[SATLUG] My new site...would like some feedback
K. Spoon
kell at spoonix.com
Mon Oct 9 17:27:41 CDT 2006
On Mon, Oct 09, 2006 at 03:13:52PM -0500, Justizin wrote:
> On 10/9/06, Hector Bojorquez <hector.bojorquez at gmail.com> wrote:
> >ooo doggy... here comes the Plone/Zope jihadist!
> >
>
> Well, easy to call me names. ;)
It's fun, too, binky.
> Truth is, I have never heard anyone say that Joomla, Mambo, or any of
> their 1,793 friends might be a serious system-level security risk.
> I'm curious at knowing what sort of vulnerabilities have arisen.
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mambo
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=joomla
A lot of those are "remote file inclusion", which basically means an
attacker can use something to get your machine to execute arbitrary code
with the same privs as the user under which the web server is running.
From there, it's one unpatched local exploit to root and a day wasted
reinstalling stuff, dusting off the backups, and getting back online
again. And, even if you use apt, there's at least one you either missed
or don't have covered yet.
Looking at the vulnerabilities, you'll notice a couple of common themes:
1) it's generally the same bug repeated over and over and over again
2) the bug usually occurs in either fringe parts of the code or an
add-on for the application (calendars, addressbooks, joke-of-the-day
modules, etc)
So the question isn't really "are these applications insecure?" so much
as it is "would the 3rd party folks who are 'extending' the application
be less likely to make the same mistakes if the app provided a clear API
and some tutorialish documentation to show them how to do things
safely?"
--
K. Spoon <kell at spoonix.com>
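A worked example of the point above, added here and not code from this thread, Joomla or Mambo: the include pattern behind the "remote file inclusion" entries in those CVE lists, next to the kind of safe module-loading helper an application's API could hand to extension authors. The `ModuleLoader` class, the `modules/` directory and the module names are assumptions.

```php
<?php
// Added example, not code from the thread, Joomla or Mambo. The bug class
// behind most entries in the CVE lists above: an add-on builds an include
// path from request data. With allow_url_include on the "file" can be a
// URL; with it off it can still be any readable local path.

// VULNERABLE (hypothetical add-on): the request chooses what is included.
function load_module_unsafe(array $request): void
{
    include $request['mod'] . '.php';
}

// HARDENED: the kind of helper a "clear API" for extension authors could
// ship. Modules are plain identifiers, checked against an allowlist, loaded
// only from one fixed directory, and the resolved path must stay inside it.
final class ModuleLoader
{
    private string $baseDir;
    private array $allowed;   // list of permitted module identifiers

    public function __construct(string $baseDir, array $allowed)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new RuntimeException("module dir missing: $baseDir");
        }
        $this->baseDir = $real;
        $this->allowed = $allowed;
    }

    /** Resolved path for $name, or null if it must not be loaded. */
    public function resolve(string $name): ?string
    {
        // Plain identifiers only: no slashes, dots, colons or NUL bytes.
        if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)
            || !in_array($name, $this->allowed, true)) {
            return null;
        }
        $path = realpath($this->baseDir . DIRECTORY_SEPARATOR . $name . '.php');
        // realpath() fails for URLs and missing files; the prefix check keeps
        // a symlinked module file from pointing outside the module directory.
        if ($path === false || strpos($path, $this->baseDir . DIRECTORY_SEPARATOR) !== 0) {
            return null;
        }
        return $path;
    }
}
// Usage: $loader = new ModuleLoader(__DIR__ . '/modules', ['calendar', 'addressbook']);
//        if (($p = $loader->resolve($_GET['mod'] ?? '')) === null) { http_response_code(404); exit; } require $p;
```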