[Klug-general] January 2009 Meeting

MacGyveR macgyver at thedumbterminal.co.uk
Mon Jan 12 19:35:18 UTC 2009


On Monday 12 Jan 2009, Laurence Southon wrote:
> Mike Evans wrote:
> > We should, however, take
> > the appropriate steps to ensure that we are not vulnerable to an attack.
> >   Doing so would seem to be a matter of controlling certain global
> > settings for PHP, and checking the provenance of any plug-ins used, and
> > perhaps being conservative in the number used.
>
> It's also important to ensure that Joomla calls php scripts as its own
> user and not the Apache2 user (www-data on Debian).
>
> This can be achieved either using suphp or installing Apache2 using the
> mpm-itk module rather than the default mpm-worker.
>
> Both methods have pros and cons, so I'd be interested in anyone's
> experience/comment on this.
>
> Also vital to keep Joomla up to date. A security fix was announced just
> this weekend.
>
> LS

Agree,

I've been using suphp for years and I don't have any major problems with it; it is very easy to install and basically works the same as the Apache suexec. I have had it working with Joomla, Mambo, etc.

Keeping Joomla up to date will keep risks to a minimum; I imagine there is a Joomla list you can subscribe to in order to be alerted of new releases. If not, then a subscription to a security list (Bugtraq, etc.) could also be used. Don't forget that third-party plugins may have different problems and release cycles, so that is one thing to bear in mind when installing them.

Suhosin is another alternative; I don't have any experience of it, but it does come from a reputable source:

http://www.hardened-php.net/suhosin/index.html

Maybe even look into the mod_security Apache module to block common attacks.

I think that Joomla will tell you if it's up to date from the control panel; you just have to log in regularly :-)

-- 
--------------------------------
http://www.thedumbterminal.co.uk
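The three setups discussed in this thread side by side, as an added example that is not part of the original message: the default mod_php arrangement where every script runs as www-data, the same vhost under mpm-itk, and the same vhost under suphp. The user/group `joomla`, the DocumentRoot `/var/www/joomla` and the hostname `example.org` are assumptions for illustration.

```apache
# Added example, not from the original post. The joomla user/group,
# /var/www/joomla and example.org are assumed names.

# 1. Weak default: mod_php inside the Apache worker. Every PHP script on
#    the box runs as www-data, so a hole in one Joomla plugin gives read
#    (and often write) access to every other site's files and config.php.
<VirtualHost *:80>
    ServerName   example.org
    DocumentRoot /var/www/joomla
</VirtualHost>

# 2. mpm-itk: mod_php stays, but the child serving this vhost switches
#    to joomla:joomla before handling the request, so PHP (and static
#    file access) for this site runs as that user only.
<VirtualHost *:80>
    ServerName   example.org
    DocumentRoot /var/www/joomla
    AssignUserID joomla joomla
</VirtualHost>

# 3. suphp: .php files are handed to a setuid CGI wrapper which runs the
#    interpreter as the configured user and refuses scripts that are not
#    owned by that user or that are group/world writable (per suphp.conf).
#    mod_php must be disabled (a2dismod php5) so it does not also claim
#    the .php handler.
<VirtualHost *:80>
    ServerName   example.org
    DocumentRoot /var/www/joomla
    <Directory /var/www/joomla>
        suPHP_Engine      on
        suPHP_UserGroup   joomla joomla
        AddType           application/x-httpd-php .php
        suPHP_AddHandler  application/x-httpd-php
    </Directory>
</VirtualHost>
```

Whichever is chosen, check it rather than trust it: a throwaway script calling `posix_getpwuid(posix_geteuid())` in the Joomla DocumentRoot should report `joomla`, not `www-data`. Two caveats worth knowing when weighing the pros and cons Laurence asked about: mpm-itk is derived from prefork, so it replaces the MPM entirely (no worker threads), and each child starts as root and only drops privileges after the request has been read; suphp runs PHP as CGI, so opcode caches like APC no longer persist between requests and the `min_uid`, `docroot` and `allow_*_writeable` settings in `/etc/suphp/suphp.conf` need reviewing so that the wrapper neither refuses the site's files nor runs something it should not.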