Alex Andreae
  • Male
  • Austin, TX
  • United States

Alex Andreae's Friends

  • Will Mavis
  • Melissa Andreae
  • John Coonen
  • Rafael Diaz-Tushman
  • Kyle Ledbetter
  • Amy Stephen

Alex Andreae's Groups

Alex Andreae's Discussions

What's your approach to starting a new extension?
37 Replies

We create a lot of extensions. Most are small-time plugins or modules for clients, but we do the larger component releases every few months (or try to at least). Since there is a lot of 'required, but…

Tags: development

Started this discussion. Last reply by Amy Stephen Oct 18, 2009.

 

Alex Andreae's Page

Latest Activity

Marcos Peebles replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
The Vulnerable Extension List procedure explained Nice explanations/work/effort from Claire Mandville and the VEL (Vulnerable Extension List) on Joomla community…
Feb 3, 2010
Amy Stephen replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
That is a very good idea, Dan. Building on that it would be nice to next identify which ones related to the installed software. I think you are on to something.
Dec 3, 2009
Amy Stephen replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
Wow! That's a good use of all of that data gathered by robots. It really does help take care of reporting needs. The one thing that we have not talked about is all of the JS and class libraries used by extensions, sometimes even just used by…
Nov 22, 2009
C O'Shea replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
And of course as they say - how do people get notified? Not everyone is signed on to Google Webmaster all the time, or via twits or whatever. It reads as though they will be crawling and actively searching vulnerable extensions. Do they tell…
Nov 21, 2009
Marcos Peebles replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
Look what Google has come up with: http://ow.ly/E6wa webmaster tools informing us... Nice!
Nov 21, 2009
Jeff Channell replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
That's awesome. That nonsense at the bottom was originally only 4 characters, and I got an extra escaped body tag out of it. :) See? Sanitize all input. '>"<</body>
Nov 19, 2009
Jeff Channell replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
As I see it, it's not a Joomla problem as much as it is a developer problem. No matter what platform you're developing for, you HAVE to sanitize user input. ALL of it. For crying out loud, mysql_real_escape_string() and htmlentities() will…
Nov 19, 2009
C O'Shea replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
Agreed - although unless someone religiously sits there and reads all the different sources that would be a full time job. The list is being updated with alerts as they are received, most of the recent ones coming from the original post, but it does…
Nov 19, 2009
Jeff Channell replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
It's 2 L's, Alex. :) The Vulnerable Extension list is in NO WAY complete at all. Has anyone seen milw0rm.com? Plenty of Joomla vulnerabilities there, even though it's no longer being updated. Not to mention only a portion of the ones…
Nov 19, 2009
Alex Andreae replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
I agree about a period of time to show up on the list. While it may look bad for the developer, it's one of those cases where it's more important to the end-user to know about possible vulnerabilities. A 6 month - 1 year timeframe seems…
Nov 18, 2009
Amy Stephen replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
I assume the list doesn't have anything on it that isn't already listed on Secunia? I suppose it makes sense to delist a year after the problem is resolved. People need the list and they don't always upgrade right away, so, the items…
Nov 18, 2009
C O'Shea replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
The list on the wiki has caused a few upsets over appearing on the list, and a few developers jumping hoops to be delisted with their fixed notices. But it has brought to the attention of the community that such things are taken seriously, if…
Nov 18, 2009
Amy Stephen replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
It appears that the project is now maintaining a Wiki resource for vulnerable extensions. This is a very good start. I am still hopeful to see this eventually come out of JED where it can be RSS fed. Good work to the J! team!
Nov 10, 2009
C O'Shea replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
The list you mentioned is being updated, from PhilD list, but as with everything, unless someone dedicates the time to go through every security forum release, only the community can be relied on to report bad extensions
Nov 2, 2009
Amy Stephen replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
Geoff can say otherwise, but I see no reason to test the vulnerability. If it's on Secunia - or another reputable service - we have to act. The ultimate conclusion might be convincing Secunia they are wrong, but the mere existence of the…
Oct 27, 2009
Amy Stephen replied to Alex Andreae's discussion 'Tracking Extension Vulnerabilities' in the group Security
It is standard operating procedure for free software projects to withhold vulnerabilities until there is a fix to avoid putting targets on community member Web sites. In Joomla! core, the same is true. Information is withheld until there is a…
Oct 27, 2009

Profile Information

Please share a bit about your Joomla! Experience and yourself. The more information you provide the quicker we will be able to process your membership.
Owner of SourceCoast Web Development which makes multiple GPL Joomla extensions, including JFBConnect, the powerful Joomla Facebook integration component.
Business Web site
http://joomla-facebook.com
Blog
http://www.sourcecoast.com/blog
Twitter
http://www.twitter.com/sourcecoast

Comment Wall (2 comments)


At 11:15am on January 9, 2010, Amy Stephen said…
Happy Birthday!
At 1:16am on September 30, 2009, Amy Stephen said…
I take it you came with Melissa? :)

It's very cool to see your partnership with Joomla! and the business sense you both have. I will be sponging knowledge from you both.

Love your discussions, too. Thanks for joining us!
 
 
 


© 2012   Created by Amy Stephen.
