Book Image

Joomla! Web Security

Book Image

Joomla! Web Security

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Joomla! Web Security
Oct, 2008 | 264 pages
No titles found
Table of Contents (16 chapters)
Joomla! Web Security
Joomla! Web Security
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
Preface
Preface
Free Chapter
1
Let's Get Started
Let's Get Started
Introduction
Common Terminology
Hosting—Selection and Unique Needs
Architecting for a Successful Site
Downloading Joomla!
.htaccess
Permissions
Common Trip Ups
Setting Up Security Metrics
Summary
2
Test and Development
Test and Development
Welcome to the Laboratory!
Reporting
Using the Ravenswood Joomla! Server
Summary
3
Tools
Tools
Introduction
Tools, Tools, and More Tools
Summary
4
Vulnerabilities
Vulnerabilities
Introduction
Importance of Patching is Paramount
What is a Vulnerability?
End Users
Summary
5
Anatomy of Attacks
Anatomy of Attacks
Introduction
SQL Injections
Remote File Includes
Summary
6
How the Bad Guys Do It
How the Bad Guys Do It
Laws on the Books
Acquiring Target
Sizing up the Target
Vulnerability Tools
Finding Targets to Attack
What Do I Do Then?
Countermeasures
Closing Words
Summary
7
php.ini and .htaccess
php.ini and .htaccess
.htaccess
php.ini
Summary
8
Log Files
Log Files
What are Log Files, Exactly?
Learning to Read the Log
Log File Analysis
Care and Feeding of Your Log Files
Tools to Review Your Log Files
Summary
9
SSL for Your Joomla! Site
SSL for Your Joomla! Site
What is SSL/TLS?
Process Steps for SSL
Performance Considerations
Other Resources
Summary
10
Incident Management
Incident Management
Creating an Incident Response Policy
Developing Procedures Based on Policy to Respond to Incidents
Summary
Security Handbook
Security Handbook
Security Handbook Reference
General Information
Tools
Ports
Logs
List of Critical Settings
General Apache Information
List of Ports
Summary

Common Trip Ups

While an entire volume could be filled with common mistakes, we'll focus on a few of them here. They are presented here in no particular order.

Failure to Check Vulnerability List First

One big problem comes in if you are using a component that is vulnerable. To start with, why would we deliberately set up our site to be broken into? A quick review of the current vulnerability list shows at the time of writing of over sixty known vulnerable extensions.

Here is one chosen at random known as AutoStand. I followed the link listed in Joomla! and found the security site FrSIRT. They list this as a critical exploit.

Advisory ID : FrSIRT/ADV-2007-1392

CVE ID : CVE-2007-2319

Rated as : High Risk Remotely Exploitable : Yes

Locally Exploitable : Yes

Release Date : 2007-04-16

A vulnerability has been identified in AutoStand (module for Joomla), which could be exploited by remote attackers to execute arbitrary commands. This issue is caused by an input validation error in the "mod_as_category.php" script that does not validate the "mosConfig_absolute_path" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.

Affected Products:

AutoStand (module for Joomla) version 1.1 and prior

Solution:

The FrSIRT is not aware of any official supplied patch for this issue.

References:

http://www.frsirt.com/english/advisories/2007/1392

According to this alert, Autostand version 1.1. and prior is vulnerable, and this advisory mentions that at the time of writing there was not a fix. To be fair, by the time this book comes to print, it is likely that it will have been taken care of. What is important is that we can see there is a highly critical vulnerability (see frsirt.com advisory for severity level). The actual nature of this attack is input validation, meaning, the programmer for this particular version did not properly sanitize the user's input. If I were "Johnny Craxbox" the kiddie script guy from somewhere in the world, I might pass arbitrary commands to the system such as the following: 

 rm -rf *

Whether this would work or not is unknown, but please do not try it, and it's most likely that it will be unknown to the cracker. But if it did pass through with the privileges of the web server, then I have instructed the server in the last part to delete the entire web document tree. Not a good thing to say the least. These vulnerabilities are almost always known to the bad guys before they are known by the good guys, or even the author of the application. Checking the third-party vulnerability list is not only easy and quick, it's simply a very good idea. To fail to check the list is tantamount to laziness. Take off a few minutes right now and bookmark this location:

Note

Tip to check the third-party Vulnerability list from Joomla.org.

http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/

Register Globals, Again

As discussed earlier, having Register Globals enabled is a huge problem. This is so prevalent that a search on the Joomla! forums will turn up multiple instances of this repeated offense.

Permissions

Seeing 777 may be lucky if you're in Las Vegas, but it's hell to pay on your site. We discussed the correct permissions settings earlier, but it bears mentioning them here again. If you have made all your directories and files 777, then get a backup, sit back, and wait to start your restore.

Poor Documentation

While this may be a bit out of the scope with this book, writing down your database settings can be invaluable in an emergency situation. If you are cracked, you may need to reference the authentication information quickly. Write it down! Store it in a safe place.

Got Backups?

Surprisingly few people have backups much less practice backing up, preparing a plan, or testing the plan. DO NOT let this simple action keep you from doing it. Back up.

There are several ways to go about backing up. You have to choose the method that works best for you, but whatever method you choose, it must have the following elements in it:

  • Ability to capture directory structures, files, permissions, and database.

  • Ability to lay your hands on it quickly.

  • It must work when restoring is needed.

  • It must be fresh and up-to-date.

  • Establish a multi-session backup scheme. You should have three to four weekly rolling backups. That way if you were cracked in week two of the month, but you know week one is good, you have that copy.

  • You need a standard enumeration method (fancy word for naming) for your backups.

  • You should practice restoring a few times to make sure you have it.

If you do these simple things you are going to be way ahead of the pack.

Note

Disaster Recovery and Business Continuity

This topic is beyond the scope of this book. However, one key question to ask your prospective host, shared, dedicated or co-location is, "Who does the backups?", "How can you get them restored?", and "What is the cost and time to restore?". You will be shocked to learn that in quite a few cases you will be expected to back up your own data and take it off site. For a more detailed discussion of this topic, the reader is encouraged to read the author's disaster recovery book: Dodging the Bullets, a Disaster Preparation Guide for Joomla! Web Sites. Or take the time to research and set up a good, solid back up, and recovery plan.

Previous Section
End of Section 9
Next Section