it failed massively. The only workable solution we could come up with was drawing the line at 5.3.7 minimum. We elected to raise to 5.3.10 because of a major security issue fixed between 5.3.7 and 5.3.10.

partitura
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 27, 2009 2:02 pm

Re: Raising The Bar On Security

Post by partitura » Wed May 07, 2014 8:39 am

In my case, I have a lot of clients using websites with Joomla 1.5 and 2.5 and they don't want to pay for an upgrade of their websites to Joomla 3 because the websites are working perfectly, the server is secured and never had problems.
For some of them, I tested a new server with php 5.3.7 and that caused problems, so upgrading the entire server to php 5.3.10 or higher will cause me problems.
At this moment I manage multiple hosting accounts on different companies, the support is very good but the php version is 5.2-5.3, less than 5.3.10.
As most of the hosting companies does not offer 5.3.10 or higher, I will look for the Wordpress CMS for the future websites. You should consider that a big disappointment for one Joomla user with multiple websites. The decision is yours but the graphics shows worse for Joomla 3 as far as I can see.

User avatar
gray_penguin
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Mon Aug 06, 2007 6:38 pm

Re: Raising The Bar On Security

Post by gray_penguin » Wed May 07, 2014 3:43 pm

Well, I have been a Joomla User since the Mambo days (11 years). This PHP "Security" requirement is a deal breaker for me. I run CentOS on all my servers. I will not be forced to custom build packages and make my servers less secure just because Joomla can not figure out that 5.3.3-27.el6_5 is basically the same as 5.3.10.

I guess I will have to try to find an alternative. Maybe PyroCMS....

deleted user

Re: Raising The Bar On Security

Post by deleted user » Wed May 07, 2014 4:00 pm

If anyone is aware of a highly reliable method in which these modified PHP 5.3.3 builds could be checked for compliance, we would be open to seeing if we could make them work. As I mentioned before, we have tried a check which used a combination of version number or features, specifically around the bcrypt changes in 5.3.7, and could not come up with a working solution.

User avatar
jk1
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 213
Joined: Thu Sep 21, 2006 8:53 pm

Re: Raising The Bar On Security

Post by jk1 » Wed May 07, 2014 4:21 pm

I suppose for CentOS users, two possible solutions are these:
http://webtatic.com/packages/php54/
http://rpms.famillecollet.com/enterprise/6/

merced
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu May 08, 2014 2:02 pm

Re: Raising The Bar On Security

Post by merced » Thu May 08, 2014 3:20 pm

According to CVE Details, PHP 5.3.3, the version that is included in RHEL 5 (as php53) and RHEL 6 (as php) and the associated clones (CentOS, Scientific Linux, etc.) should have 61 vulnerabilities if unpatched. Since Red Hat backports patches, the version number doesn't tell the whole story when it comes to the security of the package.

What follows is a list of all 61 CVE vulnerabilities for PHP 5.3.3 and the associated information about that from Red Hat.
  1. CVE-2014-2497 Low Impact; Possible Future Fix
  2. CVE-2013-6420 Patch backported
  3. CVE-2013-4635 Not Vulnerable
  4. CVE-2013-4248 Patch backported
  5. CVE-2013-4113 Patch backported
  6. CVE-2013-2110 Not Vulnerable
  7. CVE-2013-1824 Not Vulnerable
  8. CVE-2013-1643 Patch backported
  9. CVE-2013-1635 Not a security issue
  10. CVE-2012-3450 Not a security issue
  11. CVE-2012-3365 Not a security issue
  12. CVE-2012-2688 Patch backported
  13. CVE-2012-2386 Patch backported
  14. CVE-2012-2376 Not Vulnerable
  15. CVE-2012-2336 Patch backported
  16. CVE-2012-2311 Not Vulnerable
  17. CVE-2012-2143 Patch backported
  18. CVE-2012-1823 Patch backported
  19. CVE-2012-1172 Patch backported
  20. CVE-2012-1171 Not a security issue
  21. CVE-2012-0831 Patch backported
  22. CVE-2012-0789 Patch backported
  23. CVE-2012-0788 Not a security issue
  24. CVE-2012-0057 Patch backported
  25. CVE-2011-4885 Patch backported
  26. CVE-2011-4718 Userland code changes required
  27. CVE-2011-3268 Not vulnerable
  28. CVE-2011-3267 Not vulnerable
  29. CVE-2011-3182 Not a security issue
  30. CVE-2011-2483 Patch backported
  31. CVE-2011-2202 Patch backported
  32. CVE-2011-1938 Patch backported
  33. CVE-2011-1471 Patch backported
  34. CVE-2011-1470 Not vulnerable
  35. CVE-2011-1469 Patch backported
  36. CVE-2011-1468 Patch backported
  37. CVE-2011-1467 Not a security issue
  38. CVE-2011-1466 Patch backported
  39. CVE-2011-1464 Not a security issue
  40. CVE-2011-1398 Patch backported
  41. CVE-2011-1153 Not a security issue
  42. CVE-2011-1148 Patch backported
  43. CVE-2011-1092 Not a security issue
  44. CVE-2011-0755 Not a security issue
  45. CVE-2011-0754 Not vulnerable; Windows only issue
  46. CVE-2011-0753 Not a security issue
  47. CVE-2011-0708 Patch backported
  48. CVE-2011-0421 No response
  49. CVE-2010-4700 Not vulnerable
  50. CVE-2010-4699 Not a security issue
  51. CVE-2010-4698 Not vulnerable
  52. CVE-2010-4697 Not a security issue
  53. CVE-2010-4645 Patch backported
  54. CVE-2010-4409 Not a security issue
  55. CVE-2010-4150 Not a security issue
  56. CVE-2010-3870 Patch backported
  57. CVE-2010-3710 Patch backported
  58. CVE-2010-3709 Patch backported
  59. CVE-2010-3436 Not a security issue
  60. CVE-2010-2950 Patch backported
  61. CVE-2006-7243 Patch backported
So of the 61 identified vulnerabilities, Red Hat backported patches to 30 of them, showed that PHP as shipped on Red Hat systems was not vulnerable on 11 of them, and explained that 17 of them were not security issues. There are 3 issues to still discuss. One required a userland change to the code (CVE-2011-4718), something that I would be interested to know if Joomla has investigated. One had no response from Red Hat, but can clearly be seen as a severe edge case with little to no chance of being exploited. The last one (CVE-2014-2497) is the most recent and is still under evaluation for a possible fix even though is has such a low impact.

I started looking into all of these issues not knowing full well if Red Hat had addressed all of them, but I was confident that they had. Therefore, both RHEL 5 and RHEL 6 (and it's clones) have "raised the bar on security" and should be supported by Joomla 3.3.

floriansachs
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon May 12, 2014 11:22 am

Re: Raising The Bar On Security

Post by floriansachs » Mon May 12, 2014 12:01 pm

Hi,

I am also running into the problem using RedHat Enterprise Linux 6 and being no longer able to use Joomla 3.3 and up.

We use RHEL because of their backporting policy. Having a company backporting security fixes without braking current behaviour is very important for us and that's what we actually pay for.

By forcing us to use Non-Standard-Packages, Joomla actually lowers the bar on security, as you force your customers to use not-so-well-tested Packages, where it is a bit unkown how often and for how long the will be updated by the maintainers.

Additionally, I can not easily swap in a new PHP Version as other Software that comes with the distribution except the RHEL Version of PHP. Software written for RHEL actually can except der RHEL Version, as stability is the core and the heart of Enterprise Distributions.

I strongly suggest to revise your decision and support RHEL/CentOS and so on throughout their Lifetime, as they can actually easily jump over the new height of the security bar.

best regards
florian

nickbunyan
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Fri Feb 27, 2009 6:32 pm

Re: Raising The Bar On Security

Post by nickbunyan » Fri May 16, 2014 10:58 am

I have a number of client sites hosted by a company who are very professional and offer me a very good business model.

Sadly some of my clients are now telling me I need to upgrade them to Joomla 3.3 - and I have to tell them I can't - because in common with many other Hosters they are running Centos/Plesk, fully patched, but as far as Joomla is concerned "at the wrong level". The security of the environment and installation is obviously important, but refusing to install and forcing the Joomla user to consider alternate setups is clearly not the way to go.

A Warning message clearly stating "This installation is insecure if not supported by PHP version x.y.z" should be flagged up and echoed in the configuration panel, but blocking installation is counter-productive.

Joomla can only ever be as secure as the environment in which it 'sits' and should be inherently secure within the constraints of that environment, but it should not be the Joomla team who mandate what security is run on the host.

Very disappointed, and like Florian, I hope a workaround for this enterprise class setup arrives soon... :(

michalp
Joomla! Apprentice
Joomla! Apprentice
Posts: 28
Joined: Sat Nov 09, 2013 3:44 pm
Location: Polska
Contact:

Re: Raising The Bar On Security

Post by michalp » Mon May 19, 2014 4:50 am

In some of hosts users can choose which version of PHP they want to use, simply by writing one line of code in .htaccess:

# Use PHP 5.4
AddHandler application/x-httpd-php54 .php

I believe, that this would be the best solution for everybody.

zjoomla22
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Mon May 19, 2014 12:52 pm

Re: Raising The Bar On Security

Post by zjoomla22 » Mon May 19, 2014 1:12 pm

Raising The Bar On Security!
I would say, that it should be better known for "Joomla - Raising the bar on taking down sites!"

The joomla upgrade should have had a server check in the upgrade process, which would stop the upgrade if the correct version of php was NOT installed.

We are using servers from one of the largest (and best in my eyes) server providers in the world. Even a new server purchased and setup with all security patches preloaded on yesterday (about 3 weeks after the release of Joomla 3.3), does not have php 5.3.10.

I wonder how many Joomla sites are already now down due to this raising of the bar?

How many more will go down when clients press update and the server does not have the correct version of php, but Joomla does the upgrade anyways, and then takes down the site?

Brad

nickbunyan
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Fri Feb 27, 2009 6:32 pm

Re: Raising The Bar On Security

Post by nickbunyan » Mon May 19, 2014 1:24 pm

@zjoomla22 - I think you might be getting a bit excited.

On all of my existing sites, clicking the upgrade button does NOT upgrade to 3.3. It upgrades to 3.2.4 and leaves the message "you should upgrade to 3.3" on the site - annoying, but not in all fairness, fatal.

I would be very interested in which 'world class provider' you are using, and also, if you were upgrading or installing from scratch?


Locked

Return to “Community Blog Discussions”