If you are interested in the facts, and a distinctive yet critical point of view, read on. For those of you just wanting to flame me because I dared to mention “security issues” and “Joomla!” in the same sentence, save yourselves some time and proceed directly to the comment form.

The facts
In 2001, the Australian company Miro released its Content Management System Mambo as Open Source. Due to its ease of use it gained great popularity and a large user community. In August 2005, Miro founded the Mambo Foundation in order “to foster the development of the Mambo system and to shelter the project from threats and mis-use” (Wikipedia). However the majority of the developer base didn’t like this move, so they forked a version off under the name of Joomla! and released version 1.0 in September 2005.
As soon as Mambo gained some popularity, there were the first security issues with this system. Secunia lists the first issue in December 2002 – until now they lists almost 50 issues. When in the early days these issues were mostly “general” attacks targeting PHP/SQL environments as such, due to the popularity of Mambo the attacks became more and more specialized. Only a few moths ago there were special virii targeting Mambo installations.
Since Joomla! was based on the Mambo source it inherited both the popularity and the underlying design concept. As a result, Joomla! is as vulnerable to certain attacks as is Mambo. Secunia only lists 17 security issues, but taking into account that Joomla! only exists for a year now that is on average 1.4 vulnerabilities per month!
Most of the issues occurred in 3rd party add-ons to the systems. Again there is a fatal combination of popularity and ease of use. Compared to e.g. Typo3 (3 issues listed on Secunia) with its steep learning curve, it is fairly easy to set up Mambo/Joomla! and start developing extensions for it. This means more enthusiast – and probably not very advanced – developers producing many add-ons which get installed on numerous sites. Considering a certain amount of code-copy paired with an API which was reportedly not developed with security issues in mind results in the situation we have today: a countless number of potentially vulnerable sites and new issues on an almost monthly basis.

The solution
Microsoft got a lot of (well deserved) bashing for neglecting (and even introducing) security issues with Internet Explorer and Outlook (Express). Nobody thought they would be serious when they introduced their security offensive a while back. But today even the strongest Microsoft critics have to acknowledge that the measures seem to work and that patch-by-patch Windows gets more secure. Far from being perfect, but the effort is honest and provides results.
Translated to the Mambo/Joomla! community, the first step would be to acknowledge that there actually IS a problem! Next would be a joint effort to contact all involved developers and make them fix the issues. Less savvy developers need to be consulted and/or their projects adopted by more advanced developers. The goal would be to create a release of core product and add-ons where ALL security issues are addressed. Finally a huge education effort needs to be undertaken to contact every webmaster using the CMS and have him/her upgrade to the secured system. Again, less savvy webmasters should be offered help from the community. This could even be made as a competition, where scouts get awards for finding unsecured sites and securing them.
Once this is done, the core and most of all the API needs to be consolidated (if not re-developed) with security in mind so that the system as a whole is hardened and less prone to attacks. A deliberate change of the API would prevent old add-ons to function with the new, hardened release. This would weed out unmaintained extensions and would force 3rd party developers to make new releases of their products (hopefully) adopting the new security policy.
In the end, Mambo/Joomla! would be a prime example for security-aware community-fostered open source development. In an ideal world, that is.

The reality
Especially Joomla! activists seem to prefer a much easier way: silencing the criticism. For the third time now, I was verbally harassed by Joomla! advocates because I stated basically what I have written above. Two times on WebmasterWorld, and only recently on the German Wikipedia. I think it is safe to assume that voicing my opinion on the English Wikipedia would get me the same results, and I’m pretty certain that sooner or later the same type of reaction will appear in the comments to this text. Hey, Joomla! advocates, as a proof that you have actually read this far, please include the word “etaoin” in your comment.
The common thing to these attacks is that they are pretty personal, trying to discredit me as a person as well as my sources (among others the most respected IT news source in Germany). In the recent case in Wikipedia, another commenter was treated exactly the same way, citing his use of WordPress for his blog as a proof that he is not qualified to speak about Joomla!. What makes the case in Wikipedia so delicate is that the (anonymous) Joomla! advocate tempered with the comments page – which is considered very bad style among the Wikipedia community. Another common trait to these attacks is that there are usually no factual counter-arguments given. Any objective discussion seems almost impossible. The only non-personal argument given is that ‘all issues were in 3rd party components’ and that therefore ‘Joomla! is secure’. Though this might technically be true (Secunia lists 6 vulnerabilities of the core product), it is not giving a carte blanche to Joomla!. In an effort to outsmart me on WebmasterWorld, one Joomla! advocate said:

Are you suggesting Microsoft is liable for every third-party virus transmitted via IE or MS Word?

No, of course Microsoft is not liable. And all the bashing Microsoft got over the years was not due to liability issues, but because they made it too easy for the virus programmers and because they didn’t care, denying that there was a problem at all. Sounds familiar? That’s what the Joomla! promoters do right now. To be even more polarizing: Guns are not evil – the people using the guns are evil.

The implications
Another aspect is that the continuous issues with Mambo/Joomla! are not good for the open source movement as a whole. That’s the lesson Microsoft learned: it’s not the individual virus/spyware/trojan/hijacker author who gets the bad press, it’s Microsoft! Again, translated to the Mambo/Joomla! case, it’s not only the CMS which gets the heat for it, it is Open Source as a whole who is considered to be “dangerous” or “insecure”. Actually by neglecting the issues, by playing them down, you are hurting the reputation of open source and play right into the hands of the anti-open-source movement.

What next?
I doubt that this essay has any implications on the future development of Joomla!. Most likely it will only lead to a new round of Joomla-critics-bashing. I would be pleased to get some distinctive, factual comments from Joomla! supporters. It would be a premiere.
But maybe I have sensitized some existing and/or potential users of Mambo/Joomla! to take security issues seriously. I don’t want them to switch – Mambo/Joomla! is a pretty impressive system, and if it would have been available by the time I chose Typo3 for my company chances would have been good I would have ended with Mambo. I only want them to make an effort towards security. Every Mambo/Joomla! system without vulnerabilities is one step towards a safer WWW.

So, you may now use your flamethrowers.

• Linux is more popular than Windows XP
• WordPress is more popular than Typo3
• Mambo is less popular than Typo3
• Canon and Sony battle head to head with HDV camcorders
• 3DS Max is still more popular than Cinema 4D
• Angelina Jolie is more popular than Brad Pitt
• Red (in blue) is par with Blue (in red)

And finally:

• George W. Bush is only slightly more popular than Osama bin Laden, but bin Laden gets more press coverage.

Oh, and by the way, yes, Mark, your 15 minutes of fame are clearly over… here is the proof!

Linux/Elxbot is a backdoor for the Mambo vulnerability. It will search on Google for vulnerable targets. Once it infects a computer it will connect to a predetermined IRC server where the attackers will wait and have the possibility to gain access to the infected computer.

I know why I am sticking to Typo3 and do not jump on the Mambo bandwagon…

Fortunately, Kai is there and gives a short report on his blog. The biggest news (for me) was the bit about the Workspaces, which allows to have TWO versions of any content element. The “online workspace” is the one shown on the site, the “offline workspace” is a copy in which an editor can work, without altering the online version. This as one of the most basic things missing in Typo3 so far – from my point of view.

Your paper(s) got the following voting:

not accepted: Typo3 and Search Engine Optimization / Friendlyness

In total, we had more than 60 proposals to select from, but due to limited time and space available only 24 could make it into the conference. We want to mention that due to these constraints we had to reject many interesting proposals. However, we are sure we have compiled an interesting mix for the benefit of all speakers and visitors of TYCON3.

With only 60 proposals I had wished for a more personal answer instead of this standard-letter. Yes, I’m hurt!

WordPress is a tremendous tool. It’s being developed by an outstanding group of people but it is the master of the community, not the servant like it should be.

Actually I never heard of Nuclear Moose before, and I only came across his blog because of one of the many “wonders” which blogging has to offer to me. This time it is pubsub’s, something I came across due to a hint of Mark. Again.

I wrote before about the striking similarities between WordPress and Typo3. What Nuclear Moose now pointed out in a rather disappointed way are the dissimilarities between those two open source projects.

Yep, there’s the Codex, and drDave’s plug-in site, and the developer-friendly-but-user-unfriendly-official-wordpress-plugin site, not to mention some avid community members who have extensive lists on their own sites.

This is actually the single most obvious thing which occurred to me during my first few days with WordPress. In Typo3, you have the TER (Typo3 Extension Repository), a single resource where all public extensions reside. The extensions in the repository can be accessed from within a Typo3 installation with a simple click. Everybody is invited to create new extensions. If they are intended to be public extensions (or may become public at a later stage), you need to register an extension key, which allows you to upload the extensions into the TER. Extensions get assigned alpha/beta/stable status flags as well as version numbers. The documentation to each extension is available online inside the TER and can be annotated by any user. The TER automatically creates a forum for each extension, and registered translators can start translating any newly uploaded extension, so that the extension author can use the translations for the next release. When I wrote my first own extension it got translated into Finnish within the same day.
Of course this centralized TER has its drawbacks too: the server load increased tremendously over the last year, so that the bandwidth needed to be increased and a concept for synchronized decentralization needed to be developed. And we are talking about an unfunded open source project!

How very different for WordPress! What comes closest to the Typo3 extension repository is the WordPress Plugin Database by dr Dave. He actually made the attempt to create a plug-in manager for WordPress, but unfortunately the project is on hold for the time being:

People… sorry if I may sound a bit crude, but WPPM is currently off-download and off-support (has been for the past month): the latest version had many things broken, and I simultaneously realized that I just didn’t have the time to take care of it any more.

WordPress reality is, that every extension author hosts his work on his own site. There are a few sites which try to host copies of the plug-ins or at least keep a concise linklist, but they are all far from the Typo3 TER and – as Nuclear Moose said:

What an utter waste of time and energy this has become. WordPress has become the choice of personality types who live for *nix operating systems. If you want to spend all of your time trying to get something to fucking work, then fine, fly at it.

As a final comment of reconciliation let me point out again, that Typo3 and WordPress are in fact very similar. To me it seems that they are cousins, maybe even brothers. The WordPress community may gain quite a lot from the professionalism of the Typo3 community. And in return, Typo3 may benefit from the living proof of the word-smiths who use WordPress because of its simplicity – something Typo3 has not quite mastered. Yet.

So why not profit from each other? I’m sure Kaspar and Robert and all the other core guys from Typo3 would be more than willing to talk to whoever wants to do a WPPR (WordPress Plugin Repository). I’m sure the source code for the TER is not a Danish state secret. I’m sure whoever feels inclined to invest time and work only needs to ask politely to get a copy. Go for it! Profit from each other!

The domain technozid.de has been around for years, but it had no content worth mentioning. Since it was not linked from anywhere it never got visited by a spider before. So I was quite surprised to see a swarm of spiders browsing the first post to my blog within minutes. How did they know? The answer – of course – is simple: WordPress kindly announced the existance of my blog to Ping-o-Matic once I published my first post. Well, you live and learn, and this whole blog-issues seems to be full of surprises.
In the meantime, the spiders of the Cyber-Trinity – Google, MSN and Yahoo – have visited my blog as well. Rather surprising, Google’s MediaBot paid a visit even before the regular GoogleBot spidered technozid.de. Which is funny because MediaBot is supposed to visit only those sites with AdSense on it – which is not the case for this blog.

On a sidenote: do spiders form swarms? Or do they rather form flocks, or packs? Hmm… guess they are loners after all…

I am finding my way into WordPress now. It’s actually pretty straightforward, though I would recommend at least basic HTML knowledge for anyone who wants to try it. Since almost two years I work with the open source CMS Typo3, and compared to the steep learning curve of Typo3 WordPress almost seems like a joyride. Nevertheless, there are problems with WordPress too, especially with different plugins, but in all honesty it would have surprised me if there would have been NO problems at all.
The similarities between Typo3 and WordPress are quite large. So moving from one towards the other is quite easy. Starting with WordPress might even be helpful to make the Typo3 laerning curve less steep. Actually it has been discussed t0 incorporate WordPress into Typo3, but this thread has not been updated lately. I am considering to develop an extension for Typo3 (or a plugin for WordPress) so that the two systems are able to share the same database. Blog entries in WordPress could act as items for Typo3′s tt_news extension and vice versa. I need to think a bit more about this though.

OK, so much for today. I’ll check in later and maybe work a bit on the design template too. Unfortunately the weather isn’t what I hoped for. Mostly (heavy) rain outside, but the day is still young.