In the original post that started this group, it was mentioned how not everyone knows where to look for extension vulnerabilities, end users are rarely aware of all but the largest components that expose them to issues, and there's not a great way to get this information out to 'novice' users.

Let's come up with a way to fix that.

I know of the Joomla Vulnerabilities Wiki, but it doesn't seem to be frequently updated. Even then, end-users aren't likely checking that frequently.

So starting off, how do we monitor for these vulnerabilities in the first place - Secunia, hacker forums, etc? Once found, what are ways that we can improve the system of getting the Vulnerabilities Wiki (or another site) updated? Finally, what's the best way to notify users of that extension?

Originally, I proposed a 'security' extension which can automatically fetch information about any installed extensions from a 3rd party site to report if there are known vulnerabilities (or even version updates). We have a partial system implemented for grabbing version numbers and the hardware to handle it... but is that the best course of action?

What are your thoughts/suggestions?


Replies to This Discussion

The list on the wiki has caused a few upsets over having an appearance on the list, and a few developers jumping hoops to be delisted with their fixed notices. But it has brought to the attention of the community that such things are taken seriously, if reported/told/gossiped about.
I assume the list doesn't have anything on it that isn't already listed on Secunia? I suppose it makes sense to delist a year after the problem is resolved. People need the list and they don't always upgrade right away, so the items have to be listed for a while.
I agree about a period of time to show up on the list. While it may look bad for the developer, it's one of those cases where it's more important to the end-user to know about possible vulnerabilities. A 6 month - 1 year timeframe seems reasonable to keep it up there if one is found.

Not that a dev would see it this way, but it also gives them a chance to show that support and vulnerabilities are taken seriously. Since the Wiki says when/where an update is available, that's a positive thing. Security problems happen, and sometimes in the strangest ways (they're not all the standard "didn't sanitize value"). The sh404 vulnerability that Jeff Channell found was very interesting to me, and, in my opinion, not one the dev would have immediately thought of (though it could have been prevented).

Either way, short story, I hope the devs that "jumped through hoops" and had their products de-listed had extensions listed that were vulnerable looong ago.
It's 2 L's, Alex. :)

The Vulnerable Extension list is in NO WAY complete at all. Has anyone seen milw0rm.com? Plenty of Joomla vulnerabilities there, even though it's no longer being updated. Not to mention only a portion of the ones I've discovered & released are represented on the list.
Agreed - although unless someone religiously sits there and reads all the different sources that would be a full time job.
The list is being updated with alerts as they are received, most of the recent ones coming from the original post, but it does seem strange that despite the obvious contribution, not many people are reporting these vulnerabilities.
The developers who kicked up the most fuss are the ones who said their extensions were never released (so how did milw0rm know about them?). The others seem to be demanding the removal as they have been 'fixed'. As Amy points out, just because they are fixed by the developer, doesn't mean the user has fixed it.

Jeff Channell said:
It's 2 L's, Alex. :)

The Vulnerable Extension list is in NO WAY complete at all. Has anyone seen milw0rm.com? Plenty of Joomla vulnerabilities there, even though it's no longer being updated. Not to mention only a portion of the ones I've discovered & released are represented on the list.
As I see it, it's not a Joomla problem as much as it is a developer problem. No matter what platform you're developing for, you HAVE to sanitize user input. ALL of it. For crying out loud, mysql_real_escape_string() and htmlentities() will go a REALLY long way.

This is in no way the beginning or the end. This is going to be an ongoing problem for quite a while.

'>"/body>
That's awesome. That nonsense at the bottom was originally only 4 characters, and I got an extra escaped body tag out of it. :)

See? Sanitize all input.
'>"/body>
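Jeff's point is platform-independent, so here is an added example (not code from this thread or from Joomla) in Python rather than Joomla's PHP, showing the two halves of "sanitize all input": a lookup that pastes user input into SQL beside its parameterised replacement, and HTML output encoding in the role htmlentities() plays in PHP. The extension table and names are constructed for the example; the probe string rendered at the end is the one posted above.

```python
import html
import sqlite3

# Constructed sample table: a few installed extensions, as a site's
# extension table might hold them (names and versions are made up).
SAMPLE_ROWS = [
    ("com_example_blog", "1.4.2"),
    ("mod_example_menu", "2.0.1"),
    ("plg_example_auth", "0.9.0"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE extensions (name TEXT, version TEXT)")
    conn.executemany("INSERT INTO extensions VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """The pattern the thread warns about: user input pasted straight into SQL.
    Whatever the caller supplies is parsed as part of the statement."""
    sql = "SELECT name, version FROM extensions WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a parameterised query. The driver sends the value
    separately from the statement text, so it can only ever match as data."""
    sql = "SELECT name, version FROM extensions WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_cell(value):
    """Output encoding for HTML. Every character that could open or close
    markup or an attribute (< > & " ') is turned into an entity."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = make_db()
    # A name nobody has installed; the unsafe path still returns every row
    # because the quote characters change the meaning of the WHERE clause.
    probe = "' OR '1'='1"
    print(len(lookup_unsafe(db, probe)), "rows from the unsafe lookup")
    print(len(lookup_safe(db, probe)), "rows from the safe lookup")
    print(render_cell("'>\"/body>"))  # the string posted above, rendered inertly
```

The safe lookup returns nothing for the probe because there is no extension literally named `' OR '1'='1`, which is exactly the behaviour you want; escaping functions such as mysql_real_escape_string() get you the same result for SQL, but parameterised statements remove the chance of forgetting to call them.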
Look what Google has come up with:

http://ow.ly/E6wa

webmaster tools informing us... Nice!

This kinda solves the problem "people don't know when their sites/components are vulnerable"; now it's up to us to communicate the versions to Google.
And of course, as they say, how do people get notified? Not everyone is signed on to Google Webmaster Tools all the time (if they are registered with it at all), or via tweets or whatever. It reads as though they will be crawling and actively searching for vulnerable extensions. Do they tell every developer or just the platform provider?

Marcos Peebles said:
Look what Google has come up with:
http://ow.ly/E6wa
webmaster tools informing us... Nice!

This kinda solves the problem "people don't know when their sites/components are vulnerable"; now it's up to us to communicate the versions to Google.
Marcos Peebles said:
Look what Google has come up with:
http://ow.ly/E6wa
This kinda solves the problem "people don't know when their sites/components are vulnerable"; now it's up to us to communicate the versions to Google.

Wow! That's a good use of all of that data gathered by robots. It really does help take care of reporting needs. The one thing that we have not talked about is all of the JS and class libraries used by extensions, sometimes even just used by site developers without creating an extension. I've wondered how you would begin to keep track of all of that code base. This is a step, at least, towards a centralized listing that could be maintained. Almost creepy. More Google dominance. Eek. Thanks for sharing.
Dan Knauss said:
Pull the Joomla feed from NIST into the first admin module on the Joomla backend, or create some kind of official combined feed that incorporates sources like that.

That is a very good idea, Dan. Building on that it would be nice to next identify which ones related to the installed software. I think you are on to something.
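The step proposed here, matching a vulnerability feed against what a site actually has installed, is also what the 'security' extension in the opening post would need to do. Below is an added example of that matching logic (not code from this thread, from Joomla, or from NIST), in Python rather than PHP; the installed inventory, the feed records and their advisory ids are all constructed placeholders, and the feed shape is an assumption about what a combined feed might carry rather than NIST's real format.

```python
import re

# Constructed inventory of installed extensions (names and versions made up),
# standing in for what the backend could read from its own extension table.
INSTALLED = {
    "com_example_blog": "1.4.2",
    "mod_example_menu": "2.0.1",
    "plg_example_auth": "0.9.0",
}

# Constructed advisory feed. The ids are placeholders, not real advisory
# numbers, and the field names are an assumption for this example.
FEED = [
    {"id": "ADVISORY-PLACEHOLDER-1", "extension": "com_example_blog",
     "fixed_in": "1.4.3", "summary": "SQL injection in search parameter"},
    {"id": "ADVISORY-PLACEHOLDER-2", "extension": "mod_example_menu",
     "fixed_in": "2.0.0", "summary": "XSS in menu title"},
    {"id": "ADVISORY-PLACEHOLDER-3", "extension": "com_not_installed",
     "fixed_in": "3.1.0", "summary": "Arbitrary file upload"},
    {"id": "ADVISORY-PLACEHOLDER-4", "extension": "plg_example_auth",
     "fixed_in": None, "summary": "Authentication bypass, no fix released"},
]


def parse_version(text):
    """Turn '1.4.2' (or '1.4', or '1.4.2-beta1') into a comparable tuple of ints.
    Missing components count as zero, so '1.4' == '1.4.0'. A pre-release
    suffix is dropped; a production tool would rank it below the release."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = [int(n) for n in match.group(0).split(".")]
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def is_affected(installed_version, fixed_in):
    """An installed copy is affected if no fix exists yet, or if it is
    older than the version the fix shipped in."""
    if fixed_in is None:
        return True
    return parse_version(installed_version) < parse_version(fixed_in)


def match_advisories(installed, feed):
    """Return, in feed order, the advisories that apply to this site:
    the extension is installed and its version is still affected."""
    hits = []
    for advisory in feed:
        name = advisory["extension"]
        if name not in installed:
            continue            # feed entry for something this site doesn't run
        if not is_affected(installed[name], advisory["fixed_in"]):
            continue            # already at or past the fixed version
        hits.append({
            "id": advisory["id"],
            "extension": name,
            "installed": installed[name],
            "fixed_in": advisory["fixed_in"],
            "summary": advisory["summary"],
        })
    return hits


if __name__ == "__main__":
    for hit in match_advisories(INSTALLED, FEED):
        fix = hit["fixed_in"] or "no fix released"
        print("%s: %s %s (fix: %s) - %s" % (
            hit["id"], hit["extension"], hit["installed"], fix, hit["summary"]))
```

The two entries that survive are the blog component, which is one patch release behind, and the auth plugin, which has no fix at all; the menu module is skipped because the installed 2.0.1 is already past the 2.0.0 fix, and the uninstalled component is ignored. That last rule is what keeps a site-local report short compared with reading the whole list by hand.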
The Vulnerable Extension List procedure explained
Nice explanations/work/effort from Claire Mandville and the VEL (Vulnerable Extension List) on Joomla community site.

http://community.joomla.org/featured-articles/1110-the-vel-reportin...

*VEL team consists of mandville, lafrance, PhilD, FW116, and JeffChannell


© 2012   Created by Amy Stephen.