A while back, we were working on a Joomla site that was at 1.5.8 and we were tasked with upgrading it to 1.5.11 (current at the time). Not knowing the back-end of the site, we did our due-diligence and diff'd the full 1.5.8 version against the current site to make sure we weren't going to trample any core-mods to the site.
Then we were hit with the most gut-wrenching feeling. We found that the authentication plugin had been hacked to send any user's credentials, upon login, to an unknown email address. We weren't responsible for the site when it happened, but still weren't excited to tell the client. The best we could trace it to was a hack that occurred while a version of Joomla <=1.5.5 was installed. No updates to the authentication plugin took place over 1.5.5 to 1.5.8, so it was never overridden, and unfortunately not caught until we got there.
This is the same hack that occurred on JoomSuite/MightyExtensions. Their site's not up now, but here's a copy of the post from RocketTheme.
Shortly after, we created our own script for verifying a Joomla version. Not just checking the VERSION.php file, but checking each individual file's MD5 hash to ensure that it was the original. We run this before and after any upgrades, and occasionally to give us a good feeling in our stomach.
After being tapped to run the security group, this weekend, we made the Version Verification Tool into a full Joomla Component to be used by anyone.
I'd love feedback on it, but eventually, we'd also like to extend this beyond merely verifying Joomla and have it verify individual components, plugins, or modules. To do that though, we'd need developer interest in coming up with a system that devs would buy in on.
So what are your thoughts? We have a script to generate the file listing and MD5s in an XML format for easy reading. After that though, should these files reside in a central location, should an XML-RPC method be developed to grab them automatically, should the user have to find them, etc.? What's best for both you and the end-user? Is there something out there already that does this that we've missed (wouldn't be the first time)?
Feel free to check out the Version Verification Tool (it's free and GPL) for now. We'll be adding more features as we get more feedback.
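As an added example (not the Version Verification Tool itself, nor Joomla project code), here is the approach the post describes in a small stand-alone script: hash every file under a pristine release tree into an XML manifest, then compare a live install against that manifest and report files that were modified, that are missing, or that were dropped in and are not part of the release. The manifest element names (`manifest`, `file`, `path`, `md5`), the `ignore` list and the sample file contents are my own assumptions; the demo builds its own scratch tree so it runs offline.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Hypothetical manifest layout, modelled on the post's "file listing and MD5s in XML":
#   <manifest version="1.5.8"><file path="VERSION.php" md5="..."/>...</manifest>

# Site-specific files that legitimately differ from the release and should not be
# reported (assumed list; configuration.php is the one every Joomla site edits).
DEFAULT_IGNORE = {"configuration.php"}


def md5_of_file(path, chunk=65536):
    """Hash a file in chunks so large media files do not have to be read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, ignore=DEFAULT_IGNORE):
    """Map each relative POSIX-style path under root to its MD5 hex digest."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in ignore:
                continue
            result[rel] = md5_of_file(full)
    return result


def build_manifest_xml(root, version):
    """Serialize the hashes of a pristine release tree as an XML manifest string."""
    top = ET.Element("manifest", version=version)
    for rel, digest in hash_tree(root).items():
        ET.SubElement(top, "file", path=rel, md5=digest)
    return ET.tostring(top, encoding="unicode")


def parse_manifest_xml(xml_text):
    """Return (version, {relative path: md5}) from a manifest string."""
    top = ET.fromstring(xml_text)
    return top.get("version"), {el.get("path"): el.get("md5") for el in top.findall("file")}


def verify_tree(root, xml_text, ignore=DEFAULT_IGNORE):
    """Compare a live tree against the manifest.

    Returns a dict with sorted lists under 'modified' (hash differs), 'missing'
    (in manifest, not on disk) and 'extra' (on disk, not in manifest).
    """
    _, expected = parse_manifest_xml(xml_text)
    actual = hash_tree(root, ignore)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    extra = sorted(p for p in actual if p not in expected)
    return {"modified": modified, "missing": missing, "extra": extra}


def demo():
    """Constructed scenario: a clean tree, then an edited auth plugin and an unknown file."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "VERSION.php": "<?php $RELEASE='1.5'; $DEV_LEVEL='8';\n",
            "configuration.php": "<?php // site-specific, ignored by default\n",
            "plugins/authentication/joomla.php": "<?php // original auth plugin\n",
            "libraries/joomla/version.php": "<?php // version class\n",
        }
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        manifest = build_manifest_xml(root, "1.5.8")
        clean = verify_tree(root, manifest)
        # Simulate the situation in the post: the auth plugin altered in place,
        # plus a file that is not part of the release at all.
        with open(os.path.join(root, "plugins/authentication/joomla.php"), "a") as f:
            f.write("// a line that was not in the release\n")
        with open(os.path.join(root, "tmp_extra.php"), "w") as f:
            f.write("<?php\n")
        return clean, verify_tree(root, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("clean install:", before)
    print("after tampering:", after)
```

Two practical points for anyone building on this: the manifest has to come from a trusted copy of the release (the vendor's download, or a tree you unpacked yourself), never from the site being checked, otherwise a modified install simply verifies against its own modified hashes; and while MD5 is enough to catch the in-place edit the post describes, a collision-resistant hash such as SHA-256 costs nothing extra to use and removes one avenue an attacker could exploit against the check itself.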