Soapbox Engage Blog

I got forwarded an email yesterday about a vulnerability in the Joomla! component "a6MamboCredits". The vulnerability was due to three things.

1. Registered Globals were turned on.
2. Joomla! emulates registered globals turned on.
3. The global varible "mosConfig_absolute_path" was used to include files.

Woe is the PHP hosting provider that thinks leaving register_globals on is a good thing. At lunch today, the PICnet gang was chatting about security vulnerabilities that were occuring in many Joomla 3rd party components. The problem is that our wonderful Joomla core was taking flack for not being secure, but at the end of the day all the hacks seemed to be occuring because of poor programming and server hosts leaving on the dreaded "register_globals" on their servers.

I mean, this is PHP hosting 101, right?

Unfortunately, one of our great clients had a server that had register_globals turned on, and the hacker took full advantage. Moral of the story, please, please, check to make sure that register_globals is turned off. If your hosting provider has it turned on, turn and run the other way.

Now, to take this to the next step, Johannes Ullrich over at the Internet Storm Center wrote his Tip of the Day on PHP security today. Read more for some excerpts of how you can protect your code.

So alot of exciting stuff has been happening around here at PICnet. I have worked with the Good Storm developers to create a new Joomla module for MeCommerce. It will allow you to easily install and create MeCommerce modules in your Joomla site, rather than copying and pasting the Javascript code from the Good Storm MeCommerce module to Joomla.

As LinuxWorld San Francisco gets ready to take off, the Joomla team and I spent the day fighting for good booth space, popping up a wifi spot, grabbing some drinks in Pacific Heights, and generally getting ready for the mayhem to begin.