Joomla! Web Security
Stephen Brandon writes "It used to be that to set up a database-backed web site required at least a server guy, a database administrator, a programmer, and a designer. Joomla! and other modern CMS systems have opened the door to allow non-administrators to be able to set up complete e-commerce or informational sites, using great free software and easy-to-find commercial hosting. What then of security? A new book by Tom Canavan, Joomla Web Security, aims to bridge the knowledge gap, introducing Joomla! admins to a set of security tools, and skills sometimes found lacking in the Joomla! community." Read on for the rest of Stephen's review.
Joomla! Web Security
author: Tom Canavan
pages: 248
publisher: Packt Publishing
rating: 7
reviewer: Stephen Brandon
ISBN: 1847194885 and 978-1-847194-88-6
summary: Useful but needs more Joomla! 1.5-specific content
Joomla! Web Security is Packt Publishing’s eighth Joomla! title, and they are to be congratulated for providing much-needed documentation for Open Source projects. Written by Tom Canavan and published in October 2008, it can be found under ISBN 1847194885 and 978-1-847194-88-6.
According to the back cover, this book is written for “anyone seriously using Joomla! for any kind of business. With this book they will be able to secure their sites, understand the attackers, and more, without the drudging task of looking up in forums, only to be flamed, or not even find the answers.” Prior knowledge of Joomla is assumed, but prior knowledge of securing websites is not.
Why bother with a book on Joomla! security? In my experience, many people come to Joomla! from a design and content perspective. They are not server gurus, just people who know enough about design to select a good-looking template, then organize suitable content to meet the informational and marketing needs of the organization or business for whom they work.
Template – content – web host – the new site is up and running in short order. The first time the site goes down or the site is hacked however, such a site designer/administrator may well be struggling as the back cover quote suggests.
Although this volume is the only current one that I could find concentrating on Joomla! security, the Joomla! team does have a dedicated Security Task Force, and a fair amount of security information starting from http://docs.joomla.org/. The information on joomla.org, while comprehensive, is not as in-depth as most of the information in Joomla! Web Security.
Written in the author’s chatty, easy-to-read style, chapter 1 covers a lot of basics of Joomla! security, from checking that the installation files have not been tampered with, to choosing hosting, some php and apache settings, permissions, and setting up security metrics.
Given that the choice of hosting is one of the most crucial decisions determining site security and uptime, the author chooses to concentrate on some unexpected angles. Granted, the checklist of physical security is comprehensive (“Is there water detection under this raised floor? Do you have a man-trap entrance to the building?”), but the target audience might be better served by a similarly comprehensive checklist of how to choose safer shared hosting. Notable by its absence was any mention of suPHP, PhpSuExec (see tutorial) or any similar scheme for running PHP files under the ownership of the account-holder rather than the standard httpd or nobody user. Without this, any other client on your shared hosting can read your database credentials and almost certainly gain read-write access to your database — with it, clients on shared hosting are much more efficiently segregated, making shared hosting a more viable option for less security-critical installations.
Absent too was mention of Joomla! 1.5’s FTP layer. Whilst in Joomla! 1.0 you needed to set 777 permissions in order to install extensions or upload images and files via Joomla!, the FTP layer allows Joomla! to FTP these files to itself, maintaining a tighter permissions structure in the absence of suPHP or PhpSuExec.
The section “Setting Up Security Metrics” however shows the author’s strengths. This, chapter 2 “Test and Development” and chapter 10, “Incident Management”, prescribe a methodical approach to security, ensuring that you are well-prepared for any eventuality. For the more mission-critical of the sites that I administer, this has prompted me to review my procedures, but I suspect that these are chapters that will be glossed over by a majority of the target audience.
It’s this sort of dichotomy that mars the book slightly for me. What I would like to give to the Joomla! webmasters that I support as part of my day-job is a book that clearly explains common issues in the installation and administration of Joomla!. Joomla! Web Security seems to promise this, but isn’t willing to provide all the detail required by the less-experienced (no mention of what numerical file permissions actually mean, nor how to obtain the MD5 checksum of a file you downloaded), and seems a little too eager to jump up to higher-level management issues, as worthy as these topics are. And why is there a mini-tutorial on how to use the software development management system Lighthouse, when there are barely any step by step instructions with screenshots on specifically Joomla! topics anywhere in the book?
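The suPHP/PhpSuExec and 777-permissions points above, and the reviewer's wish for an explanation of numeric permissions and MD5 checksums, as an added example (not code from the book or the review): a POSIX shell script that audits a Joomla! document root for a world-readable configuration.php and world-writable directories, and checks a downloaded archive against a published MD5. The site tree, file names and checksum in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the book or from the review. It checks a Joomla!
# document root for the two shared-hosting problems the review raises (a
# configuration.php every other account on the server can read, and 777-style
# world-writable directories) and verifies a downloaded archive against a published
# MD5 checksum. All paths and the expected checksum are constructed placeholders.

# Print the "other" permission digit of a file, e.g. 644 -> 4, 777 -> 7.
other_digit() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s\n' "${mode#"${mode%?}"}"
}

# Succeed when users outside the owner and group can read the file (r bit = 4).
world_readable() {
    d=$(other_digit "$1")
    [ $(( d & 4 )) -ne 0 ]
}

# Succeed when everyone can write to the file or directory (w bit = 2; the 777 case).
world_writable() {
    d=$(other_digit "$1")
    [ $(( d & 2 )) -ne 0 ]
}

# Audit a document root: print one RISK line per finding, return 1 if any were found.
audit_joomla() {
    root=$1
    problems=0
    cfg="$root/configuration.php"
    if [ -f "$cfg" ] && world_readable "$cfg"; then
        echo "RISK: $cfg is world-readable; without suPHP/PhpSuExec any other account" \
             "on a shared host can read the database credentials stored in it"
        problems=$(( problems + 1 ))
    fi
    # Directories opened up to 777 so that the httpd/nobody user could write uploads.
    find "$root" -type d -perm -002 -print 2>/dev/null | while IFS= read -r d; do
        echo "RISK: $d is world-writable; use the FTP layer or suPHP instead of 777"
    done
    n777=$(find "$root" -type d -perm -002 -print 2>/dev/null | wc -l | tr -d ' ')
    problems=$(( problems + n777 ))
    [ "$problems" -eq 0 ]
}

# Print a file's MD5 using whichever tool the host has (md5sum on Linux, md5 on BSD).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    else
        md5 -q "$1"
    fi
}

# Succeed only if the download's MD5 equals the checksum published alongside it.
verify_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches $2"
    else
        echo "MISMATCH: $1 has MD5 $actual, expected $2"
        return 1
    fi
}

# Demonstration on a constructed site tree (run the script with --demo).
demo() {
    site=$(mktemp -d)
    mkdir "$site/images" && chmod 777 "$site/images"          # Joomla! 1.0-style upload dir
    printf '<?php $password = "constructed";\n' > "$site/configuration.php"
    chmod 644 "$site/configuration.php"                        # readable by every account
    audit_joomla "$site" || echo "-> tighten permissions before going live"
    # 640 only works when PHP runs as the account owner (suPHP/PhpSuExec); with a
    # shared httpd/nobody user the web server itself could no longer read the file.
    chmod 640 "$site/configuration.php" && chmod 755 "$site/images"
    audit_joomla "$site" && echo "-> clean after tightening"
    printf 'hello\n' > "$site/Joomla_download.zip"            # stand-in for a download
    verify_md5 "$site/Joomla_download.zip" b1946ac92492d2347c6235b4d2611184
    rm -rf "$site"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```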
On a positive note, chapter 3’s “Tools” introduced me to some previously-unknown packages as well as some old friends. Every Joomla! administrator should become familiar with these: HISA (J! 1.0 only), the Joomla! Tools Suite (J!1.5 only in legacy mode), Joomla! Diagnostics (some problems on J!1.5), JCheck (J!1.5 only works in cron mode). The obvious issue is that many of these don’t operate fully or at all for Joomla! 1.5. The sections on NMAP, Wireshark, Metasploit and Nessus however are well written and relevant.
If anyone needs convincing that the threats to a Joomla! site are real, point them to the central chapters of this book. Here Tom Canavan lays out “How the Bad Guys Do It”, and details the anatomy of attacks. This is a real eye-opener and should be required reading for any budding site administrator. It’s good to see a checklist of further topics for study (p. 144).
Finally we return to more specifically Joomla! topics. A section of recipes for .htaccess and php.ini files covers such useful topics as apache’s mod_redirect, password protection and access control. The “Log Files” chapter is pleasingly Joomla!-specific and also covers some logfile analysis tools.
Joomla! Web Security is rounded off with an appendix summarizing some of the key points of the book, and listing port numbers, apache status codes and TLD domain codes. The list of critical settings for .htaccess and php.ini is prescriptive and useful in this format.
While writing this review I noticed that the author has written a previous volume on a similar topic: Dodging the Bullets — A Disaster Preparation Guide for Joomla! Based Websites. Critical reviews of that book suggested that it was aimed towards the larger corporate user of Joomla!, and held little for the Joomla! administrator who simply needed to know and understand the settings and tools required for site security. This volume redresses the balance somewhat, with more hands-on advice, and I would recommend it over Dodging the Bullets for the average Joomla! administrator.
Though Joomla! Web Security is a worthwhile addition to a Joomla! bookshelf, my wish would still be for an even more practical guide, particularly one addressing J!1.5 developments and going into much more detail about selecting a hosting partner. Even without this, however, there is a ton of good information here and I recommend the book.
Availability: On the publisher’s web page for this book you will find the TOC, general introduction, a link to the sample chapter, code download, and facilities for on-line purchase. Various discounts and bundles (including Adobe e-book) are offered on the site; hard copies are also available through Barnes and Noble and other usual channels.
Stephen Brandon is author of the popular MetaMod Joomla! module and web manager for an international non-profit organization."
You can purchase Joomla! Web Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Step 1: Create online security forum for e.$ CMSes.
Step 2: Log IP's. Troll the forum, looking for people blurting out useful information.
Step 3: ???
Step 4: Profit.
(Optional) Step 5: Chortle into large money pit.
I used Joomla! (gotta love applications with punctuation in the name) extensively in the past for several sites, but wound up getting frustrated with the amount of effort I had to put into maintaining them. For the work involved, it ended up making more sense to roll a custom "mini-CMS" platform for a couple of sites, which fit the needs of their systems precisely without any extra cruft.
These days, when friends ask for an easy web publishing platform I simply set them up with a WordPress site on one of my servers.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Who else hates the embedded exclamation mark?
Clearly, neither the author of the book, nor reviewer understand web security.
If you want to learn about securing web servers, why not read Ivan Ristic's Apache Security?
Apparently, from the topics discussed in this review, this book has nothing to do with writing secure applications using the Joomla Framework. Seriously, file permission? Using Nmap? Nessus? Talk about using the wrong tools for the job. Not even the Joomla Security page has anything do with actual web application security.
How about going over topics like secure session management, input validation, parameterized queries, output entity encoding, etc?
Take a clue from OWASP and skip this book.
Out of principle, I refuse to use any product with an exclamation point in its name. Join me, and let's fight this marketing evil together.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Great timing on the article... At least five vulnerabilities related to Joomla have been discovered since Christmas...
What's wrong with good old fashioned HTML? Those sites never, ever get hacked... Just give me 1 example... wait... oh... right.
... brought to you by the Department of Words That Don't Go Together.
Read my blog.
I've previously asked here for feedback on Joomla, and got some comments that gave me pause. I'd love to hear more from people who like Joomla (are you out there??). One complaint was that Joomla extensions often cost money, but I don't mind spending money if it will do what we need. So set cost aside please.
I need a CMS because many in my organization are not tech-savvy but need to update page content--and we've got thousands of pages. I do not want to code up my own CMS--too slow and costly. I'd much prefer to start with an OSS platform and customize. We have a site going up on Joomla now that will act as a test. We're also planning to test out Drupal, and maybe Plone (tougher due to Zope/Python learning curve?).
The site will be almost entirely content. It will need to be updated by non-technical staff, specifically uploading PDFs, creating new pages, and applying tags from multiple fixed taxonomies. It will need to handle user accounts and control editing permissions down to the page level. We do our own design so theming should be too hard, and the more flexible in content placement the better.
Thanks in advance.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
I found out the hard way when I did a half ass job at setting up Joomla! and not updating to the latest security patches. My website got redirected to a Russian website and the password to the database was scrambled. Had to redo everything. Make sure you enable FTP security, have a complex password for your admin/ftp/database accounts, and check your file permissions. Haven't had a problem since then.
You're blaming a programming language and database platform for large-scale security issues? The vast majority of security incidents are clearly traced back to programmers failing to practice basic safe coding techniques. You can write crappy, insecure code in any language, linking to any given database, running on any given platform.
This is the fifth Joomla book review in the past year. How many do we need? What is the hard-on Slashdot has for Joomla, seriously?
Correction: a shitty programming language and database that encourage stupid behavior and make doing the right thing difficult.
C encourages stupid behavior, yet mysteriously remains the most commonly used programming language in terms of lines of code on the planet. Odd.
Well, you see I would but I have the use of an exclamation mark in names so much that I can't support your ban on the use of an exclamation mark in names since you used one in your post's title.
So now some, presumably competent, writer can paint by numbers, and have no idea when they make a fatal security mistake. Nice
While I personally feel "meh" towards kitchen-sink-style CMSes, it's probably worth mentioning directory and/or file renaming, because sooner or later those morons that run automated scanners will exploit a vulnerability that will affect you.
Quack, quack.
Actually, it doesn't. It assumes the programmer knows what they're doing and gives them free rein to do just that. It doesn't take a whole lot of screwing up for the application to go haywire a la segfault, bus errors, etc.
Stupid behavior, on the other hand, encourages stupid behavior, and picking a language which assumes you know what you're doing when you actually don't is the true mistake.
"I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
Mod me flamebait all you want, the Drupal-vs-Joomla "there can be only one" pissing contest is for babies. If you can't see that these two packages target completely different sets of needs, and that they are co-existing just fine, pull your head out.
Facebook is the new AOL
OWASP is excellent and should be required study for anyone writing web applications...
m-wielgo is right on another point too - this book is not about writing secure applications using the Joomla framework. It's for people setting up Joomla web sites, not for programmers.
There are other books available on Joomla programming, including one published recently, and such information belongs in those books.
There are many aspects to security. Good programming practice is extremely important, and if the underlying CMS is badly coded then there's no point in trying to teach good sysadmin on top of it. I don't happen to think that this is such a problem with Joomla, especially recently. Some of the extensions are another matter. But when you have over 4400 extensions available for Joomla you can't assume all of them are well coded, and you need some skills to evaluate things before putting them into production on your site.
Another side of security is physical security - well covered in this book.
Another is about making good decisions in the whole process - choice of CMS, choice of hosting, choice of add-ons. Some of this is covered in this book.
Another is about contingency planning and corporate responsibility, angles that Tom Canavan addresses at length.
And so the list goes on.
When there are so few books available to train budding Joomla admins, I think the choice of angle to take in a book is very important. What's going to help the most people get up to speed on good solid security practices, and avoid the greatest number of security incidents?
I need my admins to know about apache setup/security. File permissions. PhpSuExec etc. Good passwords. HTTP Basic Auth and SSL for admin tasks. Choosing a good host. How to evaluate Joomla extensions. Good backup procedures. Logging and how to read logs. Testing. Recognising attacks. Knowing when to fix symptoms vs when to reinstall from scratch and/or move hosting.
Many of these are covered in this book (to some degree), and for that I say it's useful. At the very least it's a good start, as a lot of the skills mentioned come with practice and experience.
Stephen Brandon
...I'm probably not going to use it.
While I'm not a fan of punctuation-included-names, since Joomla discussions seem to inevitably bring up the name, I'll say this: "!" aside, Joomla is actually a pretty clever name for a CMS. Joomla being a re-spelling of the Swahili (and probably other Bantu languages) word Jumla, which can mean altogether, as a whole etc.
Ubuntu, while not Swahili per se, is another Bantu word. I'm sure there are other OSS projects out there that have used the same tactic. It's a neat way to have meaning in a word that at the same time is completely unfamiliar to almost all people in Asia, Europe and the Americas.
"Cheeze it!" - Bender
I have a trick for making joomla ultra-secure. After you set up joomla, recursively wget the entire site, put the resulting files in the DocumentRoot and delete Joomla. It's amazing *just* how much more secure that is!
that's no troll, just a joke ... have a nice day :)
rm -rf /var/www/myjoomlasite
The core's not the problem, but the 3rd-party add-ons can hurt you badly.
Check out http://milw0rm.com/ and do a quick search for Joomla and see why.
body massage!
Face it, joomla is just the most insecure popular cms out there. On my company page we typically register dozens of automated attacks for joomla (no, we don't even use it, but bots still try to inject some code for joomla blindly on any page).
Extreme Programming - Redundant Array of Inexpensive Developers
"Most insecure popular CMS out there" - That's a crazy assertion - measuring insecurity by the number of automated attacks?
If you look at milw0rm there may seem to be a number of reported vulnerabilities, but they are almost completely due to 3rd party extensions, most of which I have never heard of. And that's not surprising considering there are over 4400 3rd party extensions listed on the extensions.joomla.org site.
Modern (1.5) Joomla has come a long way and a lot of attention is being paid to security issues. One of the main mistakes people make is to install a whole bunch of 3rd party extensions that they don't understand, and have no idea how to evaluate.
Stephen Brandon
I have been working in Joomla websites since the mambo days. Joomla is an excellent web system and security is very critical. Having a hosting provider is not enough. You need to have a webmaster who can be your web administrator or your guy who has already solved the problem you come across. The books that have been reviewed lately regarding Joomla are excellent ways to break right through steep learning curves. Writing your own extension to start with might be a little complicated. Learning how to manage content and using each type of extension should be initial building blocks. Having low confidence in security is not a problem if you have a continuous backup system. The installation process can be automated or done manually. I am a student for the next 3 months, when summer starts I plan on providing my years of mambo/joomla CMS knowledge to as many people as possible. My goal is to help people become self-reliant CMS operators, who will build applications that many people will use. The demand for application administrators is very high. However, Joomla is only a framework and high quality content still needs to be produced and an evangelist must still bring a strong concept to the website. The security portion of a business plan utilizing the Joomla framework is less necessary if you have the correct infrastructure.