Joomla Tips

Test of SymLinks

Written by Ken Task

Let's see if an image in /home/images/ can be linked via Joomla:

[image: archive_f2]

Yep!  The image above is coming from /home/images/.
In Joomla's images/stories folder there is a symlink called 'symlinkimages' pointing to /home/images/.
Images in /home/images can be uploaded via SFTP/SCP.
Two things have to be true for this to work: the web server must be allowed to follow the link (in Apache, Options FollowSymLinks or SymLinksIfOwnerMatch on that directory), and /home/images must be readable by the web server user. Keep in mind that the link makes everything under /home/images reachable from the web, not only images, so put nothing there that isn't meant to be public.

[image: symlinkjoomla]
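As an added example (not part of the original post), here is a small shell script that creates that symlink and then audits what it exposes. The default paths are assumptions about the layout described above; pass your own as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): create the symlink described
# above and audit what it exposes. Both paths are arguments; the defaults
# are assumptions about where Joomla and the image directory live.

# Create (or repoint) images/stories/symlinkimages -> target directory and
# print the canonical path the link resolves to.
make_symlink() {
  stories="${1:-/var/www/html/images/stories}"
  target="${2:-/home/images}"
  [ -d "$target" ] || { echo "target $target is not a directory" >&2; return 1; }
  ln -sfn "$target" "$stories/symlinkimages"
  readlink -f "$stories/symlinkimages"
}

# Everything under the link becomes web-readable once Apache follows it, so
# list any file reachable through it that is not an image. Anything printed
# here (config files, notes, scripts) should be moved out of the directory.
non_image_files() {
  link="${1:-/var/www/html/images/stories/symlinkimages}"
  find -L "$link" -type f \
    ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' ! -iname '*.gif'
}

# Count of such files, convenient for a cron check: 0 means clean.
non_image_count() {
  non_image_files "$1" | wc -l | tr -d ' '
}
```

Run `make_symlink` once, then put `non_image_count` in a periodic job and alert on anything other than 0; the check follows the link the same way the web server does, so it reports exactly the files a visitor could fetch.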



Joomla Vulnerabilities - XSS injection

Written by Ken Task


Ever wonder what the heck an XSS injection vulnerability IS?
(Not that one should really care to KNOW, but it doesn't hurt to begin thinking more securely: any OS, any app, and ANY DEVICE!)

Recently, Joomla announced an upgrade just for an XSS injection.  They never fully disclose the specifics, as that might be self-defeating.
They do rate the vulnerability; this last one was 'medium', which gives you some clue as to how important it is and helps you decide whether or not this is something to change your priority list over.
(Uhhh, my best advice: medium or NOT, just do it!)

Here's a site that will help with understanding XSS Injections:
http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/XSS-Injection

They even provide information on a SAFE way for you to test! ;)
[IF a site offers a 'free' site check, should you take it?  OR is that 'free' check a way for them to collect vulnerable targets?]

Ok, let's say you do run a Joomla.  What's the quickest, EASIEST way to update a Joomla?
Answer: install the update manager component.

You CAN do it from your Admin backend:
Extensions
Install/Uninstall
Install from URL:
http://www.k12os-foss.net/jinstalls/com_jupdateman_151.tgz
as the location of the component to install.
Click "Install".
(Installing from a URL means you are trusting whatever that host serves over plain HTTP, so fetch the package from the component author's own site where you can.)

That will display under the Components menu as 'Update Manager'.
It's simple to use.  Just one piece of advice: BACKUP your site first
(always a good practice).
AND, rather than doing a full update, use the patch update option.
It's faster and fetches only the core files that need fixing!

Truth in Advertising: the above is known to work on Linux flavored boxen.
Good chance that a MacOSX server can do it.  Windows: unknown.
Since the package is a .tgz, your mileage might vary.

When in doubt, DON'T on your production site.  Step through the process on a 'sandbox' Joomla installation to test FIRST!


Essential Joomla Resources and Help

Written by Ken Task


Joomla can be frustrating at times.  At first, there is a learning curve.  But, once concepts are grasped (working with a backend DB, positions, etc.) and due diligence is exercised with research (before installation of add-ons), Joomla is a solid content management system.

Along with researching add-ons compatibility, keeping informed is also necessary.  Makes no difference if remotely hosted or not.

Here are some links that will help towards that end:

http://docs.joomla.org/Category:Security_Checklist
http://docs.joomla.org/Vulnerable_Extensions_List
http://docs.joomla.org/Investigation_of_exploits


How to check version of Joomla when ...

Written by Ken Task

... when one doesn't have admin access but does have a command line:

fgrep '$RELEASE' /var/www/html/libraries/joomla/version.php;
fgrep '$DEV_LEVEL' /var/www/html/libraries/joomla/version.php

This will show the release version (like 1.5) and the patch (.##) level.  The path assumes a Joomla 1.5 installed in /var/www/html; adjust it to your own docroot.

Joomla resources worth bookmarking/favoriting:

http://www.joomla.org/announcements/release-news/
http://docs.joomla.org/Upgrade_Instructions
http://docs.joomla.org/Category:Version_1.5.19_FAQ
http://docs.joomla.org/Vulnerable_Extensions_List

Time for some Joomla Spring Cleaning?

Written by Ken Task

For those of you that run Joomla, you might want to add this to your list of things to do on a regular basis.

Joomla core is normally secure and easy to update with the update component installed (JUpdateMan).  That component, however, won't update the add-ons you might have installed.  As such, please consider checking this resource:

http://secunia.com/advisories/search/?search=joomla

It will show which 3rd party add-on components have issues.
First, of course, it's a good idea to note what add-ons you've installed.  Log in to the Admin side.  Go to Extensions, Install/Uninstall, then the tab for Components.  You'll see a listing which shows name, version number, and author.  Those that show "Joomla! Project" are core.  3rd party components might show the author's name or provide a non-clickable URL.  Holding the mouse over the author's name will render a pop-up showing the URL of the web site and the author's email address.

The fix might be simple if the 3rd party add-on is still being maintained: just install the latest/most secure version.  IF there doesn't appear to be an updated version, it's best to remove it.  Don't forget, if you were using it, removing it may not be possible until you unlink it from your menus; and if it does remove with no warning, you may have broken some link in your menus.

Set the display of components to "all", then print to a PDF file for future checking.
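The same inventory can be built from the command line, which helps when (as in the version check above) you have shell access but no admin login. This is an added example, not from the original post; it assumes each component's manifest sits in administrator/components/com_*/ as an XML file with <name>, <version> and <author> elements, and that core components carry the author "Joomla! Project" as they do in the backend listing.

```shell
#!/bin/sh
# Added example (not from the original post): build the component inventory
# from the filesystem. Assumes the usual layout where each component keeps its
# manifest at administrator/components/com_*/<something>.xml and that core
# components carry the author "Joomla! Project".

# One tab-separated line per component: name, version, author.
list_components() {
  root="${1:-/var/www/html}"
  for manifest in "$root"/administrator/components/com_*/*.xml; do
    [ -f "$manifest" ] || continue
    # Only component manifests (1.5 uses <install>, 1.6+ uses <extension>);
    # skip config.xml, access.xml and similar files in the same directory.
    grep -q -E '<(install|extension)[^>]*type="component"' "$manifest" || continue
    name=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$manifest" | head -n 1)
    version=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$manifest" | head -n 1)
    author=$(sed -n 's/.*<author>\([^<]*\)<\/author>.*/\1/p' "$manifest" | head -n 1)
    printf '%s\t%s\t%s\n' "${name:-?}" "${version:-?}" "${author:-?}"
  done
}

# The subset that is not core, i.e. what has to be checked against the
# advisory search and the Vulnerable Extensions List by hand.
third_party_components() {
  list_components "$1" | grep -v -F 'Joomla! Project' || true
}
```

Save the output of `third_party_components` alongside the PDF from the backend; diffing the two lists on the next pass shows you anything that appeared without going through the admin installer, which is worth a closer look.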

Another very good resource for checking all kinds of open source software vulnerabilities:
http://www.exploit-db.com/

It's a jungle out there, isn't it? :(
 
