Design vs. Develop » security

Keep up with official Joomla! security updates

Joe LeBlanc — Thu, 23 Oct 2008 15:13:46 +0000

While helping people get the Podcast Suite up and running, I’m noticing that a lot of people are running vulnerable, outdated copies of Joomla! 1.5.x. Keeping your Joomla! site running with the latest patches is a MUST. The Joomla! core team, working groups, security team, and bug squad all jump in and help write a patch whenver a vulnerability is discovered. However, these patches do no good if they are not applied to your site.

So how do you stay on top of Joomla! security issues and releases? The download page for Joomla! now has a handy form where you can sign up for email alerts. If you prefer RSS, use this feed link. (BTW: the current version as of this writing is 1.5.7, with a 1.5.8 maintenance release around the corner.)

Phishing Alert – it’s not just email

Joe LeBlanc — Thu, 29 May 2008 15:12:50 +0000

You’ve probably received fraudulent emails from people posing to be a bank wanting you to log in to your account. A few weeks ago, I received a phone call from an automated machine claiming to be my bank with a message for me. It then asked for the last four digits of my social security number; hung up immediately and decided that I would call my bank later.

Today, I received a similar phone call and hung up again. I called my bank right away and they confirmed with the security department that they did not place this phone call. Had I given this information, who knows what would have happened?

REMEMBER: only give personal information when you initiate a phone call with a trusted number. NEVER give your personal information when someone calls you.

Joomla training in Chicago

Joe LeBlanc — Tue, 18 Mar 2008 00:12:39 +0000

In addition to Joomla! Expo, I’ll also be one of the trainers for Joomla University the next day. My specialty will be in writing Joomla! 1.5 extensions from scratch. However, if you’re more interested in security, SEO, templating, tinkering, or just getting your first site up, there are sessions there for you too!

A website resolution you can keep

Joe LeBlanc — Thu, 03 Jan 2008 01:42:55 +0000

If you run a website, here’s a resolution you can keep: make sure your host is up to date. This is something that only takes a few minutes to check and can help you avoid hacker-induced headaches. With PHP being the most popular programming language used on the web, chances are your site uses it. You’re definitely using PHP if you use popular programs such as Joomla!, Drupal, or WordPress. Even if you keep these programs up to date with the latest patches, your site can still be at risk if your host doesn’t keep PHP itself updated.

If you’re running Joomla! or Drupal, checking your current PHP version is easy. In Joomla! 1.0.x, log into the administrator backend and go to System > System Info. The PHP version will be listed on this screen as well as under the PHP Info tab. In Drupal, use your admin login, then go to Administer > Logs > Status Report.

Aside from this software, there are other ways you can get the PHP version number. Most shared hosts often give you a control panel where you can log in and manage your account. If your host offers CPanel, the PHP version number will usually be displayed on the front page in the left column.

As a last resort, it’s easy to create a phpinfo() page you can use to get the version information. Open up a plain-text editor such as Notepad or TextEdit and add the following code:

phpinfo();

?>

Save this file as version.php (or anythingyouwant.php) and upload it to your web server using FTP to you web root directory. Then go to http://www.yoursite.com/version.php. Delete version.php from your server right away: you just want it to be available for a moment so you can get the information.

You now have your PHP version number. So now what?

As of this writing, the current version of PHP is 5.2.5. If this is the version you have, congratulations! Your host is up to date with the latest stable copy of PHP there is. If you have a version of PHP that starts with 5 but isn’t the latest, check with your host to see if they’re in transition. A lot of hosts set aside some servers with PHP 5 when it first came out in July of 2004 for testing purposes. You might be on one of these servers.

If your PHP version is ~~4.4.7~~4.4.8, your host has the latest stable version of PHP 4. Ask and see if they have a plan in place for upgrading your account to PHP 5. If your host is running a version of PHP earlier than 4.4.7, look for a new hosting provider immediately: your host is at least 7 months behind in applying security patches. Don’t count on them keeping you up to date in the future, they’ve already failed you.

As of this past Monday, no new versions of PHP 4 will be released and it is officially obsolete. On August 8th, the PHP team will not even release security updates for version 4.

UPDATE: the PHP team released 4.4.8 the day after I posted this. The switch from .7 to .8 represents some security patches. It is not considered an entirely new version of PHP; everything should still be backwards compatible. If you are running 4.x.x, make sure your host upgrades you 4.4.8 promptly.

Aside from keeping up to date with software that’s being actively developed, there are other reasons to move to PHP 5. It performs faster and has new features your friendly open source programmers desperately want to use. The Joomla!, Drupal, and WordPress teams have all avoided writing code that only works on PHP 5 to make sure that you can run their software. Now is the time to return the favor and go with PHP 5!