Earlier this month, PICnet helped the Housing Assistance Council (HAC) re-launch their website, RuralHome.org, on Soapbox, after their old one had been hacked. HAC wanted an easy-to-manage Web site that was secure and could maintain all of their relevant documents and information on providing housing assistance to the rural poor.
Design was not part of this project beyond a couple of minor tweaks. The emphasis was on giving the organization a way to quickly move more than 100 pages of content to a secure CMS, and by using Soapbox they could do the majority of the work on their own, with our guidance and a strategy for success.
Overall, the project took two months to complete, including fixing up the old site’s code base and then moving the new information over to Soapbox. In the end, all goals were met: expediency, security, and simplicity.
So I know a lot of you think that Joomla! is incredible because it does everything, but as the saying goes, “Computers are only as smart as the users using them.” Joomla does a lot of great things out of the box, but bad administration can make any Joomla install unsafe.
Brad found this forum posting about the “sad, but true” things that some administrators do. For those of you who do these, I hope this opens your eyes and you learn from them, but for most of you, I know you’re doing the right thing.
The Joomla core developers use a combination of manual auditing and automated auditing. They use Acunetix Web Vulnerability Scanner for the automated auditing which has been donated to the Joomla Project. Acunetix WVS scans the site for SQL injection, cross-site scripting and other vulnerabilities, thereby averting possible hacker attacks.
This tool has been run against the 1.0.x trunk (in preparation for 1.0.12) three times in the last two months, which gives the Joomla Team valuable reports that allow them to harden the code. This is a great tool to be using, because we all know about human error.
RobS over at Joomla just posted about Joomla winning an award for security:
Read it here.
Google has done it again. The great people at Google have tried to make our lives easier with their new invention, Google Code Search. Now I can find bits of code that I otherwise wouldn’t have found. How does it do this? Well, Google can now traverse into compressed files like .zip and .tar.gz archives. What does this mean for you? You know how you’re a good webmaster and make backups of your website as websitebackup.tar.gz? Your configuration.php file is one of the files that you just backed up. Guess what: now everyone on Google Code Search can see your user name and password for your MySQL database. How do I fight this, you might ask? Simply put your backups outside your website directory (below the web root in the filesystem) so they aren’t accessible via the web. Read more about it from the Joomla developers here and from a Slashdot article here.
Early this morning, the Joomla team released an important security and bug fix upgrade. The new version, 1.0.11, contains the following fixes:
Your friends at PICnet highly recommend you upgrade your Joomla sites immediately. The discussion thread that’s ensued since the launch has been vibrant, with lots of good vibes sent to stingrey who put a ton of work in packaging this release and making it happen.
Woe is the PHP hosting provider that thinks leaving register_globals on is a good thing. At lunch today, the PICnet gang was chatting about security vulnerabilities that were occurring in many Joomla 3rd party components. The problem is that our wonderful Joomla core was taking flak for not being secure, but at the end of the day all the hacks seemed to be occurring because of poor programming and hosting providers leaving the dreaded “register_globals” on on their servers.
I mean, this is PHP hosting 101, right?
Unfortunately, one of our great clients had a server that had register_globals turned on, and the hacker took full advantage. Moral of the story: please, please check to make sure that register_globals is turned off. If your hosting provider has it turned on, turn and run the other way.
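Two quick checks for the two problems described above (backup archives left under the web root, and register_globals left on), as an added example that is not PICnet’s or Joomla’s code. It assumes a POSIX shell with find, tar and unzip available, and a php.ini whose path you pass in; archive paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added audit helpers (hypothetical, not from the original post).

# Print every .zip/.tar.gz/.tgz under the given document root that bundles a
# configuration.php, i.e. a backup that a crawler can fetch and read the
# database credentials from. Prints nothing when the web root is clean.
find_exposed_backups() {
    docroot="$1"
    for archive in $(find "$docroot" -type f \( -name '*.tar.gz' -o -name '*.tgz' -o -name '*.zip' \)); do
        case "$archive" in
            *.zip) listing=$(unzip -Z -1 "$archive" 2>/dev/null || true) ;;
            *)     listing=$(tar -tzf "$archive" 2>/dev/null || true) ;;
        esac
        # Match the file name at the end of any path inside the archive.
        if printf '%s\n' "$listing" | grep -q 'configuration\.php$'; then
            echo "$archive"
        fi
    done
}

# Echo "on" or "off" for the register_globals setting in a php.ini.
# Takes the last uncommented assignment; PHP accepts On/1/true/yes as on,
# and the directive defaults to off when it is absent (PHP >= 4.2).
register_globals_state() {
    ini="$1"
    val=$(sed -n 's/^[[:space:]]*[Rr]egister_[Gg]lobals[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$ini" 2>/dev/null \
          | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# Usage: audit_host /var/www/htdocs /etc/php.ini
audit_host() {
    exposed=$(find_exposed_backups "$1")
    [ -n "$exposed" ] && printf 'Web-reachable backups with configuration.php:\n%s\n' "$exposed"
    printf 'register_globals is %s\n' "$(register_globals_state "$2")"
}
```

Run the audit against each host’s document root and php.ini; anything listed under the first heading should be moved outside the web root, and anything other than “off” for register_globals is a reason to call the hosting provider.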