In the original post that started this group, it was mentioned how not everyone knows where to look for extension vulnerabilities, end users are rarely aware of all but the largest components that expose them to issues, and there's not a great way to get this information out to 'novice' users.

Let's come up with a way to fix that.

I know of the Joomla Vulnerabilities Wiki, but it doesn't seem to be frequently updated. Even then, end-users aren't likely checking that frequently.

So starting off, how do we monitor for these vulnerabilities in the first place - Secunia, hacker forums, etc? Once found, what are ways that we can improve the system of getting the Vulnerabilities Wiki (or another site) updated? Finally, what's the best way to notify users of that extension?

Originally, I proposed a 'security' extension which can automatically fetch information about any installed extensions from a 3rd party site to report if there are known vulnerabilities (or even version updates). We have a partial system implemented for grabbing version numbers and the hardware to handle it... but is that the best course of action?

What are your thoughts/suggestions?


Replies to This Discussion

I wasn't aware of the Joomla Vulnerabilities wiki, and after a quick look you see that there's nothing happening there, and that's probably why users don't check it often. Why not provide an RSS feed for the wiki that developers, administrators and anyone else could subscribe to, so that as soon as a vulnerability is reported they would be informed? Developers could start working on a patch; administrators could either temporarily disable the 3rd party extension or try to find a workaround until a patch is available. We could put in place a system that would remove the extension if no patch for the issue is provided after a defined time. But of course the Joomla Vulnerabilities wiki would need to become the place to report Joomla and extension vulnerabilities.

I think the security extension is a great idea. This extension should be part of the Joomla core; the extension could grab information from the Joomla Vulnerabilities wiki or sites like www.milw0rm.com and http://osvdb.org/ and then make a detailed report on your security situation.
The extension could go a little further and provide different layers of security, starting with .htaccess; it could apply some standard security measures to block the most common types of exploits against Joomla.
I'm not an expert on security nor on extension development, and I don't know how hard it could be to achieve this.

Why does Joomla not use the same approach as Wordpress when it comes to updates? It would simplify everyone's life, and I believe it would reduce the number of successful attacks.

We need to think of the end user that is not always aware of security issues, so why not help them a little more with a security extension :)
Helio - I agree with your comments. Would you be willing to work on a team to help track those vulnerabilities, get word to JED to unpublish the Extension, get word to the Developer and provide support to fix and publish a new release? If we can get that kind of group together, I am very hopeful that JED would consider publishing an RSS feed that users could subscribe to in order to get information needed for upgrades. We just need concerned, committed community members to help.
Hello,

Some time ago I thought it would be a good idea to take the JED as a directory for the extensions. Every extension has its ID. It would be great if there were the possibility to post messages about updates, fixes and problems to the ID of an extension by the developer and the JED admins.

Maybe it is possible to subscribe to a list of IDs (meaning the components you are using). This feed would deliver all important information about updates and vulnerabilities of the extensions used on your site.
Hi Amy,

I'm willing to help. I don't know exactly how and where to start, but let me know how you plan to achieve this. I think, however, that tracking the vulnerabilities and getting word to JED to unpublish the extension is only part of the solution, and doing it manually could be very time consuming.
We should be able to automate some processes, like gathering information from different sources about extension vulnerabilities and then automatically notifying both the JED and the extension developer, so the developer would have a couple of days (to be defined) to fix the issue and provide a patch before his extension would be unpublished.

Again, I don't know how hard it would be to automate these processes, but we could simplify team tasks and become more efficient. What do you think?
Hi Thomas,

I think the idea of subscribing only to the components we are using is a good one. Subscribing to the whole wiki RSS feed could easily become a mess, since we would get dozens of vulnerabilities and we could get lost and miss the ones that really matter.
But when you say that developers and JED admins should be able to post messages about updates, fixes and problems to the ID of the extension, where should those messages appear? Should these messages appear in the JED or in the Joomla Vulnerabilities wiki? I personally think we should centralize the information; otherwise it could get spread out and lose its purpose.
I have many concerns with making it JED-centric.

1) The JED only lists GPL extensions, which regardless of your beliefs, would leave many extensions and end-users out of the vulnerability list. I'm also not sure of Joomla.org's willingness to moderate a list of extensions that don't adhere to the GPL.

2) The JED doesn't even list all GPL extensions. All of our extensions were unpublished, even though every extension we make is 100% GPL, simply because the JED doesn't like us. This includes the Version Verification Tool (which we think should become a necessary extension for any site, especially as it evolves), and would likely include the Security Extension we're talking about above if we're involved.

Not to rail on the JED, but there's still a bit of politics there, and security is something that shouldn't be encumbered by them.
I'd love some mechanism for automation, but obviously there'd need to be a bit of human involvement to verify issues and then (especially) to verify patches and remove/update that list. One of the problems that Joomla's had in the past with security problems is that issues are found, but then never reported as solved. Elin Waring summarizes it best in her post 'Being "The Vendor" for Security Issues'.

The same thing goes for an RSS feed (mentioned below) or a Wiki: we can make them extension specific, version specific, or narrow them down in multiple other ways to make them more relevant to the specific end user (instead of a mass of threads that people start to ignore, as usual). That's the thinking behind my original idea for an extension: you can install it so that it monitors the ones you have... but an RSS subscription where you could sign up for just your extensions would be a great idea too that I hadn't thought of.
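As an added illustration of the monitoring idea discussed in this thread (the original proposal of an extension that checks installed components, Thomas's "subscribe only to your own IDs" feed, and Alex's point about issues never reported as solved), here is a small filter that matches a site's extension inventory against a vulnerability feed. It is example code, not the Version Verification Tool or any Joomla project code; the extension IDs, versions, feed format and advisories are all constructed for the demonstration.

```python
from typing import Optional

def parse_version(text: str) -> tuple:
    """Turn '1.5.10' into (1, 5, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(installed: str, fixed_in: Optional[str]) -> bool:
    """A site is affected while no fix exists or it still runs an older release."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)

def build_report(installed: dict, feed: list) -> list:
    """Keep only advisories for extensions present on this site (the 'subscribe
    to your own IDs' idea), then decide what the administrator should do."""
    report = []
    for entry in feed:
        ext_id = entry["extension_id"]
        if ext_id not in installed:            # not installed here: ignore the noise
            continue
        version = installed[ext_id]
        if not is_affected(version, entry["fixed_in"]):
            continue                           # already running a fixed release
        action = ("upgrade to %s" % entry["fixed_in"] if entry["fixed_in"]
                  else "no fix published: disable or work around")
        report.append({"extension_id": ext_id, "installed": version,
                       "advisory": entry["title"], "action": action})
    return sorted(report, key=lambda r: r["extension_id"])

# Constructed inventory and feed for the demonstration: the IDs, versions and
# advisory titles are made up and are not real JED entries or real bulletins.
INSTALLED = {"com_photo": "1.2.0", "com_gallery": "3.1.4", "mod_login": "2.0"}
FEED = [
    {"extension_id": "com_photo", "title": "SQL injection in list view",
     "fixed_in": "1.2.1"},                     # patch available: upgrade
    {"extension_id": "com_gallery", "title": "Path traversal in downloader",
     "fixed_in": "3.1.0"},                     # site already runs a fixed release
    {"extension_id": "mod_login", "title": "XSS in return URL",
     "fixed_in": None},                        # reported, never marked as solved
    {"extension_id": "com_unused", "title": "Arbitrary file upload",
     "fixed_in": "0.9"},                       # not installed: filtered out
]

if __name__ == "__main__":
    for row in build_report(INSTALLED, FEED):
        print(row)
```

The `fixed_in: None` case is the one Alex raises: an entry that was reported but never closed keeps the extension flagged until somebody records the fix.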
Hi Alex,

I know this is not the place, but I will still post it because I am very curious about this component and want to see what it can do :P

I installed your component Version Verification Tool but I get an error every time I run it, I posted in the forum here: http://www.cmsmarket.com/forum/index.php?f=54&t=463&rb_v=vi...

Do you know what it could be?
Thanks
Yeah, go into the parameters and set "Find Version" to "No". When that's set to Yes, if a file has been modified, it will try to see if that file belonged to an earlier version of Joomla (missed because of a partial upgrade, possibly).

We threw it together quickly to get some ideas out there on how security can be better performed as a component. While we try to increase your memory and timeout limit if Find Version is set to Yes, many server installations don't let the script do this itself.

A future update will do it differently, either through an AJAX call or a more streamlined (less intensive) process for finding different versions.

Thanks
I thought it was good to use the IDs of the JED. Extensions that are not listed could have another number that does not collide with the JED ID. The big advantage is that a security database has the link to the JED. If the JED admins would support the wiki, they could easily add a button to the wiki or RSS, because they can be sure that the ID leads to the correct entries.
I agree with that logic then. Tying things into the JED listings is fine, but, obviously, I have issues with making it JED-specific.

The other thing to make sure of is that if the JED is adding any functionality/ease of use to a security tracker, those capabilities aren't lost simply because an extension isn't listed there.
A great test case that can be used now: Photoblog has just had a security bulletin issued against it on Security Focus. How should we get the word out? What would be the best way? Do you more often log into your admin back end (where a module could alert you of a new vulnerability) or check an RSS feed? Which do you think is more true of a client of yours?

I've never used the component, but the hole is a standard SQL injection one which has nasty results.

http://www.securityfocus.com/bid/36809/exploit

I just created an account on the Joomla Vulnerabilities Wiki and added it to the list. At least until a more robust solution is found we'll do our part to keep that updated.

© 2012   Created by Amy Stephen.

Badges  |  Report an Issue  |  Terms of Service