Yet again a vulnerability in Joomla

The never ending story


pmkpmk

7:41 pm on Jul 13, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Continued from [webmasterworld.com...]

There is a new security vulnerability in Joomla. Again. This time it's the extension "perForms", which can be abused to install an IRC-bot. There is a similar vulnerability in the component "Galleria". The Joomla team is aware [forum.mamboserver.com] of the problem and suggests checking certain PHP files and modifying them if necessary.

This new incident only fosters my personal view that Joomla's track record forbids its usage in any serious webmaster/website projects. Yeah, flame me!

smatts9

4:51 am on Jul 15, 2006 (gmt 0)

10+ Year Member



Get Typo3, or better yet code your own. Takes some programming knowledge but isn't impossible. I've always liked coding my own; it gives me a feeling of accomplishment, I improve my programming skills along the way, and it is a great way to learn things you never knew before.

shigamoto

9:23 pm on Jul 18, 2006 (gmt 0)

10+ Year Member



The security alert is mainly if you installed 3rd party components with Mambo or Joomla, and a pretty easy solution is provided.

I run a fairly large site with Joomla and it works like a charm; sure, there are security flaws and bugs like in any other software or system.

pmkpmk

8:49 am on Jul 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am a hardcore Typo3 user - therefore my Mambo comments are heavily biased. However, the number of extensions available for Typo3 dwarfs those available for Mambo/Joomla, but Typo3 had only ONE security issue so far, and it was dealt with within hours. It had NO security issue with an extension so far. Mambo/Joomla had quite a lot of security issues so far, and they were evenly distributed among the core system and the extensions.

Don't get me wrong: there's a place both for Typo3 and Mambo/Joomla. Some projects are better for Typo3, others better for Mambo/Joomla. But popularity brings responsibility! Security issues in a widespread system ARE a danger for all of us! And a track record of security issues in one open source CMS creates a negative image for ALL open source CMS.

malachite

12:31 am on Jul 20, 2006 (gmt 0)

10+ Year Member



You mean like Microsoft?

pmkpmk, your posting is particularly naive and unhelpful to people who may be considering using Joomla. If you had done your homework and checked the relevant forum on the Joomla website, you would find the vulnerabilities pertain largely to third party components.

Any core vulnerabilities are patched within hours. It might be said that the responsiveness of the Joomla team is a darned sight better than we see in commercial environments. Microsoft being a prime example.

incrediBILL

12:54 am on Jul 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Joomla is no more risky than anything else and it's like Internet Explorer, an easy target due to its popularity, as people don't tend to look for vulnerabilities in lesser used products.

Face it, anything that gets popular will have any vulnerabilities exploited, that's just the way it is.

bedlam

1:27 am on Jul 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am a hardcore Typo3 user

So am I.

Typo3 had only ONE security issue so far, and it was dealt with within hours. It had NO security issue with an extension so far.

If you think this is true, I'd advise you to stop what you're doing, consult the list of security bulletins on www.typo3.org [typo3.org] and get to work fixing any issues you discover with your own sites.

The TYPO3 project does deal with security issues promptly and efficiently, but ONE security issue? Give me a break...

-b

pmkpmk

10:20 am on Jul 25, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Check out Secunia:

Mambo & components - 33 issues, some exploited by specialized virii [secunia.com]
Joomla! & components - 11 issues, not exploited by any virus [secunia.com]
TYPO3 & extensions - 3 issues, not exploited by any virus [secunia.com]

I am not saying that Mambo/Joomla itself (i.e. the CORE system) is more vulnerable. What I am saying is that the WHOLE product, consisting of the core application PLUS 3rd party components, has quite a lot of issues. This is bad for potential users, especially if they are not that tech-savvy but use the system off the shelf. And this is bad for the public perception of Open Source CMS systems as a whole!

What Mambo/Joomla! is missing is awareness among the user and developer community and a widespread coordinated action to analyze and eliminate existing issues (especially the ones not yet detected), to contact existing users and help them upgrade their systems, and to prevent future issues by means of educating developers and probably providing frameworks or best practices.

Fiky

1:13 pm on Jul 29, 2006 (gmt 0)

10+ Year Member



So if I add the following under the <?php tag in performs.php:

/** ensure this file is being included by a parent file and stop direct linking */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

Will that block this attack?
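Since the advice in the thread is to check the component files and add the `defined( '_VALID_MOS' )` guard where it is missing, here is an added audit script that does exactly that (not code from the thread or from the Joomla/Mambo project). It assumes the components directory is passed as a path and that each file opens with `<?php` on its own line; the sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Joomla/Mambo project.
# Lists component PHP files missing the Mambo/Joomla 1.0 direct-access guard
# and can insert the guard directly after a file's opening `<?php` line.
# Assumptions: the components tree is passed as a directory path, and each
# file opens with `<?php` on a line by itself (the case described above).

GUARD="defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );"

# Print every .php file under $1 that does not contain the guard at all.
find_unguarded_php() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # The guard only protects the file if it runs before any other code,
        # but a presence check is enough to shortlist files worth inspecting.
        grep -q "defined( *'_VALID_MOS' *)" "$f" || printf '%s\n' "$f"
    done
}

# Insert the guard right after the first `<?php` line of $1 (edits in place).
add_guard() {
    awk -v g="$GUARD" '{ print } !done && /^<[?]php/ { print g; done = 1 }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed sample tree: one component file with the guard, one without.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/com_good" "$SAMPLE_DIR/com_bad"
cat > "$SAMPLE_DIR/com_good/good.php" <<'EOF'
<?php
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
echo "guarded component";
EOF
cat > "$SAMPLE_DIR/com_bad/bad.php" <<'EOF'
<?php
echo "unguarded component";
EOF

# Report the files that still need attention (expected: com_bad/bad.php).
find_unguarded_php "$SAMPLE_DIR"
```

Run `add_guard` on each reported file and re-run the scan; an empty result means every file under the tree now carries the guard, which stops direct requests to the file but does not change anything the component does when it is loaded through index.php.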

moltar

1:26 pm on Jul 29, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Mambo/Joomla is a monster so it's prone to have more bugs.

malachite

8:56 pm on Jul 29, 2006 (gmt 0)

10+ Year Member



May I suggest the best place to discuss possible security issues with a particular CMS would be on that CMS's own security forum.

Firstly, I would point out that Mambo and Joomla! are now two totally separate projects, and that any security issues relating to one do not automatically relate to the other.

Where any issues have arisen with the core code, a patch has been released within hours. The core team is actually extremely grateful to the kiddie-hackers, as they have helped no end in identifying problems they might otherwise have taken far longer to spot!

In the vast majority of cases as far as Joomla! is concerned, any security issues which have arisen relate to third-party developers' code (which hasn't been written properly) or the user's hosting environment.

Neither is under the control of the Joomla! core team, and as a professional publisher, you should always ensure:

1: You are using an up-to-date version of Joomla!, and
2: Your hosting environment is not full of security holes (a good rule of thumb on whether your host is secure or not is what you pay for hosting).

Ideally, use a fully managed host and if third-party components must be used, use only those not listed as vulnerable.

In fact, pmkpmk, I suggest you post your half-baked theories on the Joomla! forum and see what reaction you get :)

moltar

1:45 pm on Jul 31, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In the vast majority of cases as far as Joomla! is concerned, any security issues which have arisen relate to third-party developers' code (which hasn't been written properly) or the user's hosting environment.

Assisting third parties to include their code in your software makes you liable as well.

malachite

11:25 pm on Aug 2, 2006 (gmt 0)

10+ Year Member



Assisting third parties to include their code in your software makes you liable as well.

Hardly. Are you suggesting Microsoft is liable for every third-party virus transmitted via IE or MS Word?

Just because something is designed to work with a piece of software doesn't make it a part of that software.

pmkpmk

10:59 am on Aug 3, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Are you suggesting Microsoft is liable for every third-party virus transmitted via IE or MS Word?

No, of course they are not liable. But with every third party virus their reputation suffers! It's not the third party virus programmer who gets blamed. No, Microsoft gets blamed for selling insecure software, making it way too easy for viruses to propagate. Just have a look at what a hard time MS has had for two years now trying to change this image.

Actually you have just proven my point.

lammert

2:07 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hardly. Are you suggesting Microsoft is liable for every third-party virus transmitted via IE or MS Word?

Just because something is designed to work with a piece of software doesn't make it a part of that software.

By designing a piece of software which allows plug-ins to work at the same operating and security level as the main application, you can see the main platform as responsible when software flaws in the plug-ins cause the main platform to become unstable.

This is one of the reasons why Linux is less vulnerable to viruses and crashes than Windows. The graphical user interface (X, Gnome, KDE or whatever) is running in userland, rather than built into the kernel, so less code is able to crash the main application.

Microkernel OS architectures like Minix, QNX etc. go even a step further and have things like file system handling outside of the main kernel. Those systems are hardly vulnerable to anything and are therefore used for critical applications.

By having openings in the software that allow third party applications to integrate with the Joomla platform, Joomla is responsible for the flaws that arise, but--to defend their point of view--on a PHP-based system it is almost impossible to write a CMS platform which is both secure AND extendable with external plug-ins.