[SATLUG] My new site...would like some feedback

Eli Cantu eli at then7.com
Mon Oct 9 17:32:00 CDT 2006


Do these exploits all use the account creation vector?

I use joomla for small sites with low traffic.  Users are created by admin
only by invitation.


e

On Mon, October 9, 2006 5:27 pm, K. Spoon said:
> On Mon, Oct 09, 2006 at 03:13:52PM -0500, Justizin wrote:
>> On 10/9/06, Hector Bojorquez <hector.bojorquez at gmail.com> wrote:
>> >ooo doggy... here comes the Plone/Zope jihadist!
>> >
>>
>> Well, easy to call me names. ;)
>
> It's fun, too, binky.
>
>> Truth is, I have never heard anyone say that Joomla, Mambo, or any of
>> their 1,793 friends might be a serious system-level security risk.
>> I'm curious at knowing what sort of vulnerabilities have arisen.
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mambo
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=joomla
>
> A lot of those are "remote file inclusion", which basically means an
> attacker can use something to get your machine to execute arbitrary code
> with the same privs as the user under which the web server is running.
>
> From there, it's one unpatched local exploit to root and a day wasted
> reinstalling stuff, dusting off the backups, and getting back online
> again.  And, even if you use apt, there's at least one you either missed
> or don't have covered yet.
>
>
> Looking at the vulnerabilities, you'll notice a couple of common themes:
>
> 1) it's generally the same bug repeated over and over and over again
> 2) the bug usually occurs in either fringe parts of the code or an
> add-on for the application (calendars, addressbooks, joke-of-the-day
> modules, etc)
>
> So the question isn't really "are these applications insecure?" so much
> as it is "would the 3rd party folks who are 'extending' the application
> be less likely to make the same mistakes if the app provided a clear API
> and some tutorialish documentation to show them how to do things
> safely?"
>
> --
> K. Spoon <kell at spoonix.com>
> --
> _______________________________________________
> SATLUG mailing list
> SATLUG at satlug.org
> http://alamo.satlug.org/mailman/listinfo/satlug to unsubscribe
> Powered by Rackspace (www.rackspace.com)
>
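Added example, not code from this thread or from Joomla/Mambo: the PHP include pattern behind most of the "remote file inclusion" entries K. Spoon points to, beside an allowlist replacement of the kind a clear extension API would steer add-on authors toward. The module names and paths are constructed; the vulnerable variant only fetches remote code when PHP's allow_url_include setting is on, but an unchecked path is still a local-inclusion problem with it off.

```php
<?php
// Added example (not Joomla/Mambo code). Module names and paths are
// constructed for illustration.

// VULNERABLE: the include path is built from the request. With
// allow_url_include=On, a URL in the parameter makes PHP download and run
// that code as the web server user; with it Off, a relative path can still
// pull in any readable local file. No account is needed to hit this.
function load_module_unsafe(): void
{
    include $_GET['mod'] . '.php';
}

// HARDENED: the request value is only ever a key into a fixed map of
// known module files. Nothing from the request becomes part of a path,
// so URLs, traversal sequences and unknown names all fall through to null.
const MODULES = [
    'calendar'    => __DIR__ . '/modules/calendar.php',
    'addressbook' => __DIR__ . '/modules/addressbook.php',
];

function resolve_module(string $name): ?string
{
    return MODULES[$name] ?? null;
}

function load_module_safe(string $requested): bool
{
    $path = resolve_module($requested);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return false;
    }
    require $path;
    return true;
}

// Usage: load_module_safe($_GET['mod'] ?? '');
//
// Defence in depth, independent of the code above: set allow_url_include=Off
// (and allow_url_fopen=Off where nothing needs it) in php.ini, so a missed
// include elsewhere cannot reach out to the network.
```

The map is the whole point: an extension API that hands add-on authors a "register your module under a name" call, and loads only registered names, removes the temptation to build include paths from request data in the first place.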