Monday, August 18, 2008

A CMS called Joomla

Joomla! is a widely used content management system built with PHP and its frameworks. However, due to its large user base, hackers have been attracted to it like bees to honey.

An example of a pre-1.5.6 Joomla! security issue is the Joomla "token" Password Change Vulnerability, where the admin password could be reset easily. An attacker could then install the Joomla explorer component and upload malicious scripts.

The following are some precautions to take when installing Joomla!:

  1. Patch the OS and its other software
    1. Open only needed ports (HTTP, HTTPS)
    2. Patch the software
    3. Configure the software in a secure manner
  2. Verify that Joomla! is from the official site http://www.joomla.org
  3. During installation - Do not use the default MySQL tables prefix as jos_
  4. Change the default administrator name (default is admin)
  5. Remove all files as instructed by Joomla!, and any other unneeded files or directories.
  6. Ensure files and directories have the proper permissions. The values below are for Linux-based systems.
    1. PHP files: 644
    2. Config files: 666
    3. Other folders: 755
  7. Password protect sensitive directories with .htaccess
  8. Move the configuration.php file to outside of the web directory if possible. Make it non-writable.
  9. Use search engine friendly (SEF) URLs
    1. The Google inurl: command can be used to find sites exposing known vulnerable component URLs. Use Artio, SH404SEF or another SEF component to rewrite your URLs. This prevents hackers from finding the vulnerable URLs through such searches.
  10. Establish a security plan and ensure the relevant parties know about it.
  11. Remove unused extensions and themes. For the extensions and themes that remain, hide their version numbers from the end-user view.
  12. Subscribe to Joomla! and the extensions/themes sites for continuous updates. Additional sites that can help with updates:
    1. http://joomla-wiki.de/doku.php?id=howto_s:security:checklist
    2. http://docs.joomla.org/Joomla_Administrators_Security_Checklist
  13. Subscribe to security sites such as http://www.ictsecurity.gov.my/
  14. Carry out routine backups of the Joomla! site and its database.
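The following audit script is an added example, not code from the original post or from the Joomla! project: it checks a Joomla! document root against items 3, 6 and 8 of the checklist above (no writable PHP files or folders, a non-writable configuration.php, and a table prefix other than jos_). It assumes the Joomla! 1.5 configuration.php format (`var $dbprefix = 'jos_';`) and runs against a small constructed sample tree.

```sh
#!/bin/sh
# Added audit script (not from the post): checks a Joomla! document root
# against items 3, 6 and 8 of the checklist above. Assumes the Joomla! 1.5
# configuration.php format, e.g.  var $dbprefix = 'jos_';

# joomla_audit ROOT: prints each finding; returns 0 when all checks pass.
joomla_audit() {
    root="$1"; rc=0
    # Item 6: PHP files should be 644, so no group- or world-writable PHP file
    bad=$(find "$root" -type f -name '*.php' \( -perm -020 -o -perm -002 \) | wc -l)
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad group/world-writable PHP file(s)"; rc=1; }
    # Item 6: folders should be 755, so no group- or world-writable directory
    bad=$(find "$root" -type d \( -perm -020 -o -perm -002 \) | wc -l)
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad group/world-writable folder(s)"; rc=1; }
    cfg="$root/configuration.php"
    if [ -f "$cfg" ]; then
        # Item 8: configuration.php must not be writable by anyone (owner included)
        if find "$cfg" \( -perm -200 -o -perm -020 -o -perm -002 \) | grep -q .; then
            echo "FAIL: configuration.php is writable"; rc=1
        fi
        # Item 3: the default table prefix jos_ should not be in use
        if grep -Eq "dbprefix *= *['\"]jos_['\"]" "$cfg"; then
            echo "FAIL: default MySQL table prefix jos_ in configuration.php"; rc=1
        fi
    else
        echo "NOTE: no configuration.php under $root (moved outside the web root?)"
    fi
    return $rc
}

# make_sample DIR weak|hardened: builds a small constructed Joomla!-like tree
make_sample() {
    dir="$1"; mkdir -p "$dir/administrator" "$dir/components"
    printf '<?php\n' > "$dir/index.php"
    if [ "$2" = weak ]; then
        printf "<?php\nvar \$dbprefix = 'jos_';\n" > "$dir/configuration.php"
        chmod 666 "$dir/configuration.php"; chmod 777 "$dir/components"
    else
        printf "<?php\nvar \$dbprefix = 'k7q_';\n" > "$dir/configuration.php"
        chmod 444 "$dir/configuration.php"; chmod 644 "$dir/index.php"
        chmod 755 "$dir" "$dir/administrator" "$dir/components"
    fi
}

# Stand-alone demonstration against the constructed weak tree
demo=$(mktemp -d); make_sample "$demo" weak
joomla_audit "$demo" || echo "weak sample fails the audit, as expected"
rm -rf "$demo"
```

Run it as `joomla_audit /path/to/joomla` on a real document root; a non-zero exit status means at least one checklist item failed.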

Using Apache Benchmarking tools
One good reason to use the Apache web server is the availability of a benchmarking tool, ab. There are some constraints you should know about when using this data; read the documentation. Install Apache and execute as below:
ab -n7500 -c100 http://server.com/

Where
-n is the number of requests to make for the benchmark
-c is the number of concurrent requests

===========
Document Path: /
Document Length: 36649 bytes

Concurrency Level: 100
Time taken for tests: 183.819035 seconds
Complete requests: 500
Failed requests: 383
(Connect: 0, Length: 383, Exceptions: 0)
Write errors: 0
Total transferred: 6472586 bytes
HTML transferred: 6260026 bytes
Requests per second: 2.72 [#/sec] (mean)
Time per request: 36763.806 [ms] (mean)
Time per request: 367.638 [ms] (mean, across all concurrent requests)
Transfer rate: 34.38 [Kbytes/sec] received

Connection Times (ms)
              min   mean[+/-sd]  median     max
Connect:        0   1446  4324.4      0   21000
Processing:    47  23707 49002.2   1897  175812
Waiting:       47  21936 45081.7   1897  173650
Total:         47  25153 49793.2   2214  183816

Percentage of the requests served within a certain time (ms)
50% 2214
66% 6756
75% 10461
80% 27527
90% 132227
95% 151803
98% 175812
99% 181539
100% 183816 (longest request)
=== END ====

Other references:
For discussion on application security see https://nvd.nist.gov/cwe.cfm#NVD-CWE-DesignError.

My advice to those considering other CMSs is this:
All CMSs have their weak points. However, Joomla! has thus far been prompt with security notices and updates. Hackers tend to crawl the web from Friday to Sunday, when systems are unattended. As the caretaker of a Joomla! site you need to be proactive, and the same goes for any other CMS. Finally, Joomla! is easy to use for end users and provides lots of features for beautification.
