Joomla security, part 3 - PDF 16

Chapter 1
[ 27 ]
User Management
When you set up your site, there are several different methods to manage users and
their permissions. The permutations are numerous and I would suggest you pick
up a copy of Barrie North's book:
The Joomla Admin Manual: A Step by Step Guide to a Successful Website
Or
Joomla! A User's Guide
You can find both of these at joomlabook.com or Amazon.com.
Later, we are going to learn about tools to help you post-install. However, if you
have taken these steps, you are doing very well indeed.
Common Trip Ups
While an entire volume could be filled with common mistakes, we'll focus on a few
of them here. They are presented in no particular order.
Failure to Check Vulnerability List First
One big problem comes in if you are using a component that is vulnerable. To start
with, why would we deliberately set up our site to be broken into? A quick review
of the current vulnerability list at the time of writing shows over sixty known
vulnerable extensions.
Here is one chosen at random known as AutoStand. I followed the link listed in
Joomla! and found the security site FrSIRT. They list this as a critical exploit.
Advisory ID : FrSIRT/ADV-2007-1392
CVE ID : CVE-2007-2319
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-04-16
A vulnerability has been identified in AutoStand (module for Joomla), which
could be exploited by remote attackers to execute arbitrary commands. This
issue is caused by an input validation error in the "mod_as_category.php" script

is not only easy and quick, it's simply a very good idea. To fail to check the list is
tantamount to laziness. Take a few minutes right now and bookmark this location:
Tip: check the third-party vulnerability list from Joomla.org:
http://help.joomla.org/component/option,com_easyfaq/
task,view/id,186/Itemid,268/
Register Globals, Again
As discussed earlier, having Register Globals enabled is a huge problem. This is so
prevalent that a search on the Joomla! forums will turn up multiple instances of this
repeated offense.
Permissions
Seeing 777 may be lucky if you're in Las Vegas, but it's hell to pay on your site. We
discussed the correct permissions settings earlier, but it bears mentioning them here
again. Mode 777 lets every account on the host, not just the web server user, rewrite
your files, which is exactly what a neighbour on a shared server or a compromised
process needs. If you have made all your directories and files 777, then get a backup,
sit back, and wait to start your restore.
This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008
1010 SW High Ave., , Topeka, , 66604
Poor Documentation
While this may be a bit out of the scope with this book, writing down your database
settings can be invaluable in an emergency situation. If you are cracked, you may
need to reference the authentication information quickly. Write it down! Store it in a
safe place.
Got Backups?
Surprisingly few people have backups, much less practise backing up, prepare a
plan, or test the plan. DO NOT let the simplicity of this action keep you from doing it.
Back up.
There are several ways to go about backing up. You have to choose the method that
works best for you, but whatever method you choose, it must have the following
elements in it:

Let’s Get Started
[ 30 ]
Setting Up Security Metrics
What is a security metric, and why would we want to have one? For the purpose
of this book, a security metric is a set of measures put in place to track key incident
events. For instance, number of attempted incursions into your site, and so forth.
This section will be discussed from a high level and will not delve into heavy
specics. The intent is to make you aware of the need to measure your security
and some high-level views on measurement. In this section, we will discuss
establishment of baselines, setting up good measures, and metrics. These metrics will
apply to your site and to the machines you use to work on your site. We will wrap
up with a few words and precautions on reporting to forums, and reporting to hosts
about incidents.
Establishing a Baseline
You can think of a baseline as a "known good" standard. This is like the "foot"
standard in the United States, or in the metric standard, the "meter". These are
known lengths that are used to ensure our "copy" of the foot or meter is accurate. In
your site, you need a known good "baseline" to measure the future changes against.
What is a good baseline?
A baseline is a snapshot in time when things are good or are performing
their best. The reason for this is two-fold: one, it will give you an opportunity
to put your measures and metrics in place to measure security. If this goes
awry, it will affect your uptime and the availability of your site to the clients
and customers who may want your goods and services. The second reason
for establishing this baseline is to help you design procedures that assure
you are doing everything you can to protect yourself. If you are working with
more than one person, you will want to work with your staff to come up with
a set of metrics that are meaningful, will yield actionable data, and can be
proven under most circumstances. A good metric that's often used is the

situation. There are a few common things that should be a part of your
baseline measurement, for instance, log files. Your baseline should have a
way to collect and review them. There are several logging tools from the
community and you will have to pick one. In any case, the logs should be
collected every "x" minutes. This metric would yield all kinds of actionable
data relating to security.
Here is an example:
Our required data points are as follows:
° The number of visitors over a twenty-four hour period.
° Where they originated from.
° What they did while they were there (this could be anything).
Metrics:
° "X" visitors came to our site in the last twenty-four hours.
° Of those "X" visitors, "Y" attempts were made to do an SQL injection on our site.
° The IP addresses attempting the attack (barring IP spoofing) are originating from
a specific region in the world.
° The SQL attack is on an extension that we do not have on our site.
° No other attempts were made on the site itself from the logs.
Other things you can measure include:
° Number of attempted attacks
° Type of attempted attacks
° Locations where the attacks are coming from (geography)
° Attempts to authorize credit cards multiple times
° Attempts to "obtain" a lost password more than once from an IP
These are just a few examples of what kind of things you can measure. Some
may apply to you; some may not.
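The metrics above can be pulled out of the web server's access log with a short script. What follows is an added example, not code from the book or from any of the Joomla! statistics extensions it names. It assumes Apache "combined" format log lines (a constructed sample is embedded), an assumed list of installed extensions, a crude set of SQL injection signatures, and the Joomla! 1.5 lost-password URL (option=com_user&view=reset); adjust the last two for your version and your site. It counts visitors, injection attempts, attempts aimed at extensions that are not installed, and repeated lost-password requests from one IP, and lists the addresses the block-the-IP policy described later would act on. Geography is left out because it needs an IP-to-location database.

```python
"""Security metrics from a web server access log (added example, not from the book)."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache combined format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Crude injection signatures (assumption), applied to the URL-decoded query string so
# that %27%20UNION%20SELECT cannot slip past as harmless-looking text.
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|'\s*or\s+['\d]|\bor\s+1\s*=\s*1\b"
    r"|/\*!|--\s|;\s*drop\s+table|sleep\(|benchmark\()",
    re.IGNORECASE,
)

# Joomla! 1.5 lost-password / lost-username forms (assumption; adjust per version).
LOST_PASSWORD_RE = re.compile(r"option=com_user\b.*\bview=(reset|remind)\b")

# Extensions actually installed on our site (assumption for the demo).
INSTALLED_EXTENSIONS = {"com_content", "com_contact", "com_user"}

# Constructed sample log: one real visitor, one scanner, one password-reset abuser.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Apr/2007:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Apr/2007:10:01:09 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Apr/2007:10:02:30 +0000] "GET /index.php?option=com_content&id=5%27%20UNION%20SELECT%20username,password%20FROM%20jos_users-- HTTP/1.1" 200 4987 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Apr/2007:10:02:31 +0000] "GET /index.php?option=com_badext&cat=1%20OR%201=1 HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.44 - - [16/Apr/2007:10:05:00 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Apr/2007:10:05:03 +0000] "POST /index.php?option=com_user&view=reset HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Apr/2007:10:05:10 +0000] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for noise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["query"] = unquote_plus(url.query)          # decode before pattern matching
    rec["option"] = parse_qs(url.query).get("option", [None])[0]
    return rec


def analyse(lines, installed_extensions, lost_password_threshold=2):
    """Turn raw log lines into the metrics the text describes."""
    installed = set(installed_extensions)
    visitors = set()
    requests = 0
    sqli_by_ip = Counter()
    sqli_on_missing_extension = 0
    lost_password_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        requests += 1
        visitors.add(rec["ip"])
        if SQLI_RE.search(rec["query"]):
            sqli_by_ip[rec["ip"]] += 1
            # Attack aimed at an extension we do not run: noise, but still worth counting.
            if rec["option"] and rec["option"] not in installed:
                sqli_on_missing_extension += 1
        if LOST_PASSWORD_RE.search(rec["query"]):
            lost_password_by_ip[rec["ip"]] += 1
    abusers = {ip for ip, n in lost_password_by_ip.items() if n >= lost_password_threshold}
    return {
        "requests": requests,
        "visitors": len(visitors),
        "sqli_attempts": sum(sqli_by_ip.values()),
        "sqli_by_ip": dict(sqli_by_ip),
        "sqli_on_missing_extension": sqli_on_missing_extension,
        "lost_password_by_ip": dict(lost_password_by_ip),
        # The policy in the text: block the addresses behind the attempts.
        "block_candidates": sorted(set(sqli_by_ip) | abusers),
    }


def demo():
    """Run the analysis over the constructed sample log."""
    return analyse(SAMPLE_LOG.splitlines(), INSTALLED_EXTENSIONS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point analyse() at real lines (for example, a file object opened on the Apache access log) and at your own extension list. Decoding the query string before matching matters: scanners URL-encode their payloads, and a signature applied to the raw line misses them.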
How are you going to measure?
You cannot measure anything without a tool or a set of standards. How you measure
is as important as what you measure. In the previous example, we may be running
the logging tool BSQ-Site Stats (visit bs-squared.com to review this logging
tool) to collect our stats. If so, we will have crafted a simple process to use this tool
and to respond to the events. For example, as this chapter was being written, the
author stopped to review his own logs. Sure enough, three attempts were made to
use "kiddie-scripts" to break into the site. They were not successful because the site
was not running the vulnerable scripts they were attacking. The actionable response,
which is the standard policy, is to block the IP address. This is not because of the
concern that they may eventually get in; rather, it helps to filter the attempted
criminal activity from real paying customer activity. We are concerned with both, and
taking time to review log entries only to discover multiple attempts to break in is a
waste of time if you do not take action. Additionally, it is doubtful that anyone who
attempts this will come back with intent to spend money. Hence, locking them out
saves time, bandwidth, money, frustration, and potential future attacks. Bear in mind
that an IP address is a weak identifier: proxies and NAT put many users behind one
address, and attackers move between addresses, so review and expire blocks rather
than leaving them in place forever. Once you have determined your metrics, take time
to decide how you will measure them.
The tools that can be used to gather these statistics are abundant:
BSQ-Site Stats (GPL-GNU)
Joomla-Visits (GPL-GNU)
Entana Statistics 2.0.0 (commercial license)
Google Analytics Tracking Module (other Open Source/free)

place will help you negate the effects. Again, establish the baseline, measure,
and create actionable data.
When will the baseline be established?
If you have a brand new site, then establishment of your baseline should be
a part of your design criteria. In other words, design it as if you were adding
an extension. Later, we'll cover some tools that are available, and should be
a part of your site. If you have an established site, this is a bit of a
different tack. You will need to ensure that you are safe and secure by
adding in the items that are missing; for instance, a common problem is
leaving Register Globals ON. This could be part of cleanup, and will secure
your site. Once you have done all the right things, then you are ready to
establish that snapshot.
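The Permissions section earlier and the baseline discussion above come together in one task: record a known-good state of the web root, and make checking permissions part of taking that snapshot. The following is an added example, not code from the book or from any Joomla! tool. It assumes that directories at 755 and files at 644 are the correct settings the book refers to, uses each file's mode and SHA-256 digest as the baseline, and builds its sample web root (constructed file names and contents) in a temporary directory: first the "everything 777" mistake and its correction, then a baseline, then an edit, a new file and a loosened mode that a later comparison has to catch.

```python
"""File-system baseline for a Joomla! web root (added example, not from the book)."""
import hashlib
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755    # assumption: the settings the book recommends elsewhere
FILE_MODE = 0o644


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: (octal mode, sha256)} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks could point outside the web root; skip them
            manifest[os.path.relpath(full, root)] = (oct(stat.S_IMODE(st.st_mode)), _sha256(full))
    return manifest


def world_writable(root):
    """Relative paths of files and directories that any user on the host may write to."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def fix_permissions(root, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """Reset directories to 755 and files to 644, leaving symlinks alone."""
    os.chmod(root, dir_mode)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                os.chmod(full, dir_mode)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                os.chmod(full, file_mode)


def compare(baseline, current):
    """What changed since the baseline: content, mode, new files, missing files."""
    report = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for rel, (mode, digest) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
            continue
        base_mode, base_digest = baseline[rel]
        if digest != base_digest:
            report["modified"].append(rel)
        if mode != base_mode:
            report["mode_changed"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Constructed web root: the 777 mistake, the fix, the baseline, then a tamper."""
    root = tempfile.mkdtemp(prefix="joomla-baseline-")
    try:
        for rel, body in {
            "configuration.php": "<?php class JConfig { var $password = 'secret'; } ?>\n",
            "index.php": "<?php define('_JEXEC', 1); ?>\n",
            "images/stories/logo.png": "placeholder image bytes\n",
        }.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        for dirpath, dirnames, filenames in os.walk(root):   # the "everything 777" mistake
            for name in dirnames + filenames:
                os.chmod(os.path.join(dirpath, name), 0o777)
        before = world_writable(root)
        fix_permissions(root)
        after = world_writable(root)
        baseline = snapshot(root)
        # Later: an edited file, a file that was never part of the site, a loosened mode.
        with open(os.path.join(root, "configuration.php"), "a") as f:
            f.write("// unexpected edit\n")
        with open(os.path.join(root, "images/stories/unexpected.php"), "w") as f:
            f.write("<?php /* file that was not in the baseline */ ?>\n")
        os.chmod(os.path.join(root, "index.php"), 0o777)
        changes = compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)
    return {"world_writable_before": before, "world_writable_after": after, "changes": changes}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the baseline manifest somewhere the web server cannot write, otherwise whoever alters the site can alter the record of what the site looked like. Re-run the comparison on a schedule, and treat any file under directories that must stay writable (caches, uploads) that is executable by the server as a finding in its own right.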
Server Security Metrics
What are you going to measure?
You have several items to establish here. Some are technical in nature, and
some are social in nature.
Permissions checked: This is a baseline activity. You will need
to make sure that you set it properly.
Host security: This might require a call to your host. Ask
them how and what they do specifically to protect your site.
Some of the common things that are (should be) in place for
sure: firewalls, load balancers, Apache mod_security. If
they cannot tell you these things, get a different host. If you
are hosting your site in-house, then make sure you take the
necessary precautions to protect your data and infrastructure.
This is of paramount importance if you are taking and
accepting credit cards. Security of a server is a full time job.
Another item you will need to gather information on is
patching: When is it done, how is it tested, what are the
critical-path items currently in place on the server.

articles kept up to date via RSS feeds from several different
security sites.
Personal Computing Security Metrics
You probably thought this whole book was about Joomla! security—you're right.
However, this small detour off our main road is very important. Why Personal
Computing Security Metrics?—that is because the Joomla! site is set up from
somewhere, and that somewhere is your desktop.
The clients that visit your site won't be likely to browse it from the confines of their
server's browser. They will be using their desktop or notebook computer. These
devices, which are easily compromised if not protected, can become an attack point
to break into your site.




While you cannot guarantee the integrity of your visitors' computers, you can
ensure that you are safe. And perhaps you will gain some knowledge about how to
communicate security to your clientele.
Basic protection mechanisms
The author recently switched the anti-virus prevention and detection from a
well-known package to Kaspersky (see www.kaspersky.com), and it (Kaspersky)
found three viruses on his machine that the very popular package seemed
to have missed. This is not an endorsement of Kaspersky; however, it is a
worthwhile package to consider. It has hourly updates, it has a running
total of new threats discovered, the time to put out a patch, and much more.
