Sick of crusading Joomla! advocates trying to silence criticism

What do you do if you are promoting a piece of software which had – partly due to its popularity and partly due to inherent design concepts – several security issues more or less since its initial release?
Make a joint effort with core- and add-on developers to educate the user base and get rid of those issues once and for all?
No, way too much effort. Instead, Joomla! activists seem to prefer to come down like the wrath of God on anyone who dares to mention those issues. This is now the third time I have come across this type of immature reaction from Joomla! supporters, and I’m really sick of it.

If you are interested in the facts, and a distinctive yet critical point of view, read on. For those of you just wanting to flame me because I dared to mention “security issues” and “Joomla!” in the same sentence, save yourselves some time and proceed directly to the comment form.

The facts
In 2001, the Australian company Miro released its Content Management System Mambo as Open Source. Due to its ease of use it gained great popularity and a large user community. In August 2005, Miro founded the Mambo Foundation in order “to foster the development of the Mambo system and to shelter the project from threats and mis-use” (Wikipedia). However the majority of the developer base didn’t like this move, so they forked a version off under the name of Joomla! and released version 1.0 in September 2005.
As soon as Mambo gained some popularity, the first security issues with the system appeared. Secunia lists the first issue in December 2002, and to date they list almost 50 issues. While in the early days these issues were mostly “general” attacks targeting PHP/SQL environments as such, the attacks became more and more specialized as Mambo grew in popularity. Only a few months ago there were viruses specifically targeting Mambo installations.
Since Joomla! was based on the Mambo source, it inherited both the popularity and the underlying design concept. As a result, Joomla! is as vulnerable to certain attacks as Mambo is. Secunia only lists 17 security issues, but taking into account that Joomla! has only existed for a year now, that is on average 1.4 vulnerabilities per month!
Most of the issues occurred in 3rd party add-ons to the systems. Again there is a fatal combination of popularity and ease of use. Compared to e.g. Typo3 (3 issues listed on Secunia) with its steep learning curve, it is fairly easy to set up Mambo/Joomla! and start developing extensions for it. This means more enthusiast – and probably not very advanced – developers producing many add-ons which get installed on numerous sites. Add a certain amount of copy-and-paste code and an API which was reportedly not developed with security in mind, and the result is the situation we have today: a countless number of potentially vulnerable sites and new issues on an almost monthly basis.

The solution
Microsoft got a lot of (well deserved) bashing for neglecting (and even introducing) security issues with Internet Explorer and Outlook (Express). Nobody thought they would be serious when they introduced their security offensive a while back. But today even the strongest Microsoft critics have to acknowledge that the measures seem to work and that, patch by patch, Windows gets more secure. Far from perfect, but the effort is honest and provides results.
Translated to the Mambo/Joomla! community, the first step would be to acknowledge that there actually IS a problem! Next would be a joint effort to contact all involved developers and make them fix the issues. Less savvy developers need to be consulted and/or their projects adopted by more advanced developers. The goal would be to create a release of the core product and add-ons where ALL known security issues are addressed. Finally, a huge education effort needs to be undertaken to contact every webmaster using the CMS and have him/her upgrade to the secured system. Again, less savvy webmasters should be offered help from the community. This could even be turned into a competition, where scouts get awards for finding unsecured sites and securing them.
Once this is done, the core and most of all the API need to be consolidated (if not re-developed) with security in mind, so that the system as a whole is hardened and less prone to attacks. A deliberate change of the API would prevent old add-ons from functioning with the new, hardened release. This would weed out unmaintained extensions and would force 3rd party developers to make new releases of their products, (hopefully) adopting the new security policy.
In the end, Mambo/Joomla! would be a prime example of security-aware, community-fostered open source development. In an ideal world, that is.

The reality
Joomla! activists in particular seem to prefer a much easier way: silencing the criticism. For the third time now, I was verbally harassed by Joomla! advocates because I stated basically what I have written above. Twice on WebmasterWorld, and only recently on the German Wikipedia. I think it is safe to assume that voicing my opinion on the English Wikipedia would get me the same results, and I’m pretty certain that sooner or later the same type of reaction will appear in the comments to this text. Hey, Joomla! advocates, as proof that you have actually read this far, please include the word “etaoin” in your comment.
What these attacks have in common is that they are pretty personal, trying to discredit me as a person as well as my sources (among others the most respected IT news source in Germany). In the recent case on Wikipedia, another commenter was treated exactly the same way, his use of WordPress for his blog being cited as proof that he is not qualified to speak about Joomla!. What makes the Wikipedia case so delicate is that the (anonymous) Joomla! advocate tampered with the comments page – which is considered very bad style in the Wikipedia community. Another common trait of these attacks is that there are usually no factual counter-arguments given. Any objective discussion seems almost impossible. The only non-personal argument given is that ‘all issues were in 3rd party components’ and that therefore ‘Joomla! is secure’. Though this might technically be true (Secunia lists 6 vulnerabilities in the core product), it does not give Joomla! carte blanche. In an effort to outsmart me on WebmasterWorld, one Joomla! advocate said:

Are you suggesting Microsoft is liable for every third-party virus transmitted via IE or MS Word?

No, of course Microsoft is not liable. And all the bashing Microsoft got over the years was not due to liability issues, but because they made it too easy for the virus programmers and because they didn’t care, denying that there was a problem at all. Sound familiar? That’s what the Joomla! promoters are doing right now. To be even more polarizing: guns are not evil – the people using the guns are evil.

The implications
Another aspect is that the continuous issues with Mambo/Joomla! are not good for the open source movement as a whole. That’s the lesson Microsoft learned: it’s not the individual virus/spyware/trojan/hijacker author who gets the bad press, it’s Microsoft! Again, translated to the Mambo/Joomla! case, it’s not only the CMS which takes the heat for it, it is Open Source as a whole that is considered “dangerous” or “insecure”. By neglecting the issues and playing them down, you are actually hurting the reputation of open source and playing right into the hands of the anti-open-source movement.

What next?
I doubt that this essay has any implications for the future development of Joomla!. Most likely it will only lead to a new round of Joomla-critics-bashing. I would be pleased to get some distinctive, factual comments from Joomla! supporters. It would be a first.
But maybe I have sensitized some existing and/or potential users of Mambo/Joomla! to take security issues seriously. I don’t want them to switch – Mambo/Joomla! is a pretty impressive system, and if it had been available when I chose Typo3 for my company, chances are good I would have ended up with Mambo. I only want them to make an effort towards security. Every Mambo/Joomla! system without vulnerabilities is one step towards a safer WWW.

So, you may now use your flamethrowers.

13 Comments

  1. Hi!

    Really good article, but probably a bit too objective 🙂 It’s really a phenomenon. I discussed a lot with people in Joomla boards about possible security measures. I always stated the need for a well-defined and secure API for 3rd party plugin developers. The most common reaction was like “it’s already secure”, “the users are responsible for security”, “the plugin developers are to be blamed” and things like that. It’s a pity – the CMS is really easy to use (unless your requirements differ from standard cases, then it’s really hard) and would have big potential, but the developers simply don’t care about their product’s security…

    The impact on OSS is also something to take seriously. There are lots of good and security-aware alternatives, but it seems that their marketing (if present) reaches the Joomla users…

    And of course: etaoin 😉

  2. Joomla and security…

    This topic is apparently treated in an extremely personal and emotional way when it comes to Joomla. Computer security and data protection are two subject areas that interest me. That is why, for example, I also … the section on security from the …

  3. Jamie

    Hi there,
    an excellent article. I am very familiar with Joomla and Typo3. I agree with your comments. Excellent article.

    If it is the community that is to blame, then they should educate them. After all, users of the Joomla core ‘safe’ product use the unsafe extensions, so what’s the point of having a safe core then.

    j

  4. Hi,
    Security with CMSs is a known flaw; I would just like to have your opinion about another CMS, PHPNuke. Is it weaker or stronger than Joomla?
    Of course, when it comes to security, everything is relative, because there is no such thing as a 100% secure system; actually there are some guys out there that are capable of breaking any one of these in a matter of minutes…

  5. lee carroll

    Hi, taken from the wikipedia where I linked to this article from.

    * September 16, 2005: Joomla! 1.0.0 [Sunrise] released (re-branded release of Mambo 4.5.2.3 combined with other bug and moderate-level security fixes)
    * September 21, 2005: Joomla! 1.0.1 [Sunburst] released (Stability release)
    * October 2, 2005: Joomla! 1.0.2 [Sunset] released (Stability release)
    * October 14, 2005: Joomla! 1.0.3 [Sunlight] released (Security release – Medium Level Threat fixes issued with this release)
    * November 21, 2005: Joomla! 1.0.4 [Sundial] released (Security release – Critical Level Threat fixes issued with this release)
    * December 24, 2005: Joomla! 1.0.5 [Sunspot] released (Security release – Medium Level Threat fixes issued with this release)
    * January 15, 2006: Joomla! 1.0.6 [Sunscreen] released (Security release – Low Level Threat fixes issued with this release)
    * January 15, 2006: Joomla! 1.0.7 [Sunbolt] released (Security release – Critical Level Threat fixes issued with this release)
    * February 26, 2006: Joomla! 1.0.8 [Sunshade] released (Security release – Medium Level Threat fixes issued with this release)
    * June 05, 2006: Joomla! 1.0.9 [Sunshine] released (Security release – Low Level Threat fixes issued with this release)
    * June 25, 2006: Joomla! 1.0.10 [Sundown] released (Security release – Critical Level Threat fixes issued with this release)
    * August 29, 2006: Joomla! 1.0.11 [Sunbow] released (Security release – Critical Level Threat fixes issued with this release)
    * December 25, 2006: Joomla! 1.0.12 [Sunfire] released (Stability release – Low Level Threat fixes issued with this release)
    * October 12, 2006: Joomla! 1.5 [BETA] released.

    Now this looks like a community providing security patches in an open, upfront way. What evidence, apart from hearsay, do you have for the Joomla! community not taking security seriously? I’m looking into Joomla! so I’m interested in your experiences.

    PS I won’t be quoting your daft word.

  6. Jon Macgregor

    Just what have you contributed to the open source community? I’d be interested indeed?

    Pundits are a dime a dozen. Contributors are not.

    Contributors to open source are valued, ill-informed critics who deride the efforts of volunteers are plain ignorant.

    Do some research before you post FUD in future. The United Nations has no issue with Joomla and security. The US Army uses Joomla (after passing rigid security tests). If you want security, first secure your server, don’t blame the CMS.

    Oh, by the way, when was the last time you spoke with a Joomla/Mambo developer about your concerns? There are forums for sharing concerns.

    Do yourself a favor and play fair instead of acting the fool.

  7. Hi Jon. Thank you for leaving at least a name. I would have appreciated an email address too. So I hope you read my short answer here – I would have preferred a longer answer by email. I have considered myself a contributor to various open source projects for many years now. But even if I did not, the permission to issue criticism can not and must not be linked to whether you contribute or not. In the very post you commented on, I only secondarily criticized the (back then) lax approach to security in Joomla/Mambo. From what I have seen so far this position has shifted within the last 9 months, and you might have noticed that I have not commented on it again since then. My primary focus was a social one: that criticism of any form gets rudely bashed down by supporters. This I have not seen on any other open source project I use or contribute to. It seemed to me that the Joomla supporters were very fierce against criticism, fiercer than any others. As you might also have read, I made various suggestions of how security – on a social level – might be improved. And from what I have seen so far many of my suggestions have been implemented since then (though I do not pride myself that I was the cause – others simply had the same ideas).

    And just for completeness: I just checked Secunia again, and they now report 28 security advisories for Joomla and 7 for Typo3.

  8. Jon Macgregor

    I’ll take you back to my posting before. If you look at Secunia you will see the reports are largely issues to do with Joomla/Mambo 3rd party projects, not the core projects at all. And moreover, the Joomla team has re-written the codebase (now Joomla 1.5 at beta 2), which includes FTP layering (a further example of how seriously they take security).

    Server security is the primary reason followed close by a hole in PHP for most known issues for a range of popular scripts. From what I see of the Joomla folks, they welcome security advisories so they can take the appropriate action (if needed). Mambo, I’ve long since dropped as they’re not as active.

    So yes, I concluded that this article is FUD based on the facts which are available, had you done your research properly.

    What you charge Joomla of doing, you are doing right here yourself. Put yourself up as an expert with flawed arguments and you will be shot down. I work in government on matters pertaining to high level security and Joomla passes all the necessary tests.

    Email supplied, as it was last time.

  9. Travis

    Interesting article and Joomla has gotten better.

    I see you’re using WordPress 2.7.1

    WordPress Version 2.8.5 is the most recent at time of this comment and includes some security fixes.

  10. Jon MacGregor – it’s been some months since you posted – and you are still wrong. Joomla security is still seriously flawed. I understand (thanks Google) that you have a serious emotional investment in defending Joomla. And clearly you have difficulty understanding the meaning of Open Source. But kudos to the work you and your fellow genius-without-the-work colleagues put my way. Your failures are our gains.

    Travis – apropos of what? Have you washed your hands since you plucked that comment out of your fundamental? Do you think having the latest is the most secure? That having security fixes means a version is insecure? That thinking might involve using your brain before shooting your mouth? Joomla has, at best, got less worse. Truth through facts, not wishful thinking. Following a “popular” thing doesn’t make you popular, or right (sigh). Bad monkey – now we have to clean the cage walls, again.

    To the author – etaoin 🙂 In Open Source we value those that criticize ++1, and thanks for putting up with the shit-throwers. Someone needs to call a spade a fucking spade sometimes. Maybe Joomla will get its act together one day, but not yet – it appears to be too firmly committed to the get-rich-quick crowd. Despite constant claims they will upgrade the quality of the extensions, and close down sites using Joomla in the name to sell crap – the opposite is happening. Could that have something to do with the trying to “dumb down” Mambo (a project that has standards)?

    To the Joomla fanbois – Joomla! is terrific – best thing to happen to computing since Microsoft became popular. So good in fact that I’ll be naming my next boat “Joomla!” . Joomla is popular because it sells the same old con – you’d don’t need to learn a thing, you can get rich quick. Witness teh number of Joomla! designers that canna spel. Tomorrow we’ll line up all the people who can code or design and shoot them – then the trailer-park web “masters” can rool the world. Next week we’ll launch learning you just sprinkle on your morning bowl of bachelor chow (sigh). Show me one good site made with Joomla# (tried Joomla.org, Linux.com already) and I’ll show you a site that is not standards compliant, doesn’t decompose gracefully, is hard to read and navigate, un-viewable on a mobile device, won’t load quickly on a slow connection, can’t be navigated with a browser for the blind, and *is* insecure. Now bring on the hordes of Joomla# lovers who say none of those things (sic) are important (just to prove evolution is *not* horizontal). As for the grossly distorted use of the term “Open Source”… ever bother to read the actual code in your lovely, for sale, templates? Just below where you fanbois write your copyright tag is the line about GPL – have you read that far? Or did your lips get sore (sigh). Back to ffffFacebook and your “desiging” (autistic faecal finger painting).

    Cheers – better offensive than ignorant.

    If 16 million people believe a stupid thing – it’s still stupid

  11. Andreas – data protection and security are personal for me. A “security expert” should be careful. Your expertise can be tested. Joomla has no serious security problems? Where is your website now (sigh)?
    Apologies to the German speakers – it is not my mother tongue.
    etaoin
