[GLLUG] Securing Joomla

Daniel Hedlund daniel at digitree.org
Thu Oct 5 09:28:37 EDT 2006


Caleb Cushing wrote:
> In the current stable release of Joomla there are some major security
> holes. Including lack of SSL (or other encryption) and plain text
> password submission, for the admin interface. I'm wondering what our
> webmasters at gllug have done to secure this as I have recently begun
> work on my own Joomla site.

As Joomla is written in Apache, you should be able to secure 
communications with OpenSSL (i.e. HTTPS).  I wouldn't consider Joomla's 
login interface sending a plain-text password to be insecure in itself. 
Most web interfaces would wrap their communications in an SSL layer so 
the plain text password would be encrypted to anyone trying to 
eavesdrop.  If you set up HTTPS support in Apache (which is very easy 
with most modern distros), you need to make sure that you don't use the 
default certificates that come with Apache; the private key is the same 
across installations, thus providing almost no additional security.  See 
the following website for a guide on using SSL with Joomla:
http://www.netshinesoftware.com/using-an-ssl-certificate-with-your-joomla-website.html

Another thing you could look into is a product called Suhosin, aka the 
"Hardened PHP Project":
http://www.hardened-php.net/suhosin/index.html

It's a binary-compatible replacement for PHP that helps to protect 
against unknown PHP vulnerabilities.  Unfortunately, I don't believe 
that any of the vulnerabilities being reported in the Joomla project would 
be fixed by Suhosin.  Most of the security problems in their advisories 
are due to programming errors on the part of the developers such as 
failing to verify that input passed to a function was valid and not 
checking against other potentially malicious strings within individual 
modules.

You should have a look at the Joomla forum, especially the Security FAQs 
which provide additional advice on securing their product:
http://forum.joomla.org/index.php/board,322.0.html

General security forum for Joomla:
http://forum.joomla.org/index.php/board,267.0.html

Overall, there appear to have been a considerable number of security 
vulnerabilities in Joomla that would make me a little bit worried.  If 
you have a look at their security forum (above) there are a considerable 
number of posts relating to security issues during the last few days. 
Unless you're planning to restrict access to only an internal group of 
people that you trust reasonably well, you will need to keep a close eye 
on security advisories for this product.

Cheers,

Daniel Hedlund
daniel at digitree.org
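An added example (not from the thread, nor from the Joomla project) of the Apache setup Daniel describes: the weak form that reuses the certificate and key that shipped with the package, beside a vhost that uses a key and certificate generated for this host and sends the Joomla admin login over HTTPS only. The hostname www.example.org, the DocumentRoot /var/www/joomla and the key/cert paths under /etc/apache2/ssl/ are assumptions; the distro's default certificate path is a placeholder.

```apache
# WEAK: reusing the certificate and key installed with the package.
# If the key is shared across installations, anyone who has that same
# package can decrypt or impersonate this site. Kept commented out as
# the "before" case; do not deploy this.
#<VirtualHost *:443>
#    ServerName www.example.org
#    DocumentRoot /var/www/joomla
#    SSLEngine on
#    SSLCertificateFile    /etc/ssl/certs/DISTRO-DEFAULT-CERT.pem   # placeholder path
#    SSLCertificateKeyFile /etc/ssl/private/DISTRO-DEFAULT-KEY.pem  # placeholder path
#</VirtualHost>

# Plain HTTP: redirect everything to HTTPS so the admin password is never
# sent in the clear (mod_alias, no rewrite rules needed).
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

# HTTPS with a key and certificate generated for this host, e.g.
#   openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
#       -keyout /etc/apache2/ssl/joomla.key -out /etc/apache2/ssl/joomla.crt
#   chmod 600 /etc/apache2/ssl/joomla.key
# (assumed paths; a CA-signed certificate avoids browser warnings)
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/joomla
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/joomla.crt
    SSLCertificateKeyFile /etc/apache2/ssl/joomla.key

    # Belt and braces: even if the :80 redirect is removed later, the
    # administrator interface refuses non-SSL requests outright.
    <Location /administrator>
        SSLRequireSSL
    </Location>
</VirtualHost>
```

Check the result after reloading Apache: a request to http://www.example.org/administrator/ should answer with a 301 to the https:// URL, and the certificate presented on port 443 should be the one you generated, not the packaged one.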

