Slashdot Mirror


Joomla! Web Security

Stephen Brandon writes "It used to be that to set up a database-backed web site required at least a server guy, a database administrator, a programmer, and a designer. Joomla! and other modern CMS systems have opened the door to allow non-administrators to be able to set up complete e-commerce or informational sites, using great free software and easy-to-find commercial hosting. What then of security? A new book by Tom Canavan, Joomla Web Security, aims to bridge the knowledge gap, introducing Joomla! admins to a set of security tools, and skills sometimes found lacking in the Joomla! community." Read on for the rest of Stephen's review.

Joomla! Web Security
author: Tom Canavan
pages: 248
publisher: Packt Publishing
rating: 7
reviewer: Stephen Brandon
ISBN: 1847194885 and 978-1-847194-88-6
summary: Useful but needs more Joomla! 1.5-specific content

Joomla! Web Security is Packt Publishing’s eighth Joomla! title, and they are to be congratulated for providing much-needed documentation for Open Source projects. Written by Tom Canavan and published in October 2008, it can be found under ISBN 1847194885 and 978-1-847194-88-6.

According to the back cover, this book is written for “anyone seriously using Joomla! for any kind of business. With this book they will be able to secure their sites, understand the attackers, and more, without the drudging task of looking up in forums, only to be flamed, or not even find the answers.” Prior knowledge of Joomla! is assumed, but prior knowledge of securing websites is not.

Why bother with a book on Joomla! security? In my experience, many people come to Joomla! from a design and content perspective. They are not server gurus, just people who know enough about design to select a good-looking template, then organize suitable content to meet the informational and marketing needs of the organization or business for whom they work.

Template – content – web host – the new site is up and running in short order. The first time the site goes down or the site is hacked however, such a site designer/administrator may well be struggling as the back cover quote suggests.

Although this volume is the only current one that I could find concentrating on Joomla! security, the Joomla! team does have a dedicated Security Task Force, and a fair amount of security information starting from http://docs.joomla.org/. The information on joomla.org, while comprehensive, is not as in-depth as most of the information in Joomla! Web Security.

Written in the author’s chatty, easy-to-read style, chapter 1 covers a lot of basics of Joomla! security, from checking that the installation files have not been tampered with, to choosing hosting, some php and apache settings, permissions, and setting up security metrics.

Given that the choice of hosting is one of the most crucial decisions determining site security and uptime, the author chooses to concentrate on some unexpected angles. Granted, the checklist of physical security is comprehensive (“Is there water detection under this raised floor? Do you have a man-trap entrance to the building?”), but the target audience might be better served by a similarly comprehensive checklist of how to choose safer shared hosting. Notable by its absence was any mention of suPHP, PhpSuExec (see tutorial) or any similar scheme for running PHP files under the ownership of the account-holder rather than the standard httpd or nobody user. Without this, any other client on your shared hosting can read your database credentials and almost certainly gain read-write access to your database — with it, clients on shared hosting are much more efficiently segregated, making shared hosting a more viable option for less security-critical installations.

Absent too was mention of Joomla! 1.5’s FTP layer. Whilst in Joomla! 1.0 you needed to set 777 permissions in order to install extensions or upload images and files via Joomla!, the FTP layer allows Joomla! to FTP these files to itself, maintaining a tighter permissions structure in the absence of suPHP or PhpSuExec.

The section “Setting Up Security Metrics” however shows the author’s strengths. This, chapter 2 “Test and Development” and chapter 10, “Incident Management”, prescribe a methodical approach to security, ensuring that you are well-prepared for any eventuality. For the more mission-critical of the sites that I administer, this has prompted me to review my procedures, but I suspect that these are chapters that will be glossed over by a majority of the target audience.

It’s this sort of dichotomy that mars the book slightly for me. What I would like to give to the Joomla! webmasters that I support as part of my day-job is a book that clearly explains common issues in the installation and administration of Joomla!. Joomla! Web Security seems to promise this, but isn’t willing to provide all the detail required by the less-experienced (no mention of what numerical file permissions actually mean, nor how to obtain the MD5 checksum of a file you downloaded), and seems a little too eager to jump up to higher-level management issues, as worthy as these topics are. And why is there a mini-tutorial on how to use the software development management system Lighthouse, when there are barely any step by step instructions with screenshots on specifically Joomla! topics anywhere in the book?

On a positive note, chapter 3’s “Tools” introduced me to some previously-unknown packages as well as some old friends. Every Joomla! administrator should become familiar with these: HISA (J! 1.0 only), the Joomla! Tools Suite (J!1.5 only in legacy mode), Joomla! Diagnostics (some problems on J!1.5), JCheck (J!1.5 only works in cron mode). The obvious issue is that many of these don’t operate fully or at all for Joomla! 1.5. The sections on NMAP, Wireshark, Metasploit and Nessus however are well written and relevant.

If anyone needs convincing that the threats to a Joomla! site are real, point them to the central chapters of this book. Here Tom Canavan lays out “How the Bad Guys Do It”, and details the anatomy of attacks. This is a real eye-opener and should be required reading for any budding site administrator. It’s good to see a checklist of further topics for study (p. 144).

Finally we return to more specifically Joomla! topics. A section of recipes for .htaccess and php.ini files covers such useful topics as apache’s mod_redirect, password protection and access control. The “Log Files” chapter is pleasingly Joomla!-specific and also covers some logfile analysis tools.

Joomla! Web Security is rounded off with an appendix summarizing some of the key points of the book, and listing port numbers, apache status codes and TLD domain codes. The list of critical settings for .htaccess and php.ini is prescriptive and useful in this format.

While writing this review I noticed that the author has written a previous volume on a similar topic: Dodging the Bullets — A Disaster Preparation Guide for Joomla! Based Websites. Critical reviews of that book suggested that it was aimed towards the larger corporate user of Joomla!, and held little for the Joomla! administrator who simply needed to know and understand the settings and tools required for site security. This volume redresses the balance somewhat, with more hands-on advice, and I would recommend it over Dodging the Bullets for the average Joomla! administrator.

Though Joomla! Web Security is a worthwhile addition to a Joomla! bookshelf, my wish would still be for an even more practical guide, particularly one addressing J!1.5 developments and going into much more detail about selecting a hosting partner. Even without this, however, there is a ton of good information here and I recommend the book.

Availability: On the publisher’s web page for this book you will find the TOC, general introduction, a link to the sample chapter, code download, and facilities for on-line purchase. Various discounts and bundles (including Adobe e-book) are offered on the site; hard copies are also available through Barnes and Noble and other usual channels.

Stephen Brandon is author of the popular MetaMod Joomla! module and web manager for an international non-profit organization."
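The review faults the book for not explaining what numerical file permissions mean or how to obtain the MD5 checksum of a downloaded file, and it singles out 777 directories as the cost of installing extensions without the FTP layer or suPHP. The shell script below is an editor's added example, not code from the book, the review or the Joomla! project; it shows those three checks done by hand: decoding an octal mode into rwx triplets, verifying a download against a publisher's MD5 checksum, and scanning a web root for anything writable by "other". The directory layout in the demo and the placeholder file contents are constructed for illustration.

```shell
#!/bin/sh
# Editor's added example; not code from the book, the review or Joomla!.
# Three checks a Joomla! site admin should be able to do by hand.

# 1. Decode a numeric mode (e.g. 755) into owner/group/other rwx triplets,
#    so that "777" visibly reads "everyone may read, write and execute".
explain_mode() {
    out=""
    for digit in $(printf '%s\n' "$1" | fold -w 1); do
        case $digit in
            0) out="${out}---" ;;  1) out="${out}--x" ;;
            2) out="${out}-w-" ;;  3) out="${out}-wx" ;;
            4) out="${out}r--" ;;  5) out="${out}r-x" ;;
            6) out="${out}rw-" ;;  7) out="${out}rwx" ;;
            *) echo "bad mode digit: $digit" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# 2. Verify a downloaded archive against the MD5 checksum its publisher
#    posted. Returns 0 on match, 1 on mismatch.
verify_md5() {
    file=$1
    expected=$2
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)    # GNU: "<hash>  <name>"
    else
        actual=$(md5 -q "$file")                     # BSD/macOS
    fi
    [ "$actual" = "$expected" ]
}

# 3. List everything under a web root that is writable by "other" (the
#    0002 bit), i.e. the 777 directories a Joomla! 1.0-style install leaves
#    behind. Symlinks are skipped because their own mode is not meaningful.
find_world_writable() {
    find "$1" -perm -0002 ! -type l
}

count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree (not a real Joomla! install): one 777 upload
# directory among otherwise sane permissions. Offending paths go to stderr,
# the count to stdout.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/administrator"
    printf 'constructed placeholder, not a real config\n' > "$root/configuration.php"
    chmod 644 "$root/configuration.php"
    chmod 755 "$root/administrator"
    chmod 777 "$root/images"
    find_world_writable "$root" >&2
    count_world_writable "$root"
    rm -rf "$root"
}
```

A world-writable configuration.php on shared hosting without suPHP or PhpSuExec is readable by every other account on the box in any case, since PHP runs as the shared httpd or nobody user; the scan above only catches the permission side of that problem. MD5 confirms that the file you fetched is the one the publisher described, nothing more; where a project publishes SHA-256 checksums, prefer those.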


11 of 78 comments

  1. Personal preference. by palegray.net · · Score: 4, Insightful

    I used Joomla! (gotta love applications with punctuation in the name) extensively in the past for several sites, but wound up getting frustrated with the amount of effort I had to put into maintaining them. For the work involved, it ended up making more sense to roll a custom "mini-CMS" platform for a couple of sites, which fit the needs of their systems precisely without any extra cruft.

    These days, when friends ask for an easy web publishing platform I simply set them up with a WordPress site on one of my servers.

    1. Re:Personal preference. by 0racle · · Score: 3, Informative

      framework for authentication, forms based data manipulation, and (obviously) skinnable data presentation

      Django might be an option. It is not a CMS, it is just a framework but if you really ended up writing your own CMS this shouldn't scare you and in many cases, Django will probably make the job easier.

      --
      "I use a Mac because I'm just better than you are."
  2. Yawn. Nothing to do with Joomla OR web security by m-wielgo · · Score: 4, Insightful

    Clearly, neither the author of the book, nor reviewer understand web security.

    If you want to learn about securing web servers, why not read Ivan Ristic's Apache Security?

    Apparently, from the topics discussed in this review, this book has nothing to do with writing secure applications using the Joomla Framework. Seriously, file permission? Using Nmap? Nessus? Talk about using the wrong tools for the job. Not even the Joomla Security page has anything do with actual web application security.

    How about going over topics like secure session management, input validation, parameterized queries, output entity encoding, etc?

    Take a clue from OWASP and skip this book.

  3. Joomla! Security by jalefkowit · · Score: 5, Funny

    ... brought to you by the Department of Words That Don't Go Together.

  4. Double check your security settings... by __aaclcg7560 · · Score: 3, Interesting

    I found out the hard way when I did a half-assed job at setting up Joomla! and not updating to the latest security patches. My website got redirected to a Russian website and the password to the database was scrambled. Had to redo everything. Make sure you enable FTP security, have a complex password for your admin/ftp/database accounts, and check your file permissions. Haven't had a problem since then.

  5. Re:If you want to feel secure... by palegray.net · · Score: 2, Interesting

    I know your post was in jest, but you make a good point. A lot of folks are using CMS platforms to publish very simple websites, and wind up dealing with all sorts of security problems.

    The issue stems from the fact that raw beginners don't have a good background in web development to start with, hence their need to use "point and click" publishing tools. While it's true that there's no such thing as a totally secure system, people rapidly find out that there's a lot more to safely hosting a company's website than clicking through a PHP installer page.

  6. ANOTHER Joomla book review? by snarfies · · Score: 3, Insightful

    This is the fifth Joomla book review in the past year. How many do we need? What is the hard-on Slashdot has for Joomla, seriously?

    1. Re:ANOTHER Joomla book review? by Anonymous Coward · · Score: 2, Insightful

      Hell, I welcome Joomla news. Joomla is how I make my living. I don't bitch about the fact there is some stupid article about the iPhone every other day.

    2. Re:ANOTHER Joomla book review? by DiegoBravo · · Score: 2, Informative

      > What is the hard-on Slashdot has for Joomla, seriously?

      The simpler explanation is that a lot of /. readers are using or administrating Joomla. Count me too.

      Instead of complaining, please write some review on another (interesting) topic.

  7. Re:Ok Joomla fans, sell me by FishWithAHammer · · Score: 2, Informative

    If you are going to be dealing with a site of that size with those requirements, Joomla is probably not what you want. (I would argue that Joomla is never what you want, because it sucks, but I digress.) I think you want Drupal.

    Joomla content is just that--a blob of content. Title, body, section, category, done. Drupal allows you to define node types for your content using the Content Construction Kit (CCK), adding text fields, user-reference fields, images, even just files--so you can tie your PDF to a node and give it taxonomic tags on-the-fly, rather than Joomla's boneheaded section/category system (which does not support multiple tags). Creation of new pages is about the same in each, though I prefer Drupal's interface for management.

    The one minus for Drupal is that for a small site it tends to be rather heavyweight, with a lot of database requests and modules that make it a bit slow. When on decent hardware, however, it's quite snappy, and Drupal scales up very well.

    --
    "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
  8. Re:Yawn. Nothing to do with Joomla OR web security by metamodguy · · Score: 2, Insightful

    OWASP is excellent and should be required study for anyone writing web applications...

    m-wielgo is right on another point too - this book is not about writing secure applications using the Joomla framework. It's for people setting up Joomla web sites, not for programmers.

    There are other books available on Joomla programming, including one published recently, and such information belongs in those books.

    There are many aspects to security. Good programming practise is extremely important, and if the underlying CMS is badly coded then there's no point in trying to teach good sysadmin on top of it. I don't happen to think that this is such a problem with Joomla, especially recently. Some of the extensions are another matter. But when you have over 4400 extensions available for Joomla you can't assume all of them are well coded, and you need some skills to evaluate things before putting them into production on your site.

    Another side of security is physical security - well covered in this book.

    Another is about making good decisions in the whole process - choice of CMS, choice of hosting, choice of add-ons. Some of this is covered in this book.

    Another is about contingency planning and corporate responsibility, angles that Tom Canavan addresses at length.

    And so the list goes on.

    When there are so few books available to train budding Joomla admins, I think the choice of angle to take in a book is very important. What's going to help the most people get up to speed on good solid security practises, and avoid the greatest number of security incidents?

    I need my admins to know about apache setup/security. File permissions. PhpSuExec etc. Good passwords. HTTP Basic Auth and SSL for admin tasks. Choosing a good host. How to evaluate Joomla extensions. Good backup procedures. Logging and how to read logs. Testing. Recognising attacks. Knowing when to fix symptoms vs when to reinstall from scratch and/or move hosting.

    Many of these are covered in this book (to some degree), and for that I say it's useful. At the very least it's a good start, as a lot of the skills mentioned come with practise and experience.

    Stephen Brandon