[GLLUG] Securing Joomla

Charles Ulrich charles at idealso.com
Thu Oct 5 12:36:57 EDT 2006


On Thursday 05 October 2006 09:28, Daniel Hedlund wrote:
> Caleb Cushing wrote:
> > In the current stable release of Joomla there are some major security
> > holes. Including lack of SSL (or other encryption) and plain text
> > password submission, for the admin interface. I'm wondering what our
> > webmasters at gllug have done to secure this as I have recently begun
> > work on my own Joomla site.
>
> As Joomla is written in Apache, you should be able to secure
> communications with OpenSSL (i.e. HTTPS).  I wouldn't consider Joomla's
> login interface sending a plain-text password to be insecure in itself.
[snip]

I think part of what Caleb was originally getting at was that we don't 
currently have an HTTPS option for logging into the Joomla administrative 
interface. This is because gllug.org lives on a server that hosts multiple 
sites as VirtualHosts, all with the same IP address. In order to do SSL, we'd 
have to assign gllug.org its very own routable IP address which we've not 
opted to do at this time.

For now, those with an administrative (or otherwise) account on gllug.org will 
have to log in from a semi-trusted internet connection.

-- 
Charles Ulrich
Ideal Solution, LLC -- http://www.idealso.com
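
The layout the message describes, as an added example that is not part of the original post and not gllug.org's actual configuration: the other sites stay name-based on the shared address, while gllug.org gets a dedicated address so an SSL virtual host can be bound to it. It assumes an Apache build without SNI support; the IP addresses (RFC 5737 documentation range), file paths, the other site names and the /administrator path for the Joomla admin interface are constructed or assumed.

```apache
# Constructed addresses, paths and neighbour sites; illustration only.
Listen 80
Listen 443

# Shared address: plain-HTTP sites are told apart by the Host header,
# which is why many of them can live on one IP.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName site-a.example
    DocumentRoot /var/www/site-a
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName site-b.example
    DocumentRoot /var/www/site-b
</VirtualHost>

# Dedicated address for gllug.org (DNS for gllug.org would point here).
# Plain HTTP still serves the public site, but the admin login is
# redirected so the password is never submitted in clear text.
<VirtualHost 192.0.2.20:80>
    ServerName gllug.org
    DocumentRoot /var/www/gllug
    Redirect permanent /administrator https://gllug.org/administrator
</VirtualHost>

# Without SNI the server must pick its certificate before it has read any
# Host header, so this IP:port pair has to identify exactly one site.
<VirtualHost 192.0.2.20:443>
    ServerName gllug.org
    DocumentRoot /var/www/gllug
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gllug.org.crt
    SSLCertificateKeyFile /etc/ssl/private/gllug.org.key
</VirtualHost>
```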

