Security for Joomla part 2 - Pdf 16

Chapter 1
As of the time of this writing, there is a definitive line drawn in the sand in the
Joomla! world about allowing or not allowing encrypted extensions. No matter
which side of the debate your feelings are on, if you decide to purchase and use an
encrypted extension, make sure in advance of your purchase that your host supports
Zend or ionCube (depending on the app), or whatever means may be deployed.
If it doesn't, you will have to attempt to get your money back, change hosts, or
discover a method to make them work. Translation: do your homework in advance.
Your border security begins with the host where your site resides. If you choose a
poorly run host, then expect trouble, successful attacks, and more. That is not to say
that a well-run host is free from attacks; it just lowers some of the obvious problems.
Take time to learn all you can about the prospective host, but don't base your
purchase on price and flashy sales pitches by the host.
Architecting for a Successful Site
Believe it or not, planning your site rather than diving in will help you have
a much more secure site. How, you may ask? Through careful planning, you can
establish a path and a direction to get there. You can research the pitfalls and find
ways to avoid them. Thus you will be operating within the parameters of wisdom, which
will enable you to depend on others' experiences and learn from the mistakes that
they made.
What Is the Purpose of Your Site?
If I had $1.00 every time a client said, "I need a website" and I asked, "What is it going
to do?" I would probably be sitting on a beach drinking something with an umbrella
in it rather than writing! Seriously though, it's more common than not. The answer is
often not well thought out, thus causing many uncomfortable questions to be asked.
Here's a real-life scenario: Customer "X" says that he works in the financial world
and needs a 'secure' website. He needs to "securely" make available his highly
confidential financial documents to his clients via the Web. "Security is very
important to us," they stated multiple times.
OK—what would you ask if this were you? What steps would you take? Let's walk

if you can x it. If they are on the list, contact the developer and see if he/she
has xed it. If not, then nd another way to accomplish what you need done.
Custom work. There abound thousands of developers for Joomla! and a good
places to check are http://www.jcd-a.org and http://www.joomlancers.
com. Both these sites offer lots of either well-written extensions or in the case
of Joomlancers, a rent-for-hire coder. You may say Great! I can hire someone
and put them on the task of building my UBER customer extension! Here's
where it gets weird. You need to ensure the testing methods they will use
(demonstrable) to prevent SQL injections, buffer overows, and so on. And
the second thing is, get them to agree to x any vulnerability with their
original code that is discovered in the future, as part of the deal.


This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008
What if you upgrade? Will your extension be compatible? Maybe, and maybe
not. If you upgrade from, say, 1.0.12 to 1.0.15 or even 1.5.x, which you may
consider an easy jump, will it work? A lot of extensions may fail or not
even be compatible after that. Can this cause potential security holes? Yes.
Step eight: A very large percentage of security problems are caused by
employees and customers, sometimes on purpose and sometimes by accident.
Therefore you need to consider this as part of how you will prevent security
issues caused by customers and employees. The ideas include mandatory password
lengths, changing passwords frequently (30 days to 60 days is a common time
frame), and educating customers and employees on "social engineering" tactics.
Step nine: Read this book thoroughly, as well as others. Learn (if you don't know
already) a bit about PHP programming. I recommend W. Jason Gilmore's book.
W. Jason Gilmore, Beginning PHP and MySQL 5 – From Novice to

Now that you have chosen a host and have your site prepared, it's time to download
Joomla! But wait, which one do I choose? Surely you chose this already in Step
11: Joomla! 1.0.15, or the new and completely redesigned Joomla! 1.5.x. It
is important to understand a few differences between these versions before
you make an initial decision. Just as your choice of a version is important, so is
it important to ensure that you download it from a reputable source, preferably
Joomla.org. There are other sources from which you can download it preconfigured
and with add-ons. There's nothing wrong with that, but check it thoroughly. The
point to remember here is that you must be very sure that it's a trusted source and
that it hasn't been tampered with. Later, we'll learn about some tools developed by
the community that will help you keep track of the health of your site. When you
download your copy of Joomla!, it should be provided to you in ZIP format. That
ZIP file itself has an MD5 hash, which is a 'digital signature' ensuring that nothing
has been changed. Note: At the time of writing this book, the MD5 hash for Joomla!
1.0.15 was not available from Joomla.org.
If your hash is different, then the package contents are not what was published. This
could be something as simple as a bad download, or it could be tampering. I
would suggest that you not use this package; rather, delete it and re-download. In any
event, the MD5 hash is a good protection mechanism to ensure the "authenticity" of
the compressed file.
Where did you download it from?
Always take the extra caution of downloading your source directly from
Joomla! to ensure that you are always getting the correct package. This is
not to say that other reputable sites aren't offering it, but it's an easy step
to ensure security.
One of the key security differences between 1.0.12 and 1.0.13 is the way a password

For each setting, we name its default value and give a short blurb on why we must select
it. In a later chapter, we'll cover php.ini in greater detail.
Following this will be the settings for other files such as .htaccess and
global.php.
In PHP version 4.2.0, the support for one important variable was changed.
We won't go into the details of the battle that must have ensued to change this,
but you can read about it at http://www.php.net; look up Register Globals. It is
noteworthy to point out that in PHP 6 this is completely gone.
Settings:
register_globals = off (you may also see it as = 0)
If this is left on, someone attempting to break your site could use it to inject
your scripts with all sorts of variables. This is a typical problem with some
extensions and has been the death of many a good site. The attacker could
use this to insert request variables from HTML forms as a means to break the
site open. In the past, it was assumed that PHP simply worked this way, and
so many extensions and applications were written that required it to be on.
There are only two things you should do in that case: fix the extension by
coding in the proper support to sanitize and check, or dump it and get a
different extension. Note that in Joomla! 1.0.13, this setting is now included in the
control panel.
magic_quotes_gpc (by default it is on)
First and foremost, this is on by default and should remain on. This "escapes"
all variables that are sent to the database. The crackers will use scripts loaded
with all kinds of goodies, meant to pass through to the database or other
parts of the system. By escaping them, it actually neutralizes their power to
harm you. DO NOT TURN THIS OFF.

This one can be tricky, but it is recommended by Joomla! to leave it in its
default state of off. Turning it on will disable quite a few features,
including, but not limited to: parse_ini_file(), chmod(),
chown(), exec(), system(), and more.
However, being in a shared world, you may run into situations where it
needs to be changed to on. If it is turned on, there are several options that
go along with it. And there are several things that may not work with
Joomla!—so use it with caution.
There are several other optional settings in php.ini that change how the system
functions, but these are the key ones.
Next you will need to make changes to your globals.php file if you haven't made
them already. Note that this applies to Joomla! 1.0.12 and older. For Joomla! 1.0.13,
change this in the configuration panel.
Make the following change to the highlighted line: change the 1 to a 0.
/**
* Use 1 to emulate register_globals = on
*
* Use 0 to emulate regsiter_globals = off [sic]
*/
define( 'RG_EMULATION', 1 );
/**
* Adds an array to the GLOBALS array and checks that the GLOBALS variable is
* not being attacked
* @param array
* @param boolean True if the array is to be added to the GLOBALS
*/
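To make concrete what RG_EMULATION = 1 (or register_globals = on) actually exposes, here is an added PHP example; it is not from the book or from Joomla!'s own code. It simulates the behaviour with extract() on a constructed request, shows a script flag being overwritten by a parameter the client supplies, and puts the hardened pattern beside it. The function names, the request array and the session flag are all assumptions made for the illustration.

```php
<?php
// Added example (not from the book or Joomla!). Simulates what
// register_globals = on (or RG_EMULATION = 1 in globals.php) does:
// every request parameter becomes a PHP variable of the same name.
// Constructed sample request: the "authorized" key is not something the
// site's own form ever sends; it is supplied by the client.
$request = ['id' => '42', 'authorized' => '1'];

// Vulnerable pattern: the script assumes $authorized is only ever set by
// its own logic, but register_globals lets the request pre-set it.
function showDocumentVulnerable(array $request): string
{
    // extract() emulates register_globals: import every request key as a variable
    extract($request, EXTR_OVERWRITE);
    if (!isset($authorized)) {      // skipped when the client sent "authorized"
        $authorized = false;
    }
    return $authorized ? "document $id sent" : "access denied";
}

// Hardened pattern: read only the parameter you expect, validate its type,
// and take authorization from server-side state, never from the request.
function showDocumentHardened(array $request, bool $sessionAuthorized): string
{
    $id = isset($request['id']) ? (int) $request['id'] : 0;
    if ($id <= 0) {
        return "bad request";
    }
    return $sessionAuthorized ? "document $id sent" : "access denied";
}

echo showDocumentVulnerable($request), "\n";        // document 42 sent
echo showDocumentHardened($request, false), "\n";   // access denied
```

The hardened version behaves the same whether register_globals is on or off, which is the property an extension must have before you can safely leave the setting off.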



valuable security measure.
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit attempts to Joomla!
#
#IF the URI contains a "http:" or "ftp:" or "https"
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} ftp\: [OR]
RewriteCond %{QUERY_STRING} https\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
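As an added example (not from the book), the following PHP script re-implements the conditions above as PCRE patterns and runs constructed sample query strings through them, so you can see which requests the rule set would refuse before deploying it. It assumes the rule set ends with a RewriteRule that returns 403 Forbidden on any match; that closing line is not part of the excerpt above.

```php
<?php
// Added example (not from the book). Each entry mirrors one RewriteCond on
// %{QUERY_STRING} from the .htaccess excerpt; Apache's [NC] flag becomes
// the PCRE /i modifier. mod_rewrite, like this script, tests the raw
// (still URL-encoded) query string.
$blockPatterns = [
    '/http\:/',
    '/ftp\:/',
    '/https\:/',
    '/\[/',
    '/\]/',
    '/mosConfig_[a-zA-Z_]{1,21}(=|\%3D)/',
    '/base64_encode.*\(.*\)/',
    '/(\<|%3C).*script.*(\>|%3E)/i',
    '/GLOBALS(=|\[|\%[0-9A-Z]{0,2})/',
];

// Returns the first pattern that matches, or null when the request would
// pass through to Joomla! (assumes a RewriteRule with [F] follows the list).
function matchBlockRule(string $queryString, array $patterns): ?string
{
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $queryString)) {
            return $pattern;
        }
    }
    return null;
}

// Constructed sample query strings: ordinary Joomla! requests and the kinds
// of tampering the comments in the excerpt describe.
$samples = [
    'option=com_content&task=view&id=12',
    'option=com_search&searchword=joomla+security',
    'mosConfig_absolute_path=http://example.invalid/',
    'id=1&GLOBALS[foo]=bar',
    'q=%3Cscript%3Ealert(1)%3C/script%3E',
    'url=ftp://example.invalid/file',
];

foreach ($samples as $qs) {
    $hit = matchBlockRule($qs, $blockPatterns);
    printf("%-50s %s\n", $qs, $hit === null ? 'allowed' : "blocked by $hit");
}
```

Because the match runs on the raw query string, this list is a coarse defence-in-depth filter for the patterns it names; it does not replace turning register_globals off and fixing the extension itself.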

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
Permissions
One simple way to protect yourself is to ensure that you have the permissions set on
your files and directories. The following settings are the recommended permissions:
.htaccess 644
configuration.php 644
Directories 755
Files 644
While these are recommendations, your particular needs may be different and you
should adjust accordingly.
For a detailed explanation of permissions visit this link on the
Joomla.org site:
http://forum.joomla.org/viewtopic.php?t=121470
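An added PHP audit script (not from the book or from Joomla!) that walks a site tree and reports every entry whose mode departs from the recommended 755 for directories and 644 for files, configuration.php and .htaccess included. It assumes it is run from the command line on the host with the site root as its first argument; it only reports and never changes modes, so directories you have deliberately made writable show up for you to review.

```php
<?php
// Added example (not from the book or Joomla!). Walks a site tree and lists
// entries whose mode differs from the recommendations: 0755 for directories,
// 0644 for files (configuration.php and .htaccess are files, so 0644).
// Run as: php perm_audit.php /path/to/joomla   (script name and path are assumptions)

function expectedMode(SplFileInfo $entry): int
{
    return $entry->isDir() ? 0755 : 0644;
}

// Returns an array of [path, actualMode, expectedMode] for each deviation.
function auditPermissions(string $root): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $entry) {
        if ($entry->isLink()) {
            continue;   // a symlink's target is audited under its own path
        }
        $actual = $entry->getPerms() & 0777;   // drop the file-type bits, keep rwx
        $expected = expectedMode($entry);
        if ($actual !== $expected) {
            $findings[] = [$entry->getPathname(), $actual, $expected];
        }
    }
    return $findings;
}

$findings = auditPermissions($argv[1] ?? '.');
foreach ($findings as [$path, $actual, $expected]) {
    printf("%s: %04o (expected %04o)\n", $path, $actual, $expected);
}
// Non-zero exit when anything deviates, so the check can run from cron.
exit($findings === [] ? 0 : 1);
```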

