There is an unfortunate misperception among PHP programmers that having open (777) permissions on a file or folder is not a security risk for a website, or at worst only a minor one. The purpose of this article is to explain why this is wrong: such permissions are dangerous to the security of your site. I will discuss this using the context of a Joomla website, but really the main points apply to any website.
There must be many, many e-commerce websites that use the combination of Joomla 1.5.x and Virtuemart 1.1x. They are a popular combination and work well. The problem is that these systems are at the end of their life: there will be no further releases even for security patches. Ideally website owners should be migrating now (if you have not already) to Joomla 2.5 and Virtuemart 2.x.
There have been big changes in the Joomla extensions directory in recent months: since July this year the directory has only included extensions that are licensed under the General Public License (GPL), the same license that Joomla itself is licensed under.
So commercial developers of Joomla extensions have been faced with a choice: either convert to the GPL, or try to go it alone without being listed in the directory.
We decided to convert to the GPL: our software has always been open-source, and the license that we used in the past was similar to the GPL in most respects, so the practical changes required were not too great. In the end the decision was pragmatic: in a survey we found that about three quarters of our site users arrived through the JED, and we felt that we would be unlikely to survive as a business without being listed there.
However we are not happy about being forced into this decision. It is my belief that, as a software author, it should be up to me how I decide to license my own work.
Whether we will be able to survive as a business under the GPL is open to question. The JED have introduced policies to protect software authors from those who would abuse the GPL and try to pass the work of other people as their own. Extensions that are actually minor changes to the code of an existing extension will not be listed. However, will Joomla also ban advertising on their site for such extensions? I suspect not. The fact that they are not listing such extensions in the JED is a tacit admission that there is a problem with the GPL in protecting the surely legitimate rights of software authors.
Not surprisingly there has been a good deal of debate over this issue. One of the more unpleasant aspects of the debate has been the clearly expressed attitude of some people that commercial developers who release Joomla extensions that are not open source and not GPL are exploiting Joomla rather than contributing to it. This is nonsense. Anyone who writes a good Joomla extension that fulfils a demand is contributing to it. The fact that there are a fair number of such commercial extensions is evidence that users want them, and they are fulfilling a demand that purely open-source, non-commercial extensions cannot meet.
Joomla's great strength has been the huge range of extensions available. This is due to the fact that it is an excellent framework for developing website applications. However it is certainly not the only one. Before I became a Joomla developer I spent a good deal of time looking into content management systems (and even wrote one of my own). I concluded eventually that Joomla was the best system of content management going, and decided to work with it. I think that there is a real danger now that, as soon as a convincing alternative system comes along, many developers will desert Joomla, which will be everyone's loss.
Having started to sound off about this I find that I have a good deal more to say on it, so I will return to this issue in the future.
I am pleased to say that, through our related site Inspiration Web Design, we have just been listed in the Joomla Resources Directory.
And I really am pleased. Of course it is good for business, but there is also a personal element to it as well, since I received a short email from them thanking me for my past efforts for the Joomla! Community as well as approving the listing.
It was nice to feel that our efforts have been noticed. We have always tried to work in the spirit of Joomla!, rather than just making templates and extensions for profit. That is why our extensions have always been Open Source. It is why I regularly participate in the Joomla forums (you can see my profile here).
This is something that I would recommend to all developers. If you create extensions purely as a way of making money that is all that you will ever get out of it. Money is nice to have of course, and indeed very necessary, but the sense of belonging to a real online community is not something you can put a price on.
Recent warnings by the French and German governments have highlighted concerns about the security of Internet Explorer, for example see http://news.bbc.co.uk/1/hi/technology/8465038.stm . This has led to recommendations that users should abandon the use of Internet Explorer.
However, is this good advice? Clearly in the short term, yes. Until Microsoft release a security patch for the existing problem it clearly makes sense to avoid using it, and particularly IE6. In the longer term though, I think it is unwise to assume that Internet Explorer is necessarily less secure than the alternatives. The fact is that attackers target IE because of its popularity - why would they bother to target a browser that hardly anyone uses? Those responsible for malware are generally in it for the prospect of a financial return, and it is common sense for them to target the most popular browser. Joomla has faced much the same problem in the Content Management world.
If the current scare results in a substantial exodus towards other browsers then we can certainly expect to see more attacks targeted at them in the future. For example, there are already security issues concerning some of the add-ons available for Firefox - see http://www.sciencetext.com/remove-firefox-addons-improve-security.html.
If the result of this current scare is to finally bury IE6 then I don't think that there will be any web developers shedding a tear; it will make web development so much easier. It really is the most annoying web browser going, and it is astonishing that so many people still apparently use it.