Open Source Network Blog

Book-review Joomla! Web Security
Sunday, 22 March 2009 12:06
Jisse Reitsma

Jisse Reitsma is co-founder of Jira ICT, wrote a book on Joomla! Templates, and teaches many courses and programs in Joomla!, Magento and Drupal.

A couple of days ago I ordered and received the book Joomla! Web Security written by Tom Canavan, and last night I found some free time to read the book. Because I am already familiar with most of the topics covered in the book, "reading" is actually not the right term - it was more like scanning, and it took me about 30 minutes. Here's my review.

What is this book about?

The book is called "Joomla! Web Security", so it is obviously about Joomla! and how you can make Joomla! more secure. Since Joomla! has become one of the most popular CMSs on the web, people have claimed that Joomla! is not secure. Most of these claims come down to the point where third-party extensions are just installed recklessly into Joomla! and expose the website to vulnerabilities. Some claims also come down to bad configuration of the webserver environment. Tom Canavan's book sums it all up.

The topics

First of all it covers the hosting part: which configuration is needed for running a secure Joomla! site? It not only comes down to the checks you have to make during the installation of Joomla! (involving checks for PHP settings like "Register Globals"), but also dives further into choosing the right hosting provider and IDS (Intrusion Detection Systems).

Besides the hosting part, all the other topics of web security are covered as well - the applications you can use to audit your site, which kinds of hacks are out there, the protection of Joomla! through .htaccess, analysing log files. But somehow - while reading (sorry, scanning) the book - I got the feeling the book did not cover all the topics. For instance, the Apache module "mod_security" did not appear anywhere in the book.

Not for security experts

Important to note is that this book is not valuable to security experts. If you are a security expert and you read this book, all the topics should be familiar - if they are not, you are not a security expert. The book still gives a lot of insight into all the topics related to Joomla! security, so any (technical) Joomla! fan might find it very interesting.

Instead of focusing on the usage of Joomla! (which would only include tips like using strong passwords and not choosing dubious third-party extensions), the book covers the wide range of web security in general. Topics like SQL injection are explained well enough to introduce the subject to beginners. I do recommend this book, but if you are a PHP programmer and you want to protect your own code against SQL injection, you need to dive into other resources as well.

Not for Joomla! 1.5

So this is the point where I got really disappointed. The book was first published in September 2008 - that's about 7 months after the stable release of Joomla! 1.5. And it mentions that the book applies to Joomla! 1.5, but it does not include the following topics at all:

  • MD5 passwords and Joomla! 1.5 salting
  • The Joomla! inclusion-check on _JEXEC
  • Form tokens (JHTMLForm::token and JRequest::checkToken)
  • Custom error pages in Joomla! templates
  • Preventing SQL injection through JRequest
  • Session-storage in the Joomla! database
To my knowledge the Filtering Options within the Article Settings were introduced after September 2008, so I'm willing to cut some slack there. But because the points above are missing, it appears to me as if Tom did not inspect Joomla! 1.5 security at all. Extensions like jSecure Authentication and JoomSuite Defender are missing as well.
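For readers who have not seen these Joomla! 1.5 mechanisms in code, here is what four of the missing items look like in a component file. This is an added example written for this review; it is not code from the book and not Joomla!'s own source. The component name com_example, the table #__example_notes and its columns are assumptions made up for illustration; the API calls (the _JEXEC guard, JHTML::_('form.token'), JRequest::checkToken(), JRequest::getVar() filtering, $db->Quote() and JUserHelper) are the real Joomla! 1.5 ones.

```php
<?php
// Added example: a Joomla! 1.5 component file, e.g. components/com_example/example.php
// (path and table name are assumptions for illustration).

// 1. Inclusion check. Joomla!'s index.php defines _JEXEC before loading any
//    extension file, so requesting this file directly over HTTP stops here.
defined('_JEXEC') or die('Restricted access');

// 2. Form token. JHTML::_('form.token') calls JHTMLForm::token() and prints a
//    hidden input whose name is a hash bound to the visitor's session.
function exampleRenderForm()
{
    $action = JRoute::_('index.php?option=com_example&task=save');
    echo '<form action="' . $action . '" method="post">';
    echo '<input type="hidden" name="id" value="1" />';
    echo '<input type="text" name="title" />';
    echo JHTML::_('form.token');
    echo '<input type="submit" value="Save" /></form>';
}

// 3. Token check plus 4. filtered input and quoted SQL.
function exampleSave()
{
    // Reject the POST unless the session token came back with the form (CSRF protection).
    JRequest::checkToken() or jexit('Invalid Token');

    // JRequest::getVar() applies the named filter ('string' strips tags and trims);
    // getInt() casts to an integer before the value ever reaches a query.
    $title = JRequest::getVar('title', '', 'post', 'string');
    $id    = JRequest::getInt('id', 0);

    // Values go through $db->Quote() and identifiers through $db->nameQuote(),
    // instead of being interpolated raw into the SQL string.
    $db = JFactory::getDBO();
    $query = 'UPDATE ' . $db->nameQuote('#__example_notes')
        . ' SET ' . $db->nameQuote('title') . ' = ' . $db->Quote($title)
        . ' WHERE ' . $db->nameQuote('id') . ' = ' . (int) $id;
    $db->setQuery($query);
    $db->query();
}

// 5. Salted MD5 passwords. Joomla! 1.5 stores jos_users.password as "md5(pass.salt):salt",
//    which is what JUserHelper::getCryptedPassword() produces for the default md5-hex scheme.
function exampleStorePassword($plaintext)
{
    $salt   = JUserHelper::genRandomPassword(32);
    $hashed = JUserHelper::getCryptedPassword($plaintext, $salt);
    return $hashed . ':' . $salt;
}

function exampleVerifyPassword($plaintext, $stored)
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false; // unsalted pre-1.5 record; would need re-hashing on next login
    }
    list($hashed, $salt) = $parts;
    return JUserHelper::getCryptedPassword($plaintext, $salt) === $hashed;
}
```

The two halves go together: the token emitted in exampleRenderForm() is what JRequest::checkToken() looks for in exampleSave(), and a request that lacks it (a cross-site POST, for instance) ends at jexit() before any filtering or database work happens.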

This rating goes down

Besides the fact that Joomla! 1.5 specific things are not discussed at all, I was also missing stuff like Apache mod_security, insecurities with sessions (session hijacking, session fixation, etcetera), real-life examples of CSRF and XSS (as they are becoming a real problem), or a simple thing like user permissions (ACLs).

I have written a book myself, so I know it is hard to keep the most critical readers happy. Also, writing a book doesn't earn you that much money, so after you've written 200 pages and the deadline is closing in, finishing it off quickly is an ethical choice in my opinion. But writing a book on a subject and not even mentioning some very vital parts is straight-out sloppy.

I recommend this book, but only as a brief introduction to the complicated subject of security, and only after changing the book's title to "Joomla! 1.0 Web Security for Beginners".
