Joomla! Web Security

Stephen Brandon writes "It used to be that to set up a database-backed web site required at least a server guy, a database administrator, a programmer, and a designer. Joomla! and other modern CMS systems have opened the door to allow non-administrators to be able to set up complete e-commerce or informational sites, using great free software and easy-to-find commercial hosting. What then of security? A new book by Tom Canavan, Joomla Web Security, aims to bridge the knowledge gap, introducing Joomla! admins to a set of security tools, and skills sometimes found lacking in the Joomla! community." Read on for the rest of Stephen's review.

Joomla! Web Security
author	Tom Canavan
pages	248
publisher	Packt Publishing
rating	7
reviewer	Stephen Brandon
ISBN	1847194885 and 978-1-847194-88-6
summary	Useful but needs more Joomla! 1.5-specific content

Joomla! Web Security is Packt Publishing’s eighth Joomla! title, and they are to be congratulated for providing much-needed documentation for Open Source projects. Written by Tom Canavan and published in October 2008, it can be found under ISBN 1847194885 and 978-1-847194-88-6.

According to the back cover, this book is written for “anyone seriously using Joomla! for any kind of business With this book they will be able to secure their sites, understand the attackers, and more, without the drudging task of looking up in forums, only to be flamed, or not even find the answers.” Prior knowledge of Joomla is assumed, but prior knowledge of securing websites is not.

Why bother with a book on Joomla! security? In my experience, many people come to Joomla! from a design and content perspective. They are not server gurus, just people who know enough about design to select a good-looking template, then organize suitable content to meet the informational and marketing needs of the organization or business for whom they work.

Template – content – web host – the new site is up and running in short order. The first time the site goes down or the site is hacked however, such a site designer/administrator may well be struggling as the back cover quote suggests.

Although this volume is the only current one that I could find concentrating on Joomla! security, the Joomla! team does have a dedicated Security Task Force, and a fair amount of security information starting from http://docs.joomla.org/. The information on joomla.org, while comprehensive, is not as in-depth as most of the information in Joomla! Web Security.

Written in the author’s chatty, easy-to-read style, chapter 1 covers a lot of basics of Joomla! security, from checking that the installation files have not been tampered with, to choosing hosting, some php and apache settings, permissions, and setting up security metrics.

Given that the choice of hosting is one of the most crucial decisions determining site security and uptime, the author chooses to concentrate on some unexpected angles. Granted, the checklist of physical security is comprehensive (“Is there water detection under this raised floor? Do you have a man-trap entrance to the building?”), but the target audience might be better served by a similarly comprehensive checklist of how to choose safer shared hosting. Notable by its absence was any mention of suPHP, PhpSuExec (see tutorial) or any similar scheme for running PHP files under the ownership of the account-holder rather than the standard httpd or nobody user. Without this, any other client on your shared hosting can read your database credentials and almost certainly gain read-write access to your database — with it, clients on shared hosting are much more efficiently segregated, making shared hosting a more viable option for less security-critical installations.

Absent too was mention of Joomla! 1.5’s FTP layer. Whilst in Joomla! 1.0 you needed to set 777 permissions in order to install extensions or upload images and files via Joomla!, the FTP layer allows Joomla! to FTP these files to itself, maintaining a tighter permissions structure in the absence of suPHP or PhpSuExec.

The section “Setting Up Security Metrics” however shows the author’s strengths. This, chapter 2 “Test and Development” and chapter 10, “Incident Management”, prescribe a methodical approach to security, ensuring that you are well-prepared for any eventuality. For the more mission-critical of the sites that I administer, this has prompted me to review my procedures, but I suspect that these are chapters that will be glossed over by a majority of the target audience.

It’s this sort of dichotomy that mars the book slightly for me. What I would like to give to the Joomla! webmasters that I support as part of my day-job is a book that clearly explains common issues in the installation and administration of Joomla!. Joomla! Web Security seems to promise this, but isn’t willing to provide all the detail required by the less-experienced (no mention of what numerical file permissions actually mean, nor how to obtain the MD5 checksum of a file you downloaded), and seems a little too eager to jump up to higher-level management issues, as worthy as these topics are. And why is there a mini-tutorial on how to use the software development management system Lighthouse, when there are barely any step by step instructions with screenshots on specifically Joomla! topics anywhere in the book?

On a positive note, chapter 3’s “Tools” introduced me to some previously-unknown packages as well as some old friends. Every Joomla! administrator should become familiar with these: HISA (J! 1.0 only), the Joomla! Tools Suite (J!1.5 only in legacy mode), Joomla! Diagnostics (some problems on J!1.5), JCheck (J!1.5 only works in cron mode). The obvious issue is that many of these don’t operate fully or at all for Joomla! 1.5. The sections on NMAP, Wireshark, Metasploit and Nessus however are well written and relevant.

If anyone needs convincing that the threats to a Joomla! site are real, point them to the central chapters of this book. Here Tom Canavan lays out “How the Bad Guys Do It”, and details the anatomy of attacks. This is a real eye-opener and should be required reading for any budding site administrator. It’s good to see a checklist of further topics for study (p. 144).

Finally we return to more specifically Joomla! topics. A section of recipes for .htaccess and php.ini files covers such useful topics as apache’s mod_redirect, password protection and access control. The “Log Files” chapter is pleasingly Joomla!-specific and also covers some logfile analysis tools.

Joomla! Web Security is rounded off with an appendix summarizing some of the key points of the book, and listing port numbers, apache status codes and TLD domain codes. The list of critical settings for .htaccess and php.ini is prescriptive and useful in this format.

While writing this review I noticed that the author has written a previous volume on a similar topic: Dodging the Bullets — A Disaster Preparation Guide for Joomla! Based Websites. Critical reviews of that book suggested that it was aimed towards the larger corporate user of Joomla!, and held little for the Joomla! administrator who simply needed to know and understand the settings and tools required for site security. This volume redresses the balance somewhat, with more hands-on advice, and I would recommend it over Dodging the Bullets for the average Joomla! administrator.

Though Joomla! Web Security is a worthwhile addition to a Joomla! bookshelf, my wish would still be for an even more practical guide, particularly one addressing J!1.5 developments and going into much more detail about selecting a hosting partner. Even without this, however, there is a ton of good information here and I recommend the book.

Availability: On the publisher’s web page for this book you will find the TOC, general introduction, a link to the sample chapter, code download, and facilities for on-line purchase. Various discounts and bundles (including Adobe e-book) are offered on the site; hard copies are also available through Barnes and Noble and other usual channels.

Stephen Brandon is author of the popular MetaMod Joomla! module and web manager for an international non-profit organization."

You can purchase Joomla! Web Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Re:

[paimin]

Mod me flamebait all you want, the Drupal-vs-Joomla "there can be only one" pissing contest is for babies. If you can't see that these two packages target completely different sets of needs, and that they are co-existing just fine, pull your head out.

Personal preference.

[palegray.net]

I used Joomla! (gotta love applications with punctuation in the name) extensively in the past for several sites, but wound up getting frustrated with the amount of effort I had to put into maintaining them. For the work involved, it ended up making more sense to roll a custom "mini-CMS" platform for a couple of sites, which fit the needs of their systems precisely without any extra cruft.

These days, when friends ask for an easy web publishing platform I simply set them up with a WordPress site on one of my servers.

Re:

[JCSoRocks]

I ran into a similar problem recently myself. I needed to create a small site where only a few of the pages needed CMS functionality. Only the owners of the site would be updating the content. I looked into Joomla! and Drupal as well as a handful of others but they all just seemed like too much for what I was trying to accomplish. By the time you dig through them and then finally get them skinned they way you want you might as well have just written your own (which is what I ended up doing).

Has anyone els

Re:Personal preference.

[0racle]

framework for authentication, forms based data manipulation, and (obviously) skinnable data presentation

Django might be an option. It is not a CMS, it is just a framework but if you really ended up writing your own CMS this shouldn't scare you and in many cases, Django will probably make the job easier.

Re:

[p0]

Rails too...

Re:

[wwwillem]

Same experience here. Joombla and Drupal are great CMS systems, but not something that as a web developer at the end of the project you can hand over to your "non IT" client.

I ended up using "CMS Made Simple" [cmsmadesimple.org]. The name is of course absolutely horrific, but the same can be said for MySQL :-) .

For me it provided the right amount of customization options, but on the other end, non-IT folks (like my customer's secretary) are able to add new pages and other content. OK, to "start from scratch" will probably be a

Re:

[Low Ranked Craig]

I never use a program with an "!" in the title.

I agree with you 100%. I find that, in general, it's less work and more maintainable to simply create the tables the customer needs for their specific site and code it up in PHP, using a library of common functions I've built over the years. I give them a tailored back end admin console, that is very specific to their site and content, generally using something like PHPMaker.

Re:

[spun]

Have you used 1.5? It gets rid of the cruft, as everything in Joomla is now a module. It also makes maintenance easier, as there is no core for modules to trample on, just a container using inversion of control.

That being said, I agree that for most personal websites, Joomla is overkill and WordPress will work just fine.

Re:

[palegray.net]

I have used 1.5, actually. I agree that it's a vast improvement over the way things were done before.

Re:

[mckinnsb]

I used Joomla! (gotta love applications with punctuation in the name) extensively in the past for several sites, but wound up getting frustrated with the amount of effort I had to put into maintaining them. For the work involved, it ended up making more sense to roll a custom "mini-CMS" platform for a couple of sites, which fit the needs of their systems precisely without any extra cruft. These days, when friends ask for an easy web publishing platform I simply set them up with a WordPress site on one of m

Poll ...

[Rhabarber]

Who else hate the embedded exclamation mark ?

Re:

[Rhabarber]

Yea, I know, s/hate/hates/

Re:

[harry666t]

I do.

Especially since my day job mostly involves maintaining a website based on Joomla.

Hey, modder,

[Rhabarber]

that's no troll just joke ... have a nice day :)

Re:

[Yetihehe]

My job involves installing other cms's for clients which formerly used joomla ;). Typically I use typo3. It's very neat. I've also tried drupal and expublish. Drupal is ok, ezpublish for me was the best idea, but it was so overbloated and slow running, that one client who really wanted it, after everything was finally done generated static html and served it instead.

Yawn. Nothing to do with Joomla OR web security

[m-wielgo]

Clearly, neither the author of the book, nor reviewer understand web security.

If you want to learn about securing web servers, why not read Ivan Ristic's Apache Security?

Apparently, from the topics discussed in this review, this book has nothing to do with writing secure applications using the Joomla Framework. Seriously, file permission? Using Nmap? Nessus? Talk about using the wrong tools for the job. Not even the Joomla Security page [joomla.org] has anything do with actual web application security.

How about going over topics like secure session management, input validation, parameterized queries, output entity encoding, etc?

Take a clue from OWASP [owasp.org] and skip this book.

Re:

[metamodguy]

OWASP is excellent and should be required study for anyone writing web applications...

m-wielgo is right on another point too - this book is not about writing secure applications using the Joomla framework. It's for people setting up Joomla web sites, not for programmers.

There are other books available on Joomla programming, including one published recently, and such information belongs in those books.

There are many aspects to security. Good programming practise is extremely important, and if the underlying

Re:

[Yetihehe]

Face it, joomla is just the most insecure popular cms out there. On my company page we typically register dozens of automated attacks for joomla (no, we don't even use it, but bots still try to inject some code for joomla blindly on any page).

Most insecure popular CMS? I don't think so!

[metamodguy]

"Most insecure popular CMS out there" - That's a crazy assertion - measuring insecurity by the number of automated attacks?

If you look at milw0rm there may seem to be a number of reported vulnerabilities, but they are almost completely due to 3rd party extensions, most of which I have never heard of. And that's not surprising considering there are over 4400 3rd party extensions listed on the extensions.joomla.org site.

Modern (1.5) Joomla has come a long way and a lot of attention is being paid to security i

_!_

[Lord Ender]

Out of principle, I refuse to use any product with an exclamation point its name. Join me, and let's fight this marketing evil together.

Re:

[MightyYar]

Some of you guys get hung up on the funniest things :)

Then again, people find it weird that I've decided to boycott 'k' for being redundant. That a whole different cettle of fish, though.

Re:

[Samschnooks]

Out of principle, I refuse to use any product with an exclamation point its name. Join me, and let's fight this marketing evil together.

I'm starting a movement to get rid of the _@_ symbol. This has worked with other symbols on products. Most notably the '*' with the Pentax' "*ist" line of cameras. Everybody hated that name! I'd like to sign up as an ally organization for banning '@', '!' and the '&' in product names. We may get the guys who were against the '*' reactivated and the guys against '#'. Unfortunately, the cartoonists have will give us some grief because their livelihoods depend on "^%$*^&&@$&%". So expect the

Re:

[Mozk]

Heh, the General Mills symbol is a cursive G, not an ampersand.

Seriously, let's just ban cursive, and not just in product names. For FSM's sake, nobody uses it, schools don't teach it anymore, and it looks pretentious.

Re:

[InlawBiker]

I'm with you my brother. Email me on my Yahoo! account.

If it makes me feel stupid to say it out loud...

[AmazingRuss]

...I'm probably not going to use it.

Re:

[palegray.net]

I know your post was in jest, but you make a good point. A lot of folks are using CMS platforms to publish very simple websites, and wind up dealing with all sorts of security problems.

The issue stems from the fact that raw beginners don't have a good background in web development to start with, hence their need to use "point and click" publishing tools. While it's true that there's no such thing as a totally secure system, people rapidly find out that there's a lot more to safely hosting a company's web

Joomla! Security

[jalefkowit]

... brought to you by the Department of Words That Don't Go Together.

Re:

[CompMD]

"Joomla! Web Security"

This must be either the shortest or longest book ever written, I can't decide which.

Re:

[palegray.net]

Neither can the author, apparently. Books like this are the dead-tree equivalent of "blogging for dollars" IMHO.

Re:

[Swampash]

Ever since my employer's corporate site was hacked and defaced by attackers who got in via a bug in Joomla, I've pretty much thought of Joomla and security as mutually-exclusive concepts.

Re:

[palegray.net]

You're blaming a programming language and database platform for large-scale security issues? The vast majority of security incidents are clearly traced back to programmers failing to practice basic safe coding techniques. You can write crappy, insecure code in any language, linking to any given database, running on any given platform.

Re:

[palegray.net]

C encourages stupid behavior, yet mysteriously remains the most commonly used programming language in terms of lines of code on the planet. Odd.

Re:

[magsol]

Actually, it doesn't. It assumes the programmer knows what they're doing and gives them free reign to do just that. It doesn't take a whole lot of screwing up for the application to go haywire a la segfault, bus errors, etc.

Stupid behavior, on the other hand, encourages stupid behavior, and picking a language which assumes you know what you're doing when you actually don't is the true mistake.

Ok Joomla fans, sell me

[snowwrestler]

I've previously asked here for feedback on Joomla [slashdot.org], and got some comments that gave me pause. I'd love to hear more from people who like Joomla (are you out there??). One complaint was that Joomla extensions often cost money, but I don't mind spending money if it will do what we need. So set cost aside please.

I need a CMS because many in my organization are not tech-savvy but need to update page content--and we've got thousands of pages. I do not want to code up my own CMS--too slow and costly. I'd much pref

Re:

[J05H]

Joomla is an excellent choice for publishing by non-technical staff. Personally i'd rather dig my eyes out with a spoon than work in Drupal. Haven't done much with Plone but Zope used to be tons of fun despite the learning curve. Not recommended for the non-technical.

Re:

[snowwrestler]

What specifically do you not like about Drupal? Thanks.

Re:

[micheas]

What specifically do you not like about Drupal? Thanks.

A user interface that makes kittens cry? (That is a description by one of the core drupal developers about one of the admin screens.)

Drupal's user interface has gotten a lot better lately, and in 6.0 is approaching not bad and if any one is looking at drupal for the first time I would recommend Acquia's version of drupal it has a lot of the drupal annoyances papered over but is not a fork but drupal with a nice set of extensions that you were going to spend a couple weeks tracking down and installing.

Re:

[J05H]

played with it once and hated the structure. Not sure what the turn-off was, but didn't like it, summary judgement.

Re:

[FishWithAHammer]

If you are going to be dealing with a site of that size with those requirements, Joomla is probably not what you want. (I would argue that Joomla is never what you want, because it sucks, but I digress.) I think you want Drupal.

Joomla content is just that--a blob of content. Title, body, section, category, done. Drupal allows you to define node types for your content using the Content Construction Kit (CCK), adding text fields, user-reference fields, images, even just files--so you can tie your PDF to a nod

Re:

[drinkypoo]

The big minus for Drupal is upgrades. It's easy to get comfortable with a series of modules, then have the developers abandon them and have to seek a replacement when a major Drupal revision hits. And the next Drupal revision is a doozy, it's going to make changes that make the D5 to D6 transition look like a point release. I think Drupal is fantastic but I would be hard-pressed to recommend it to anyone until a little while after the release of D7.

Re:

[FishWithAHammer]

Depends on the website, though. I mean, D6 will be supported for quite a long time anyway, and some modules just may never upgrade to D7 because of the enormity of it.

Drupal's upgradability from module version to module version, though, really kind of sucks. Manual administration in 2009? Untarring the damn files by hand? what the hell?

Re:

[Slorv]

We have some 50+ Joomla sites set up for all kind of groups from student projects and research documentation to plain courses in web design for testing.

The framework works great for our needs. I can't think of anything we haven't been able to do, neither function wise or design wise. But yeah the very square section/categories thing is the first we skip.

The only immidiate negative thing I can think of is the stuborn use of tables even in the smallest of modules. That makes details in your design pretty lock

Re:

[AlXtreme]

The site will be almost entirely content. It will need to be updated by non-technical staff, specifically uploading PDFs, creating new pages, and applying tags from multiple fixed taxonomies. It will need to handle user accounts and control editing permissions down to the page level. We do our own design so theming should be too hard, and the more flexible in content placement the better.

I'd go for either Drupal or MODx. Personally I find the latter is much better at large sites (I've done deployments with

Re:

[specific_pacific]

The 'multiple category' thing Joomla can't do without additional component (paid - jACL or Juga or something). The rest it can - called DocMan. It can integrate with this ACL sublayer and Joomla will read it as well. So you will have to go with Drupal if you don't want to pay and install about 10 modules to get the same functionality including a WYSIWYG editor and media control.

You'll then spend more time theming the admin interface, setting up those 10 components to work with roles and worrying about wh

Re:

[micheas]

The site will be almost entirely content. It will need to be updated by non-technical staff, specifically uploading PDFs, creating new pages, and applying tags from multiple fixed taxonomies. It will need to handle user accounts and control editing permissions down to the page level. We do our own design so theming should be too hard, and the more flexible in content placement the better.

Thanks in advance.

As a big Joomla! fan I would not recommend you use Joomla unless you are planning on checking out 1.6 from subversion.

Plone has the highest learing curve of Drupal, Joomla!, and Plone., but it requires no tweaking to get what you need.

Plone does all of those thing out of the box.

Because Plone uses Zope instead of MySQL your PDF's will be objects that can have attributes http://www.example.com/mypdf.pdf [example.com] can have the attribute http://www.example.com/mypdf.pdf/copyright.html [example.com]

Skinning Plone is harder than Jooml

Double check your security settings...

[__aaclcg7560]

I found out the hard way [creimer.ws] when I did a half ass job at setting up Joomla! and not updating to the latest security patches. My website got redirected to a Russian website and the password to the database was scrambled. Had to redo everything. Make sure you enable FTP security, have a complex password for your admin/ftp/database accounts, and check your file permissions. Haven't had a problem since then.

Re:

[bmd256]

If you did not half ass setting up Joomla!, I am sure the problems you had would not have happened in the first place. When setting up a site with Joomla! or any CMS for that matter, security should be one of your primary concerns.

Re:

[__aaclcg7560]

My rationale at the time was... I'll come back to this shortly because I don't understand how this works and don't have the time to figure this out now. Ten months later my website got hacked. AFAIK, There's no "Joomla! For Dummies" out yet.

Re:

[fava]

Actually there is:

http://www.amazon.com/Joomla-Dummies-Computer-Tech/dp/047043287X [amazon.com]

Re:

[cenc]

yea, I seen a novice account holder on one of my servers made the same permissions mistake and got hacked by the Russians. I run several dozen domains with joomla myself, both old and new versions, without a problem for years.

Basic web site security 101 rules will keep it safe, even when security bugs appear.

The nature of the structure of modules really does not lend itself to auto updates however. I can not really say the same thing for PHPbb either or many other CMS like web systems.

They are too easy for

ANOTHER Joomla book review?

[snarfies]

This [slashdot.org] is [slashdot.org] the [slashdot.org] fifth [slashdot.org] Joomla book review in the past year. How many do we need? What is the hard-on Slashdot has for Joomla, seriously?

Re:

[HartDev]

Joomla! is a pretty rocking little CMS you got to admit.

Re:

[Anonymous Coward]

Yes and Windows ME was a pretty rocking little OS you gotta admit. If you don't know what the fuck you are talking about, that is.

Re:

[Anonymous Coward]

Hell, I welcome joomla news. Joomla is how I make my living. I dont bitch about the fact there is some stupid article about the iphone every other day.

Re:

[Anonymous Coward]

I can understand getting upset over a lack of reviews on a certain topic. But getting upset that Joomla books get reviewed every so often?

You not only took the time to come here but also took the time to comment! Just skip it.

I like Joomla! and have bought a few books that got reviewed here. I haven't decided on this one yet but my initial reaction is to pass.

Re:

[DiegoBravo]

> What is the hard-on Slashdot has for Joomla, seriously?

The simpler explanation is that a lot of ./ readers are using or administrating Joomla. Count me too.

Instead of complaining, please write some review on another (interesting) topic.

Re:

[Spy Handler]

because joomla is the most popular web cms?

Linux isn't the most popular computer OS, not even close, yet Slashdot has a huge hard-on for it, and I don't see many complaints. So how about a nice cup of STFU for you?

One false sense of security coming up

[tsalmark]

So now some, presumably competent, writer can paint by numbers, and have no idea when they make a fatal security mistake. Nice

Automated scans...

[msimm]

While I personally feel Meh towards kitchensink-style cms's it's probable worth mentioning directory and/or file renaming, because sooner or later those morons that run automated scanners will exploit a vunerability that will effect you.

Re:

[specific_pacific]

Also, turn on SEF to remove all the com_ shit from the URL is a good start. Then for sure they won't pick you up in a google search.

http://www.google.com/search?hl=en&client=safari&rls=en-us&q=com_contact%26&btnG=Search [google.com]

Name shenanigans

[Neuticle]

While I'm not a fan of punctuation-included-names, since Joomla discussions seem to inevitably bring up the name, I'll say this: "!" aside, Joomla is actually a pretty clever name for a CMS. Joomla being a re-spelling of the Swahili (and probably other Bantu languages) word Jumla, which can mean altogether, as a whole etc.

Ubuntu, while not Swahili per se, is another bantu word. I'm sure there are other OSS projects out there that have used the same tactic. It's a neat way to have meaning in a word that at

Easy way to secure your Joomla! installation

[gravyface]

rm -rf /var/www/myjoomlasite

The core's not the problem, but the 3rd-party add-ons can hurt you badly.

Check out http://milw0rm.com/ [milw0rm.com] and do a quick search for Joomla and see why.

Re:

[Rhaban]

The core is not the problem, but you can't make a decent site without add-ons.

I work a lot with Joomla, not by choice (I would always choose Drupal or EZpublish over Joomla).

Joomla lacks some essential features such as linking a file to a content, adding a new field to a content type, managing several content types, managing access levels, user groups, etc...

This is why i always write the add-ons i need myself. I made some kind of framework (outside joomla's, because joomla framework is a piece of shit), wi

Just produce content, security is no issue.

[hamanaka]

I have been working in Joomla websites since the mambo days. Joomla is an excellent web system and security is very critical. Having a hosting provider is not enough. You need to have a webmaster who can be your web administrator or your guy who has already solved the problem you come across. The books that have been reviewed lately regarding Joomla are excellent ways to break right through steep learning curves. Writing your own extension to start with might be a little complicated. Learning how to m