Introducing JSST: The Joomla! Security Strike Team

Joomla! is serious about security.

Written by Alan Langford

Joomla! Security Strike Team

Security issues are an unfortunate fact of life for any online application.

The Joomla! team has always worked to aggressively defend against potential security breaches. Joomla 1.5 has deeply integrated defences against a variety of common attack vectors, such as SQL injection. Still, every complex application has the potential for vulnerabilities, and Joomla is no exception.

Last month, we experienced a worst-case scenario: an easily exploited critical vulnerability was made public before the Joomla team was made aware of it. Even though the team leaped into immediate action and issued a fix in record time, a lot of sites were affected.

In the wake of this crisis, we asked “what can we do better?” The answer is the Joomla Security Strike Team (JSST). The JSST is now the single focus point for Joomla security issues. The key responsibilities of the team are to:

  • Provide a single, highly visible place for reporting potential security issues, the Security Center.
  • Investigate and respond to core vulnerability reports.
  • Release information on verified issues in the most timely and responsible way possible.
  • Provide a reliable and highly available source of information for people writing about Joomla security.
  • Clearly define security threat levels and how the team will respond to them.
  • Help the community understand Joomla security and how to manage risk.


How to Help

The JSST is taking a more proactive role in core security. Drawing on both developers and outside security experts, the JSST will be performing code reviews and developing automated tests with the intent of detecting and eliminating vulnerabilities well before release.

There is no way to guarantee that Joomla can defend against any attack, but the JSST is on the job and working hard to get as close to that goal as possible!


6 Comments

  1. When the front page loads, some PHP notices are shown at the bottom. How can I solve this problem?
    PHP Notice: Constant _JEXEC already defined in C:\Domains\moneykhan.com\wwwroot\modules\mod_joomlawatch.php on line 14 PHP Notice: Constant DS already defined in C:\Domains\moneykhan.com\wwwroot\modules\mod_joomlawatch.php on line 28
  2. Ali,
    That looks like a problem with a module you have installed. So, I'd suggest that you go to the home page of the developer and ask for help or else ask for help in the joomla.org forums.
  3. I've had a problem logging in. One problem I discovered was that the captcha box was too small (on my browser) to see all of the letters or numbers. Another problem was the use of zero or the letter "O" in the captcha box. Who knows which is which? :P

    I did register on the Joomla site. After I clicked on the verification link in my email, it took me to a site very similar to a Wikipedia page. I assumed I was logged in everywhere, but this was not the case. And, when I did try to log in, I got all kinds of error messages, including wrong password, wrong verification code and so forth.

    Thanks
  4. In Joomla 1.5.6:

    It seems that the COM_MEDIA_BASE constant should not terminate with a "/", as in some places another "/" is added to the end of COM_MEDIA_BASE, resulting in a badly formatted path (terminating with "//").

    I altered my administrator\components\com_media\media.php at lines 33-35, which are:

    if(substr(strtolower($view),0,6) == "images" || $popup_upload == 1) $path = "image_path";
    define('COM_MEDIA_BASE', JPATH_ROOT.DS.$params->get($path, 'images/stories'));
    define('COM_MEDIA_BASEURL', JURI::root().$params->get($path, 'images/stories'));

    to the next few lines:

    if(substr(strtolower($view),0,6) == "images" || $popup_upload == 1) $path = "image_path";
    $tmpPath = $params->get($path, 'images/stories');
    if(substr($tmpPath, -1) == '/') $tmpPath = substr($tmpPath, 0, -1);
    define('COM_MEDIA_BASE', JPATH_ROOT.DS.$tmpPath);
    define('COM_MEDIA_BASEURL', JURI::root().$tmpPath);

    Hope this will help others who have had the same problem as I did.

    Eyal
  5. In Joomla 1.5.6:

    I had a problem with libraries\joomla\filesystem\folder.php, where I had to alter "strpos(" to "stripos(" on line 204:

    if (stripos($path, $test) === 0) {

    In some cases, an error message appeared saying that the path was not in the "open_basedir", because the path was written in a mixture of upper and lower case.

    Eyal
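Both of Eyal's comments above come down to how a configured base path is compared against another path. The following is an added example, not Joomla's code: it normalises a base path (dropping a trailing separator so concatenation never yields "//") and checks containment with a separator-aware prefix match that ignores case only where the filesystem itself does. The helper names and sample paths are constructed for illustration.

```php
<?php
// Added example, not Joomla's code. Helper names and sample paths are constructed.

// Drop trailing separators from a configured base so "$base . '/' . $file"
// never produces "//" (the trailing-slash issue with COM_MEDIA_BASE above).
function normalizeBase(string $base): string
{
    $trimmed = rtrim($base, '/\\');
    // A bare root such as "/" would become empty; keep it as given.
    return $trimmed === '' ? $base : $trimmed;
}

// Report whether $path lies inside $base (an open_basedir-style check).
// Pass $path through realpath() first so ".." segments and symlinks are
// resolved; this function only compares the resulting strings.
function isInsideBase(string $path, string $base, ?bool $ignoreCase = null): bool
{
    // Ignore case only on Windows, where the filesystem itself does. On a
    // case-sensitive filesystem an insensitive match would wrongly treat
    // /VAR/www as the same directory as /var/www.
    $ignoreCase = $ignoreCase ?? (DIRECTORY_SEPARATOR === '\\');

    $base = normalizeBase(str_replace('\\', '/', $base));
    $path = str_replace('\\', '/', $path);

    // Require the base to be followed by a separator so that
    // /var/www-old is not accepted as a child of /var/www.
    $prefix = ($base === '/') ? '/' : $base . '/';
    if ($ignoreCase) {
        return strcasecmp($path, $base) === 0
            || strncasecmp($path, $prefix, strlen($prefix)) === 0;
    }
    return $path === $base
        || strncmp($path, $prefix, strlen($prefix)) === 0;
}

// Constructed sample values for a quick run from the command line.
echo normalizeBase('images/stories/'), "\n";
var_dump(isInsideBase('/var/www/html/images/stories/a.jpg', '/var/www/html/', false));
var_dump(isInsideBase('/var/www/html-old/a.jpg', '/var/www/html', false));
var_dump(isInsideBase('C:\\Sites\\Images\\a.jpg', 'c:/sites/', true));
```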
  6. Hi,
    My website was hacked and I can't log in. I had the support team at GoDaddy find what the problem was. Well, the problem was found, but because the application was installed manually, I needed to speak with someone from Joomla. Can you help?
