Joomla 1.5.14 has been released. This release contains fixes for two material bugs that were introduced in version 1.5.13 and one low level security issue. The issue is with the mailto component. In com_mailto, it was possible to bypass timeout protection against sending automated emails. It has been eight days since Joomla 1.5.13 was released on July 22, 2009.

admin | Joomla News, Joomla Security | 07 31st, 2009 | No Comments »

Joomla 1.5.12 has been released with a number of bug fixes and three moderate-level security fixes. It has been less than a month since Joomla 1.5.11 was released on June 3, 2009.

Apart from the security fixes, this release contains an important upgrade to TinyMCE v 3.2.4.1.

Download Joomla 1.5.12 (Full package)

Download Joomla 1.5.11 > 1.5.12 update package

For more details and instructions, logon to Joomla.org

admin | Joomla News, Joomla Security | 07 1st, 2009 | No Comments »

Joomla is undoubtedly one of the best CMS available in the market. As more and more websites have started using Joomla, its important that the site is configured properly to prevent any security compromises. I have compiled 10 security tips to secure your joomla website.

1. Proper Hosting Environment
   A properly configured server is highly recommended for your joomla website. Host your site on a server that runs PHP in CGI mode with su_php. This means that PHP runs under your own account user instead of the global Apache user and you don’t need to set insecure global permissions like CHMOD of 777.

   a. Set register_globals OFF
   b. Disable allow_url_fopen
   c. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
   d. Don’t use PHP safe_mode

2. Change the Default Database Prefix (jos_)
   While installation, change the default database prefix to something random. This will prevent most of the SQL injection attacks as hackers try to retrive superadmin details from jos_users table.
3. Disable FTP Layer
   While installation, dont enable the FTP layer as it opens up a potential security hole since your FTP details are stored in plain text under a Joomla! configuration file. FTP layer is not required if your hosting is secured and configured properly for Joomla.
4. Change superadministrator username
   After installation, change the username for the super-administrator. By default, its admin. So change it something like ravi.chamria so that the username/password combination becomes difficult to guess or crack.
5. Strong password
   Always use strong password for the administrator accounts. An example of strong password is E@^M!$<9@k. You can use sites like www.strongpasswordgenerator.com to generate a strong password.

   A good addition is to password protect the administrator folder. In apache web server, you can do this htaccess file or in cpanel, you can use Password Protected Directory option to setup a password. This will add another layer of username/password before someone reaches your Joomla admin details. Needless to say, have this password different from Joomla admin password.

6. Enable SEF URLs
   Most hackers use the Google inurl: command to search for a vulnerable exploit. So enable SEF urls from site configuration if you are using Joomla 1.5. You can also use extensions like SH404SEF for both Joomla 1.0 and Joomla 1.5. This will prevent hackers from finding the exploits as well as benefit you in SEO perspective.
7. Upgrade to latest release of Joomla
   Always upgrade to the latest release of Joomla as soon as possible. The current release is 1.5.11. You can subscribe to http://feeds.joomla.org/JoomlaSecurityNews or our blog feeds http://feeds2.feedburner.com/joomlainblog to get updates about the latest security releases.

   Always download Joomla! from official sites, such as the Joomla! Forge, and check the MD5 hash

8. Third party extensions
   There are more than 4000 extensions available for Joomla many of which are non-commercial. But dont take this as an opportunity to install unnecessary extensions on your website. Remember that most hacking attempts occur due to vulnerability in these extensions. So, always use extensions which are popular, has strong community backing and development process.
9. Proper file/folder permissions
   The proper file/folder permissions for your joomla website is:
   * PHP files: 644
   * Config files: 666
   * Other folders: 755

   You can CHMOD the files and folders using your FTP client.

10. Setup a backup and recovery process
    Always rely on a strong backup and recovery protocol for your live website. Its not just hacking that may compromise your website but other factors like a faulty upgrade or extension install, hardware failure, hosting provider issues. You can use JoomlaPack, a non-commercial component native for both Joomla 1.0 and 1.5 for backup.

admin | Joomla Development, Joomla Security | 06 6th, 2009 | 3 Comments »

Joomla has announced the release of Joomla 1.5.11 [Vea]. This is a security release and users are strongly encouraged to upgrade immediately.

This release contains 26 bug fixes, two moderate-level security fixes and one low-level security fix. It has been 11 weeks since Joomla 1.5.10 was released on March 28, 2009.

You can download the Joomla 1.5.11 Full Package from here.

You can download the Upgrade package here.

admin | Joomla Development, Joomla Security | 06 3rd, 2009 | 1 Comment »