<html><head><meta name="qrichtext" content="1" /></head><body style="font-size:10pt;font-family:Sans Serif">
<p>On Monday 12 Jan 2009, Laurence <span style="color:#ff0000">Southon</span> wrote:</p>
<p><span style="color:#008000">> Mike Evans wrote:</span></p>
<p><span style="color:#007000">> > We should, however, take</span></p>
<p><span style="color:#007000">> > the appropriate steps to ensure that we are not vulnerable to an attack.</span></p>
<p><span style="color:#007000">> > Doing so would seem to be a matter of controlling certain global</span></p>
<p><span style="color:#007000">> > settings for PHP, and checking the provenance of any plug-ins used, and</span></p>
<p><span style="color:#007000">> > perhaps being conservative in the number used.</span></p>
<p><span style="color:#008000">></span></p>
<p><span style="color:#008000">> It's also important to ensure that Joomla calls php scripts as its own</span></p>
<p><span style="color:#008000">> user and not the Apache2 user (www-data on Debian).</span></p>
<p><span style="color:#008000">></span></p>
<p><span style="color:#008000">> This can be achieved either using suphp or installing Apache2 using the</span></p>
<p><span style="color:#008000">> mpm-itk module rather than the default mpm-worker.</span></p>
<p><span style="color:#008000">></span></p>
<p><span style="color:#008000">> Both methods have pros and cons, so I'd be interested in anyone's</span></p>
<p><span style="color:#008000">> experience/comment on this.</span></p>
<p><span style="color:#008000">></span></p>
<p><span style="color:#008000">> Also vital to keep Joomla up to date. A security fix was announced just</span></p>
<p><span style="color:#008000">> this weekend.</span></p>
<p><span style="color:#008000">></span></p>
<p><span style="color:#008000">> LS</span></p>
<p></p>
<p>Agree,</p>
<p></p>
<p><span style="color:#ff0000">i've</span> been using <span style="color:#ff0000">suphp</span> for years and i <span style="color:#ff0000">dont</span> have any major problems with it, it is very easy to install and basically works the same as the apache <span style="color:#ff0000">suexec</span>. I have had it working with <span style="color:#ff0000">joomla</span>, mambo etc..</p>
<p></p>
<p>Keeping <span style="color:#ff0000">joomla</span> up to day will keep risks to a minimum, i imagine there is a <span style="color:#ff0000">joomla</span> list you can subscribe to be alerted of new releases. If not then a subscription to a security list (<span style="color:#ff0000">bugtraq</span> etc..) could also be used. Don't forget that 3rd party plugins may have different problems and release cycles, so that is one thing to bear in mind when installing them. </p>
<p></p>
<p><span style="color:#ff0000">Suhosin</span> is another alternative, but I don't have any experience of it, but it does come from a reputable source:</p>
<p></p>
<p><span style="color:#ff0000">http</span>://<span style="color:#ff0000">www</span>.hardened-<span style="color:#ff0000">php</span>.net/<span style="color:#ff0000">suhosin</span>/index.<span style="color:#ff0000">html</span></p>
<p></p>
<p>Maybe even look in to the mod_security apache module to block common attacks.</p>
<p></p>
<p>I think that joomla will tell you its up to date from the control panel, you just have to login regulary :-)</p>
<p></p>
<p>-- </p>
<p>--------------------------------</p>
<p><span style="color:#ff0000">http</span>://<span style="color:#ff0000">www</span>.thedumbterminal.<span style="color:#ff0000">co</span>.<span style="color:#ff0000">uk</span></p>
<p></p>
</body></html>