[Klug-general] January 2009 Meeting

Peter Childs peterachilds at gmail.com
Mon Jan 12 19:54:54 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



2009/1/12 MacGyveR <macgyver at thedumbterminal.co.uk>
On Monday 12 Jan 2009, MacGyveR wrote:
> On Monday 12 Jan 2009, Laurence Southon wrote:
> > Mike Evans wrote:
> > > We should, however, take
> > > the appropriate steps to ensure that we are not vulnerable to an
> > > attack. Doing so would seem to be a matter of controlling certain
> > > global settings for PHP, and checking the provenance of any plug-ins
> > > used, and perhaps being conservative in the number used.
> >
> > It's also important to ensure that Joomla calls php scripts as its own
> > user and not the Apache2 user (www-data on Debian).
> >
> > This can be achieved either using suphp or installing Apache2 using the
> > mpm-itk module rather than the default mpm-worker.
> >
> > Both methods have pros and cons, so I'd be interested in anyone's
> > experience/comment on this.
> >
> > Also vital to keep Joomla up to date. A security fix was announced just
> > this weekend.
> >
> > LS
>
> Agree,
>
> I've been using suphp for years and I don't have any major problems with
> it, it is very easy to install and basically works the same as the apache
> suexec. I have had it working with joomla, mambo etc..
>
> Keeping joomla up to date will keep risks to a minimum, I imagine there is
> a joomla list you can subscribe to to be alerted of new releases. If not then a
> subscription to a security list (bugtraq etc..) could also be used. Don't
> forget that 3rd party plugins may have different problems and release
> cycles, so that is one thing to bear in mind when installing them.
>
> Suhosin is another alternative, but I don't have any experience of it, but
> it does come from a reputable source:
>
> http://www.hardened-php.net/suhosin/index.html
>
> Maybe even look in to the mod_security apache module to block common
> attacks.
>
> I think that joomla will tell you it's up to date from the control panel,
> you just have to login regularly :-)

Sorry to all that I posted an HTML message, I'll get my coat

- --
- --------------------------------
http://www.thedumbterminal.co.uk

_______________________________________________
Kent mailing list
Kent at mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/kent

Sorry to throw a spanner in the works, but if my memory serves me
correctly the old site ran Drupal and we had an excellent talk on what
could and could not be done with Drupal (and how to do it) only a few
months (maybe 6) ago in Canterbury.... (Or was I dreaming?)

Peter.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: http://getfiregpg.org

iEYEARECAAYFAklroAQACgkQdCiDiWPK5RyzJACdEYkZRCfpaDNdCMmrWGBjj0HB
Nn0AnAzjNsCIdgaUACy20oy7u4RQ+0dn
=jeeF
-----END PGP SIGNATURE-----
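The thread above recommends running each site's PHP as its own user (via suphp or mpm-itk) rather than as the shared Apache user. The script below is an added example, not code from the thread or from the Joomla, suphp or mpm-itk projects: it audits Apache vhost definitions and flags any vhost that sets neither an mpm-itk `AssignUserID` nor a mod_suphp `suPHP_UserGroup`, or that assigns a shared web-server account such as `www-data`. The directive names are the real ones from those modules; the vhost text embedded in the script is constructed sample data, and on a live host you would feed it the contents of `/etc/apache2/sites-enabled/*` instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit Apache vhost configs for
# per-site PHP user separation. Constructed sample vhosts follow; the
# real check is the audit_vhosts function, which reads config text on stdin.
SAMPLE_VHOSTS='
<VirtualHost *:80>
    ServerName joomla.example.org
    DocumentRoot /var/www/joomla
    AssignUserID joomla joomla
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.org
    DocumentRoot /var/www/blog
    suPHP_Engine on
    suPHP_UserGroup blog blog
</VirtualHost>
<VirtualHost *:80>
    ServerName legacy.example.org
    DocumentRoot /var/www/legacy
</VirtualHost>
<VirtualHost *:80>
    ServerName shared.example.org
    AssignUserID www-data www-data
</VirtualHost>
'

# audit_vhosts prints one line per vhost:
#   "<ServerName> OK <user>"  or  "<ServerName> WARN <reason>"
# A vhost with no AssignUserID (mpm-itk) and no suPHP_UserGroup (mod_suphp)
# would have its PHP executed as the Apache process user, which is the
# situation the thread warns against.
audit_vhosts() {
    awk '
        /<VirtualHost/ { name = "(unnamed)"; user = "" }
        $1 == "ServerName" { name = $2 }
        $1 == "AssignUserID" || $1 == "suPHP_UserGroup" { user = $2 }
        /<\/VirtualHost>/ {
            if (user == "")
                print name, "WARN", "no AssignUserID/suPHP_UserGroup; PHP runs as the Apache user"
            else if (user == "www-data" || user == "apache" || user == "nobody")
                print name, "WARN", "assigned to shared web-server user " user
            else
                print name, "OK", user
        }
    '
}

# count_warnings returns how many vhosts in the sample config fail the check.
count_warnings() {
    printf '%s\n' "$SAMPLE_VHOSTS" | audit_vhosts | grep -c ' WARN '
}

# Usage on the sample data; replace with: cat /etc/apache2/sites-enabled/* | audit_vhosts
printf '%s\n' "$SAMPLE_VHOSTS" | audit_vhosts
```

The check is deliberately conservative: it treats the absence of either directive as a finding, because both suphp and mpm-itk fall back to the Apache user when a vhost does not name one, and it also flags an explicit `www-data` assignment since that gives no more isolation than the default. On the sample data it reports `legacy.example.org` and `shared.example.org`.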