What do you do if you are promoting a piece of software which had – partly due to its popularity and partly due to inherent design concepts – several security issues more or less since its initial release?
Make a joint effort with core- and add-on developers to educate the user base and get rid of those issues once and for all?
No, way too much effort. Instead, Joomla! activists seem to prefer to come down like the wrath of God on anyone who dares to mention those issues. It is now the third time I have come across this type of immature reaction from Joomla! supporters, and I’m really sick of it.
If you are interested in the facts, and a distinctive yet critical point of view, read on. For those of you just wanting to flame me because I dared to mention “security issues” and “Joomla!” in the same sentence, save yourselves some time and proceed directly to the comment form.
In 2001, the Australian company Miro released its Content Management System Mambo as Open Source. Due to its ease of use it gained great popularity and a large user community. In August 2005, Miro founded the Mambo Foundation in order “to foster the development of the Mambo system and to shelter the project from threats and mis-use” (Wikipedia). However the majority of the developer base didn’t like this move, so they forked a version off under the name of Joomla! and released version 1.0 in September 2005.
As soon as Mambo gained some popularity, the first security issues with this system appeared. Secunia lists the first issue in December 2002, and to date they list almost 50 issues. While in the early days these issues were mostly “general” attacks targeting PHP/SQL environments as such, the popularity of Mambo caused the attacks to become more and more specialized. Only a few months ago there were special viruses targeting Mambo installations.
Since Joomla! was based on the Mambo source, it inherited both the popularity and the underlying design concept. As a result, Joomla! is as vulnerable to certain attacks as Mambo is. Secunia lists only 17 security issues, but taking into account that Joomla! has only existed for a year now, that is on average 1.4 vulnerabilities per month!
Most of the issues occurred in 3rd party add-ons to the systems. Again there is a fatal combination of popularity and ease of use. Compared to e.g. Typo3 (3 issues listed on Secunia) with its steep learning curve, it is fairly easy to set up Mambo/Joomla! and start developing extensions for it. This means more enthusiast (and probably not very advanced) developers producing many add-ons which get installed on numerous sites. Add a certain amount of copy-and-paste code paired with an API which was reportedly not developed with security in mind, and the result is the situation we have today: a countless number of potentially vulnerable sites and new issues on an almost monthly basis.
Microsoft got a lot of (well deserved) bashing for neglecting (and even introducing) security issues with Internet Explorer and Outlook (Express). Nobody thought they would be serious when they introduced their security offensive a while back. But today even the strongest Microsoft critics have to acknowledge that the measures seem to work and that patch-by-patch Windows gets more secure. Far from being perfect, but the effort is honest and provides results.
Translated to the Mambo/Joomla! community, the first step would be to acknowledge that there actually IS a problem! Next would be a joint effort to contact all involved developers and make them fix the issues. Less savvy developers need to be consulted and/or their projects adopted by more advanced developers. The goal would be to create a release of core product and add-ons where ALL security issues are addressed. Finally a huge education effort needs to be undertaken to contact every webmaster using the CMS and have him/her upgrade to the secured system. Again, less savvy webmasters should be offered help from the community. This could even be made as a competition, where scouts get awards for finding unsecured sites and securing them.
Once this is done, the core and most of all the API needs to be consolidated (if not re-developed) with security in mind, so that the system as a whole is hardened and less prone to attacks. A deliberate change of the API would prevent old add-ons from functioning with the new, hardened release. This would weed out unmaintained extensions and would force 3rd party developers to make new releases of their products, (hopefully) adopting the new security policy.
In the end, Mambo/Joomla! would be a prime example for security-aware community-fostered open source development. In an ideal world, that is.
Joomla! activists in particular seem to prefer a much easier way: silencing the criticism. For the third time now, I was verbally harassed by Joomla! advocates because I stated basically what I have written above. Twice on WebmasterWorld, and only recently on the German Wikipedia. I think it is safe to assume that voicing my opinion on the English Wikipedia would get me the same results, and I’m pretty certain that sooner or later the same type of reaction will appear in the comments to this text. Hey, Joomla! advocates, as proof that you have actually read this far, please include the word “etaoin” in your comment.
What these attacks have in common is that they are pretty personal, trying to discredit me as a person as well as my sources (among others the most respected IT news source in Germany). In the recent case on Wikipedia, another commenter was treated exactly the same way, his use of WordPress for his blog being cited as proof that he is not qualified to speak about Joomla!. What makes the case on Wikipedia so delicate is that the (anonymous) Joomla! advocate tampered with the comments page, which is considered very bad style among the Wikipedia community. Another common trait of these attacks is that usually no factual counter-arguments are given. Any objective discussion seems almost impossible. The only non-personal argument given is that ‘all issues were in 3rd party components’ and that therefore ‘Joomla! is secure’. Though this might technically be true (Secunia lists 6 vulnerabilities of the core product), it does not give Joomla! carte blanche. In an effort to outsmart me on WebmasterWorld, one Joomla! advocate said:
Are you suggesting Microsoft is liable for every third-party virus transmitted via IE or MS Word?
No, of course Microsoft is not liable. And all the bashing Microsoft got over the years was not due to liability issues, but because they made it too easy for the virus programmers and because they didn’t care, denying that there was a problem at all. Sound familiar? That’s what the Joomla! promoters are doing right now. To be even more polarizing: Guns are not evil, the people using the guns are evil.
Another aspect is that the continuous issues with Mambo/Joomla! are not good for the open source movement as a whole. That’s the lesson Microsoft learned: it’s not the individual virus/spyware/trojan/hijacker author who gets the bad press, it’s Microsoft! Again, translated to the Mambo/Joomla! case, it’s not only the CMS which gets the heat for it, it is Open Source as a whole which is considered to be “dangerous” or “insecure”. By neglecting the issues and playing them down, you are actually hurting the reputation of open source and playing right into the hands of the anti-open-source movement.
I doubt that this essay will have any effect on the future development of Joomla!. Most likely it will only lead to a new round of Joomla-critic bashing. I would be pleased to get some distinctive, factual comments from Joomla! supporters. It would be a first.
But maybe I have sensitized some existing and/or potential users of Mambo/Joomla! to take security issues seriously. I don’t want them to switch: Mambo/Joomla! is a pretty impressive system, and if it had been available when I chose Typo3 for my company, chances are good that I would have ended up with Mambo. I only want them to make an effort towards security. Every Mambo/Joomla! system without vulnerabilities is one step towards a safer WWW.
So, you may now use your flamethrowers.