[SATLUG] My new site...would like some feedback
Hector Bojorquez
hector.bojorquez at gmail.com
Tue Oct 10 08:18:44 CDT 2006
The bugs I encountered were with Facile Forms... it is designed for
building simple to relatively complex forms without much hassle. It's not a
bad piece of software, especially if you don't want to be the only person
building forms in an organization (or you are not merely a contract-leech
that doesn't build capacity within an organization).
The problem is that it opened up some severe holes when used with Advance
SEF (a third party component which writes Search Engine Friendly URLs).
When the bug was made CLEAR to the Facile Form guys... a patch was delivered
in three days.
You can tell a Mambo/Joomla site by simply doing a site:www.site.com
search on Google and looking for telltale URLs (com, option), etc.
This is a good link with tips to harden the site.
http://forum.joomla.org/index.php/topic,81058.0.html
And no, the account creation vector is not usually the problem... you can
prevent hacks by putting image validation in the registration process.
It normally comes down to people NOT configuring php.ini, httpd and MySQL
correctly...
Most folks take the config files straight out of the installation and leave
it at that.
i.e. Fedora Core MySQL installs with a blank MySQL password.
PHP leaves all options open out of the box.
On 10/10/06, Sexton, Art, ISD <ASexton956 at worldsavings.com> wrote:
>
> The bug you mention is, again, in a 3rd party extension... community
> builder:
>
> "com_comprofiler Components
>
> Application : com_comprofiler
>
> version : 1.0 RC 2"
>
> Also, this is an older version of community builder, 1.0 RC2 and the
> current version is 1.0.1
>
> And, even if they get in via this means, they only get access to the
> admin console of Joomla and can only deface the site.
>
> One of the security benefits from a CMS like Joomla is that it can be
> installed and then a password given to the user for maintenance. After
> this, there is no need to have a system user account, no shell access,
> no ftp access, etc.
>
> Just my 2 cents.
>
> However, although security through obscurity is not ideal, one of the
> things I usually do before putting a Joomla/Mambo site online is to
> remove the tag showing what kind of CMS it is.
>
> Art Sexton
>
>
> -----Original Message-----
> From: satlug-bounces at satlug.org [mailto:satlug-bounces at satlug.org] On
> Behalf Of K. Spoon
> Sent: Tuesday, October 10, 2006 2:15 AM
> To: The San Antonio Linux User's Group Mailing List
> Subject: Re: [SATLUG] My new site...would like some feedback
>
> On Mon, Oct 09, 2006 at 05:32:00PM -0500, Eli Cantu wrote:
> > Do these exploits all use the account creation vector?
>
> That depends on how the app handles authentication, which I don't have
> the first clue about.
>
> Just picking one of the CVEs at random, here's the bugtraq writeup for
> the vulnerability:
>
> http://www.securityfocus.com/archive/1/archive/444425/100/0/threaded
>
> The exploit works if:
>
> 1) the PHP install accepts GET for variable definition
> 2) $mosConfig_path doesn't get overwritten
> 3) there's no authentication call before rendering the page (which looks
> like the case here)
>
> Then they're in even without having to have access to the site through a
> valid username/password.
>
> --
> K. Spoon <kell at spoonix.com>
> --
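As an added defender-side example (not code from anyone in this thread): a small Python check that audits a php.ini against the permissive stock settings Hector describes, in particular register_globals, which is what lets request parameters define variables as in condition (1) of the quoted write-up. The hardening baseline, the directive list and the sample php.ini are assumptions constructed for this example.

```python
# Hardening baseline assumed for this example, not an official PHP/Joomla list.
# register_globals=Off removes condition (1) of the quoted write-up: request
# parameters can no longer define variables such as $mosConfig_path.
HARDENED_BASELINE = {
    "register_globals": "off",
    "allow_url_fopen": "off",   # no include()/fopen() of remote URLs
    "display_errors": "off",    # no path/version leakage in error output
    "expose_php": "off",        # no X-Powered-By header advertising PHP
}

# php.ini spells booleans several ways; normalise them to "on"/"off".
_BOOL_WORDS = {"on": "on", "1": "on", "true": "on", "yes": "on",
               "off": "off", "0": "off", "false": "off", "no": "off", "": "off"}


def parse_php_ini(text):
    """Return {directive: normalised value}; handles ';' comments, [sections],
    quoted values and PHP's last-definition-wins rule for repeated keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip().strip('"').lower()
        settings[key.strip().lower()] = _BOOL_WORDS.get(value, value)
    return settings


def audit_php_ini(text, baseline=HARDENED_BASELINE):
    """Return sorted (directive, found, expected) tuples for every deviation.
    A directive absent from the file is reported as 'unset', since then
    PHP's compiled-in default is what is actually in force."""
    settings = parse_php_ini(text)
    return sorted((d, settings.get(d, "unset"), want)
                  for d, want in baseline.items()
                  if settings.get(d, "unset") != want)


# Constructed sample resembling a php.ini left exactly as shipped.
SAMPLE_INI = """\
[PHP]
register_globals = On
allow_url_fopen = On
display_errors = On
expose_php = Off
"""
```

Run `audit_php_ini(SAMPLE_INI)` to get the three deviating directives; an empty list means the file meets the assumed baseline.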