NYCPHP Meetup

NYPHP.org

[joomla] Joomla Security

forest compustretch at gmail.com
Mon Apr 23 19:27:53 EDT 2007


On 4/22/07, David A. Roth <rothmail at comcast.net> wrote:
>
> What can be done to secure a Joomla site?
>

David,

Using the latest version I hope. As I understand, 1.0.12 underwent a full
security audit of the SQL queries used. Also I expect you're talking about
locking down an install that is known to be secure, i.e. you downloaded
everything from a trusted source, ran your sums, and checked all your
extensions against known exploits, and that you've made sure you haven't
already been hacked (locking the barn door once the horse is gone, or rather,
inside). Check all your write permissions, do the standard stuff to lock
everything down. Once you have your site set up you can make most everything
unwritable as Joomla writes everything to the SQL db. Just to be on the safe
side close up directory traversing for anything you're not using. I'm sure
you know the drill.

Don't neglect the obvious like using secure (well-formed) passwords, not
dictionary words. The kiddies love to run their dictionary scripts.
Likewise, check your logs regularly to notice attacks or unusual traffic
patterns, or use a Perl script to notify you. The majority of the exploits
I've seen are not for the base code but for the 3rd party plugins. This
applies to the nearly 1500 published extensions, and one expects unpublished
extensions should be treated with more caution. Check for known exploits for
each extension you are using or thinking of adding. Forum plugins are one of
the hardest hit; this has pretty much always been the case with PHP. If
you're using a forum, you'll definitely want to do a security check on that
module.

Assuming you're interested in PHP and not just content management, knowing
how using registered globals enables exploits will help you understand
this type of attack. There are numerous pages on the web that explain this
vulnerability; read them so you know what it is exactly that you are
preventing from happening and to give you a better understanding in general
about PHP security. If you want to stick to just content management then hire
a security professional skilled in PHP who will for a modest fee do a full
site audit.

If you're running on your own server you have more options, but also of
course more responsibility. That's just a few standard security checks off
the top of my head; true sec. hardening is an art/science unto itself and
I'm sure others on the list will have other items on their basic checklist.
It is a very long list.


cheers,

Forest
TMG
InfoArchitecture+Design

ps- Congratulations on getting inducted into the Rock 'n' Roll Hall of Fame
this year! (j/k)
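The reply suggests checking the logs regularly, or scripting a check that notifies you. The following is an added example of such a check, not code from the original post or from Joomla, written in PHP rather than the Perl the reply mentions. It parses Apache "combined" format lines and flags source IPs that either POST repeatedly to the administrator login URL or generate many 404s (a common footprint of someone probing for vulnerable extensions). The log lines are constructed sample data; the login path, the component names in the sample and the thresholds are assumptions.

```php
<?php
// Added example (not from the original post): a small access-log check in the
// spirit of "use a script to notify you". Assumptions: Apache combined log
// format, the hypothetical admin login path below, and the two thresholds.

const LOGIN_PATH         = '/administrator/index.php'; // assumed Joomla admin login URL
const LOGIN_THRESHOLD    = 5;   // POSTs to the login URL from one IP before flagging
const NOTFOUND_THRESHOLD = 10;  // 404s from one IP before flagging

// Parse one combined-format line into ip/method/path/status, or null if it
// does not match (malformed lines are skipped rather than trusted).
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
}

// Count login POSTs and 404s per IP and keep only the IPs over threshold.
// Returns ['login' => [ip => count], 'notfound' => [ip => count]].
function suspiciousIps(array $lines): array
{
    $login = [];
    $notfound = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        // Compare the path without its query string against the login URL.
        if ($r['method'] === 'POST' && strtok($r['path'], '?') === LOGIN_PATH) {
            $login[$r['ip']] = ($login[$r['ip']] ?? 0) + 1;
        }
        if ($r['status'] === 404) {
            $notfound[$r['ip']] = ($notfound[$r['ip']] ?? 0) + 1;
        }
    }
    return [
        'login'    => array_filter($login, function ($n) { return $n >= LOGIN_THRESHOLD; }),
        'notfound' => array_filter($notfound, function ($n) { return $n >= NOTFOUND_THRESHOLD; }),
    ];
}

// Constructed sample log: one normal visitor, one IP hammering the login
// form, one IP walking through non-existent component directories.
$sample = [];
$sample[] = '192.0.2.1 - - [23/Apr/2007:10:00:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"';
for ($i = 0; $i < 8; $i++) {
    $sample[] = sprintf(
        '203.0.113.5 - - [23/Apr/2007:10:00:%02d -0400] "POST /administrator/index.php HTTP/1.1" 200 310 "-" "curl/7.16"',
        2 + $i
    );
}
for ($i = 0; $i < 12; $i++) {
    $sample[] = sprintf(
        '198.51.100.7 - - [23/Apr/2007:10:01:%02d -0400] "GET /components/com_sample%d/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
        $i, $i
    );
}

// Build the report. From cron you would hand this text to mail() instead of
// echoing it; a cron job such as `php logcheck.php` (hypothetical file name)
// run every few minutes over the tail of the log is enough.
$report = suspiciousIps($sample);
$labels = ['login' => 'repeated POSTs to the admin login', 'notfound' => '404 responses'];
foreach ($labels as $key => $label) {
    foreach ($report[$key] as $ip => $count) {
        echo "$ip: $count $label\n";
    }
}
```

The two counters are deliberately independent: a single IP with a moderate number of 404s and a moderate number of login POSTs is not flagged by either, so adjust the thresholds to your site's normal traffic before relying on the output.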
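The reply points at register_globals as the thing to understand. Below is an added example, not code from the original post or from Joomla, showing the pattern in miniature: a check that relies on an uninitialised variable, which a client-supplied parameter can pre-set when register_globals is on, beside the hardened form. The function and variable names are hypothetical, and `extract()` is used only to simulate what register_globals does before a script runs.

```php
<?php
// Added example (not from the original post): how register_globals lets a
// request parameter pre-set a variable the script never initialised, and
// the corrected form. Names are hypothetical; extract() simulates the
// register_globals import of request parameters into variables.

// --- Vulnerable pattern (what happens with register_globals = On) ---
function vulnerableIsAdmin(array $request): bool
{
    // Simulate register_globals: every request key becomes a variable here,
    // so a request carrying "authorized" defines $authorized before any check.
    extract($request);
    if (isset($user) && $user === 'admin' && isset($pass) && $pass === 'correct horse') {
        $authorized = true;
    }
    // Defect: $authorized was never initialised to false, so a value injected
    // through the request survives when the credential check does not run.
    return !empty($authorized);
}

// --- Hardened pattern ---
function hardenedIsAdmin(array $request): bool
{
    $authorized = false;                  // always initialise state variables
    $user = $request['user'] ?? '';       // read inputs explicitly, never implicitly
    $pass = $request['pass'] ?? '';
    if ($user === 'admin' && hash_equals('correct horse', $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample requests: a real login and a request with no
// credentials that merely names the state variable.
$legit  = ['user' => 'admin', 'pass' => 'correct horse'];
$forged = ['authorized' => '1'];

echo 'vulnerable, legit:  ', var_export(vulnerableIsAdmin($legit), true), "\n";
echo 'vulnerable, forged: ', var_export(vulnerableIsAdmin($forged), true), "\n";
echo 'hardened, legit:    ', var_export(hardenedIsAdmin($legit), true), "\n";
echo 'hardened, forged:   ', var_export(hardenedIsAdmin($forged), true), "\n";
```

The second line of output is the point of the example: the vulnerable function accepts the forged request because it trusts whatever variables happen to exist. Initialising every variable and reading input only through `$_GET`/`$_POST` (or the framework's request object) removes the dependency on register_globals entirely, which is the right fix whether or not the ini setting is off.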

