mfcphil Friend
October 17, 2008 at 4:11 pm #275895
Can we get an official view on this… Is this forum safe?
And Wooohanetworks, please don't tell me what I should and should not read… I am a big boy, and if I want to read your posts I will, and if I choose not to I won't…
And while you're telling us never to put our URLs on the site, you are placing loads of links to other sites in your other posts. Do you think you are being a little unfair on all these sites you have exposed to potential hack threats?
Maybe you should backtrack and remove them!!
mfcphil Friend
October 17, 2008 at 4:14 pm #275896
@swemmel 86616 wrote:
> For me it is clear. Make sure your website is as safe as possible and you can post your URL wherever you want. And I can say my URLs are all around the web. One of my sites was hacked one time, and that was because I had a component that was vulnerable and I did not check the list on Joomla.org regularly. It is here:
> http://docs.joomla.org/Vulnerable_Extensions_List
> When you check this list and Joomla.org on a regular basis, you can close the doors in time. What wooohanetworks do is playing panic-football, like they do on Wall Street nowadays. :p
> The safest way to keep your site from hackers is to keep it on a local host on your PC at home.
> Peter

Great list Peter… how many of these do you think Joomlart use in a standard template?
swemmel Friend
October 17, 2008 at 4:16 pm #275897
@mfcphil 86618 wrote:
> Great list Peter… how many of these do you think Joomlart use in a standard template?

None, but people do install 3rd-party components and modules, don't you think? :confused: And how many people who install 3rd-party components will check this list, or even know it exists?
Here is a complete checklist on how to make your site as secure as possible: http://docs.joomla.org/Category:Security
Peter
mfcphil Friend
October 17, 2008 at 4:22 pm #275899
What about things like sitemap and sef404?
Menalto Friend
October 17, 2008 at 4:24 pm #275900
@mfcphil 86618 wrote:
> Great list Peter… how many of these do you think Joomlart use in a standard template?

None!
Since the template has nothing to do with the extensions. And that's up to the site user/owner, what kind of extensions they are going to use.
Wonder how the showcase section would look here if people don't/can't post their site URL?
But as I said before, it's up to the support staff whether a live URL is needed or not to solve the problem.
mfcphil Friend
October 17, 2008 at 4:28 pm #275903
So what's your take on this Menalto… are we all under threat? :confused:
And if Joomla uses nothing on the list, what do you think got your site hacked?
sbaldwin Friend
October 17, 2008 at 5:00 pm #275906
For all of you that install extensions from places like Joomla.org, be sure that the extension plug-in does not require 'allow_url_fopen' to be ON. In fact I just downloaded EZ Weather to install on my site only to find out it wanted me to change this from OFF to ON! Be careful to check it. The Joomla.org help files under security even mention that this is a major security problem and to report any extensions that require this to be changed to ON.
See below what was sent to me by my hosting service. Also be sure you are at J1.5.7 as usual 😀
We would like to inform you and the contacts on your account of a change we will be making soon to our xxxService platform. To further strengthen security for our clients, we will be making a global change to the PHP environment. This change will help considerably in stopping your site(s) from being compromised, as well as help thwart the unauthorized use of our servers for abusive or malicious purposes.
BACKGROUND:
There is a parameter for php called ‘allow_url_fopen’ that is currently enabled in both our PHP4 and PHP5 environments. If the proper precautions are not taken in PHP a large number of code injection vulnerabilities frequently reported in PHP-based web applications are possible. We understand that our customers install a great number of PHP-driven applications, many of them from the open-source community. Unfortunately a great number of them can potentially fall prey to these vulnerabilities. As a company the best that we can do in a shared environment is to provide sane global defaults that protect the majority of our customer base.
The process is very straightforward; include the following line in your php.ini file at /home/####/etc/php.ini (replace #### with your site number)
allow_url_fopen = Off
Should you come across errors directly related to this change you can simply modify the flag to ‘On’ which will be honored post-change as well:
allow_url_fopen = On
With this particular change your setting in php.ini will always be honored regardless of the global values. With that in mind we would highly suggest further researching and examining aspects of your site that depend on this functionality to see if a safer method can be used instead. If this software was obtained from a 3rd party we would suggest contacting their developer.
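The hosting notice above explains why the flag matters but not what a site owner can check from inside PHP. The following is an added example, not code from this thread, from JoomlArt or from the hosting provider: it reports the effective value of `allow_url_fopen` for the running interpreter, shows the request-controlled file read the notice is warning about, and beside it a loader that stays local whatever php.ini says. All function names, the template directory and the sample template are assumptions made for the example (PHP 5.3 or later).

```php
<?php
// Added example: not from the forum thread or the hosting provider's notice.
// 1. Report the effective allow_url_fopen setting, so an extension that asks
//    for it to be turned on can be spotted and refused.
// 2. Show the unsafe "path straight from the request" pattern next to a loader
//    that only ever reads files below a fixed directory.

// Effective value of allow_url_fopen for this request.
function urlFopenIsEnabled()
{
    // ini_get() returns "1" when the flag is on and "" or "0" when it is off.
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// The pattern the notice warns about: the path comes straight from the request,
// so with allow_url_fopen=On it may also name a remote resource, and with it
// Off it can still name a local file outside the intended directory.
// Shown for contrast only; nothing below calls it.
function loadTemplateUnsafe($name)
{
    return file_get_contents($name);
}

// Hardened form: accept only a plain "name.html", resolve it with realpath()
// and require the result to stay below $baseDir. Neither a URL nor a ".."
// segment passes the name check, and realpath() rejects anything that does
// not exist as a local file, independent of the php.ini flag.
function loadTemplate($baseDir, $name)
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $name)) {
        throw new InvalidArgumentException("bad template name: $name");
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("template not found under $baseDir: $name");
    }
    return file_get_contents($path);
}

// Demo with a constructed template directory (hypothetical sample data).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.html', "<h1>Welcome</h1>\n");

echo 'allow_url_fopen is ', urlFopenIsEnabled() ? 'On' : 'Off', "\n";
echo loadTemplate($dir, 'home.html');

// Names the hardened loader must refuse: a URL, a parent-directory reference,
// a wrong extension and a file that simply does not exist.
$rejects = array('http://example.invalid/home.html', '../outside.html',
                 'home.html.php', 'missing.html');
foreach ($rejects as $bad) {
    try {
        loadTemplate($dir, $bad);
        echo "unexpectedly loaded $bad\n";
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.html');
rmdir($dir);
```

Run it once with the hosting provider's `allow_url_fopen = Off` and once with `On`: the first line of output changes, the loader's behaviour does not, which is the point of validating the name in code rather than relying on the global flag alone.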
swemmel Friend
October 17, 2008 at 5:05 pm #275907
@mfcphil 86622 wrote:
> What about things like sitemap and sef404?

As you can see in the list, it is noted which versions are vulnerable and whether there is a solution. And if yes, what the solution is.
The only 3rd-party components JoomlArt have used in their templates, as far as I know, are Community Builder, Virtuemart, RS Gallery and Fireboard. Fireboard is not on the list. Community Builder is on the list, but it is safe from version > 1.0.0, so this one is ok too. RS Gallery (used in JA Avian) is version 1.14, so also ok. Only with Virtuemart, they used version 1.0.12 in the JA Larix Quickstart. This version is vulnerable. So when somebody from JoomlArt reads this, maybe they can update the quickstart with a newer version of Virtuemart.
Sitemap and sef404 are not used by Joomlart in their templates as far as I know.
Peter
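Peter's check above (read each extension's version, look it up on the Vulnerable Extensions List, compare against the first safe version) can be scripted so it is repeated after every install. The following is an added example, not code from the thread, from JoomlArt or from Joomla.org: it reads name and version from Joomla-style manifest XML and compares them with `version_compare()`. The manifests and the vulnerability entries are constructed sample data (the only page-supported fact is that Community Builder is safe above 1.0.0; the Virtuemart fixed version, the `com_oldforum` entry and the function names are assumptions).

```php
<?php
// Added example: not from the forum thread or the Joomla.org list.
// Compares installed extension versions, as declared in their manifest XML,
// against a small vulnerability list using proper version comparison.

// Constructed vulnerability list. 'fixed' is the first safe version, or null
// when no fixed release exists (the extension must then be removed).
$vulnerableList = array(
    'com_comprofiler' => array('fixed' => '1.0.1'),  // "safe from version > 1.0.0"
    'com_virtuemart'  => array('fixed' => '1.1.0'),  // constructed sample value
    'com_oldforum'    => array('fixed' => null),     // constructed: no fix published
);

// Constructed manifests in the shape a Joomla 1.5 manifest uses; a real audit
// would read each extension's XML file from the components/ and modules/ dirs.
$manifests = array(
    '<install type="component"><name>com_comprofiler</name><version>1.2</version></install>',
    '<install type="component"><name>com_virtuemart</name><version>1.0.12</version></install>',
    '<install type="component"><name>com_oldforum</name><version>2.3.1</version></install>',
    '<install type="module"><name>mod_weather</name><version>0.9</version></install>',
    '<install type="module"><name>mod_broken</name></install>',
);

// Extract name and version from one manifest document; null if either is missing.
function readManifest($xmlString)
{
    $xml = simplexml_load_string($xmlString);
    if ($xml === false || !isset($xml->name) || !isset($xml->version)) {
        return null;
    }
    return array(
        'name'    => trim((string) $xml->name),
        'version' => trim((string) $xml->version),
    );
}

// Classify one extension as 'ok', 'vulnerable', 'unfixed' or 'not listed'.
function assessExtension($name, $version, array $list)
{
    if (!isset($list[$name])) {
        return 'not listed';
    }
    $fixed = $list[$name]['fixed'];
    if ($fixed === null) {
        return 'unfixed';
    }
    // version_compare() orders "1.0.12" before "1.1.0"; a plain string
    // comparison would get that wrong.
    return version_compare($version, $fixed, '>=') ? 'ok' : 'vulnerable';
}

foreach ($manifests as $m) {
    $info = readManifest($m);
    if ($info === null) {
        echo "manifest without name/version: skipped\n";
        continue;
    }
    printf("%-18s %-8s %s\n", $info['name'], $info['version'],
           assessExtension($info['name'], $info['version'], $vulnerableList));
}
```

With the constructed data the run reports `com_comprofiler` as ok, `com_virtuemart 1.0.12` as vulnerable, `com_oldforum` as unfixed and `mod_weather` as not listed; "not listed" only means the list has no entry, not that the extension is safe, which is why Peter also recommends watching each producer's own site.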
mfcphil Friend
October 17, 2008 at 5:12 pm #275909
Peter, are the older versions of Joomla like 1.0 at more risk than 1.5.7 or whatever the latest version is?
Some people, me included, get their 1.0 CMS provided with the server.
swemmel Friend
October 17, 2008 at 6:28 pm #275917
@mfcphil 86635 wrote:
> Peter, are the older versions of Joomla like 1.0 at more risk than 1.5.7 or whatever the latest version is?
> Some people, me included, get their 1.0 CMS provided with the server.

Hi McPhil,
The answer is no. Just keep your Joomla sites up-to-date with the latest Joomla versions for your installed series.
The latest versions are:
- Joomla 1.0.15 (for the 1.0.x-series)
- Joomla 1.5.7 (for the 1.5.x-series)
Regards,
Peter
jwellman Friend
October 17, 2008 at 6:47 pm #275919
First of all, thank you everyone for your many suggestions and advice. As a team I think this has been one of the most useful thread topics I've read on JA. It is nice to learn from the experience (and sadly sometimes mistakes) of others. In the past we've dealt mostly with phpBB forums and regular HTML web-sites. We just started using Joomla in June of this year so the advice given thus far has been extremely helpful.
The reason one of my sites was hacked was out of my own stupidity. The site receives a lot of traffic and the needed updates had not been done (Using JA Wistery). It was an open book for the hacker and he took over the home page. Until a few weeks ago I had not been watching Joomla.org for updates. Live and Learn I suppose…
One of the things I changed was allowing robots to index the pages on the forum. From what I’ve read, indexing is good, at least while trying to get your site in the search engines, but once your site has been found you should disable the ability of the robots. After the hack, I turned off the robot capabilities in the PHPbb forum and so far so good. Do you agree or disagree with disabling the robots?
Once Menalto was able to retrieve the home page I disabled everything. (Contact page – User Registration, etc…) Now basically the home page’s only purpose is to introduce the forum. Once I have my security in place I would like to integrate the CB component.
We are taking advice from each of you and also doing our own research on security measures. While doing so we stumbled upon an article that suggested not using our Joomla sites in Legacy mode. The author claimed that Legacy mode has the potential of putting your site at a deeper risk of intrusion.
We are currently working with the newest template (JA Sanidine) but it requires Legacy to use the Fireboard forum. We have disabled the forum part of the template until we research further. We are also using Legacy mode on a few other sites due to other components that are in use. So far no one on JA has mentioned anything about Legacy. What are your opinions on having it enabled?
swemmel Friend
October 17, 2008 at 6:57 pm #275920
@jwellman 86649 wrote:
> First of all, thank you everyone for your many suggestions and advice. As a team I think this has been one of the most useful thread topics I've read on JA. It is nice to learn from the experience (and sadly sometimes mistakes) of others. In the past we've dealt mostly with phpBB forums and regular HTML web-sites. We just started using Joomla in June of this year so the advice given thus far has been extremely helpful.
> The reason one of my sites was hacked was out of my own stupidity. The site receives a lot of traffic and the needed updates had not been done (Using JA Wistery). It was an open book for the hacker and he took over the home page. Until a few weeks ago I had not been watching Joomla.org for updates. Live and Learn I suppose…
> One of the things I changed was allowing robots to index the pages on the forum. From what I've read, indexing is good, at least while trying to get your site in the search engines, but once your site has been found you should disable the ability of the robots. After the hack, I turned off the robot capabilities in the PHPbb forum and so far so good. Do you agree or disagree with disabling the robots?
> Once Menalto was able to retrieve the home page I disabled everything. (Contact page – User Registration, etc…) Now basically the home page's only purpose is to introduce the forum. Once I have my security in place I would like to integrate the CB component.
> We are taking advice from each of you and also doing our own research on security measures. While doing so we stumbled upon an article that suggested not using our Joomla sites in Legacy mode. The author claimed that Legacy mode has the potential of putting your site at a deeper risk of intrusion.
> We are currently working with the newest template (JA Sanidine) but it requires Legacy to use the Fireboard forum. We have disabled the forum part of the template until we research further. We are also using Legacy mode on a few other sites due to other components that are in use. So far no one on JA has mentioned anything about Legacy. What are your opinions on having it enabled?

Hi jwellman,
A good place to search are the forums on Joomla.org. 😉 I did a little search on "security legacy" and found this article: http://forum.joomla.org/viewtopic.php?f=432&t=330714&start=0&st=0&sk=t&sd=a
So the answer is no, legacy mode does not influence security. Legacy mode gives you the opportunity to use J1.0 components. But the risk with that is that they will be less and less developed and maintained. So possibly new security holes in J1.0.x 3rd-party products will not be repaired anymore. So it is also useful to keep track of the websites of the producers of the 3rd-party products you use. And of course the vulnerable-extension list.
Kind regards,
Peter
Menalto Friend
John Wesley Brett Moderator
October 17, 2008 at 7:22 pm #275924
So now back to the original post… regarding not posting live URLs.
Yes…we should all heed security warnings…as live URLs are NOT the issue.
I don’t know of anyone running a site, personal or business, that is willing to say…”I have a website, but let me send you a private post to tell you what the URL is because it might get hacked. Oh, and PLEASE don’t tell Google that this URL exists.”
If a site gets hacked…shame on the owner for not heeding security issues.
Thanks to all of you who have contributed to this thread for bringing the importance of security back to the forefront of our minds.
Menalto Friend
October 17, 2008 at 7:27 pm #275925
I suggest a moderator close this post, and if needed a new post can be made discussing security, not live URLs, since this one here just makes people confused.
This topic contains 34 replies, has 10 voices, and was last updated by mfcphil 16 years, 1 month ago.