[Klug-general] January 2009 Meeting

MacGyveR macgyver at thedumbterminal.co.uk
Mon Jan 12 19:44:59 UTC 2009


On Monday 12 Jan 2009, MacGyveR wrote:
> On Monday 12 Jan 2009, Laurence Southon wrote:
> > Mike Evans wrote:
> > > We should, however, take
> > > the appropriate steps to ensure that we are not vulnerable to an
> > > attack. Doing so would seem to be a matter of controlling certain
> > > global settings for PHP, and checking the provenance of any plug-ins
> > > used, and perhaps being conservative in the number used.
> >
> > It's also important to ensure that Joomla calls php scripts as its own
> > user and not the Apache2 user (www-data on Debian).
> >
> > This can be achieved either using suphp or installing Apache2 using the
> > mpm-itk module rather than the default mpm-worker.
> >
> > Both methods have pros and cons, so I'd be interested in anyone's
> > experience/comment on this.
> >
> > Also vital to keep Joomla up to date. A security fix was announced just
> > this weekend.
> >
> > LS
>
> Agree,
>
> I've been using suphp for years and I don't have any major problems with it,
> it is very easy to install and basically works the same as the Apache
> suexec. I have had it working with Joomla, Mambo etc..
>
> Keeping Joomla up to date will keep risks to a minimum, I imagine there is a
> Joomla list you can subscribe to, to be alerted of new releases. If not then a
> subscription to a security list (bugtraq etc..) could also be used. Don't
> forget that 3rd party plugins may have different problems and release
> cycles, so that is one thing to bear in mind when installing them.
>
> Suhosin is another alternative, but I don't have any experience of it, but
> it does come from a reputable source:
>
> http://www.hardened-php.net/suhosin/index.html
>
> Maybe even look in to the mod_security apache module to block common
> attacks.
>
> I think that Joomla will tell you it's up to date from the control panel,
> you just have to log in regularly :-)

Sorry to all that I posted an HTML message, I'll get my coat

-- 
--------------------------------
http://www.thedumbterminal.co.uk
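As an added illustration (not from the thread or from any of the posters), this is what Laurence's two options look like in an Apache 2 virtual host: mpm-itk switching the whole worker to a per-site user, and suphp as the alternative for the stock MPM. The user/group `joomla`, the ServerName and the paths are assumptions.

```apache
# Added example, not from the thread. Assumes: per-site user/group "joomla",
# DocumentRoot /var/www/joomla, a Debian-style Apache 2 layout.

# --- Option 1: apache2-mpm-itk ------------------------------------------
# Every request for this vhost is handled by a worker that has dropped
# from root to the per-site user, so a compromised PHP script runs as
# "joomla", not as www-data, and cannot touch other sites' files.
<VirtualHost *:80>
    ServerName joomla.example.org
    DocumentRoot /var/www/joomla

    # mpm-itk: serve this vhost as its own user/group instead of www-data
    AssignUserID joomla joomla

    <Directory /var/www/joomla>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>

# --- Option 2: mod_suphp with the default MPM ----------------------------
# Apache itself keeps running as www-data; only the PHP interpreter is
# exec'd, via the setuid suphp wrapper, as the given user. Cost: one PHP
# process per request (no opcode cache), and suphp refuses to run scripts
# or directories that are writable by others.
<VirtualHost *:80>
    ServerName joomla.example.org
    DocumentRoot /var/www/joomla

    # hand .php files to suphp rather than to mod_php
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-suphp
    </FilesMatch>
    suPHP_Engine on
    suPHP_AddHandler application/x-httpd-suphp
    # user/group the interpreter switches to (needs suphp built in
    # force or paranoid mode; in owner mode the file owner is used)
    suPHP_UserGroup joomla joomla
</VirtualHost>
```

In either setup the web root should be owned by `joomla` and not writable by www-data, otherwise the separation buys little; note that mpm-itk works with mod_php still loaded, whereas suphp requires mod_php to be disabled for .php files.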