[GLLUG] Securing Joomla
Daniel Hedlund
daniel at digitree.org
Thu Oct 5 09:28:37 EDT 2006
Caleb Cushing wrote:
> In the current stable release of Joomla there are some major security
> holes, including lack of SSL (or other encryption) and plain text
> password submission for the admin interface. I'm wondering what our
> webmasters at GLLUG have done to secure this, as I have recently begun
> work on my own Joomla site.
As Joomla is written in Apache, you should be able to secure
communications with OpenSSL (i.e. HTTPS). I wouldn't consider Joomla's
login interface sending a plain-text password to be insecure in itself.
Most web interfaces would wrap their communications in an SSL layer so
the plain text password would be encrypted to anyone trying to
eavesdrop. If you set up HTTPS support in Apache (which is very easy
with most modern distros), you need to make sure that you don't use the
default certificates that come with Apache; the private key is the same
across installations, thus providing almost no additional security. See
the following website for a guide on using SSL with Joomla:
http://www.netshinesoftware.com/using-an-ssl-certificate-with-your-joomla-website.html
Another thing you could look into is a product called Suhosin, aka the
"Hardened PHP Project":
http://www.hardened-php.net/suhosin/index.html
It's a binary-compatible replacement for PHP that helps to protect
against unknown PHP vulnerabilities. Unfortunately, I don't believe
that any of the vulnerabilities being reported in the Joomla project would
be fixed by Suhosin. Most of the security problems in their advisories
are due to programming errors on the part of the developers such as
failing to verify that input passed to a function was valid and not
checking against other potentially malicious strings within individual
modules.
You should have a look at the Joomla forum, especially the Security FAQs,
which provide additional advice on securing their product:
http://forum.joomla.org/index.php/board,322.0.html
General security forum for Joomla:
http://forum.joomla.org/index.php/board,267.0.html
Overall, there appear to have been a considerable number of security
vulnerabilities in Joomla that would make me a little bit worried. If
you have a look at their security forum (above) there are a considerable
number of posts relating to security issues during the last few days.
Unless you're planning to restrict access to only an internal group of
people that you trust reasonably well, you will need to keep a close eye
on security advisories for this product.
Cheers,
Daniel Hedlund
daniel at digitree.org
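An added example, not part of the original thread: an Apache configuration that does what the reply above recommends. It replaces the distribution's shared default certificate with a key pair generated for this site and forces Joomla's /administrator login onto HTTPS so the password never crosses the wire in the clear. The hostname, file paths and default-certificate filenames are assumptions.

```apache
# Weak setting: the stock test certificate shipped with the distro's Apache
# package. Its private key is identical on every installation, so it gives
# no real protection against eavesdropping or impersonation.
#
# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

# Corrected setting: a key and certificate generated for this site only,
# for example with (paths are placeholders):
#   openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
#       -keyout /etc/apache2/ssl/joomla.key -out /etc/apache2/ssl/joomla.crt
# A certificate signed by a CA the browser trusts avoids the warning a
# self-signed one produces.

# Plain HTTP: public pages may be served here, but any request under
# Joomla's /administrator path is redirected to HTTPS before the login
# form can be submitted unencrypted.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/joomla

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/administrator(.*)$ https://%{HTTP_HOST}/administrator$1 [R=301,L]
</VirtualHost>

# HTTPS: the administrator interface and everything else behind TLS.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/joomla

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/joomla.crt
    SSLCertificateKeyFile /etc/apache2/ssl/joomla.key
    # Keep the private key readable by root only; Apache loads it before
    # dropping privileges:
    #   chown root:root /etc/apache2/ssl/joomla.key
    #   chmod 600 /etc/apache2/ssl/joomla.key
</VirtualHost>
```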