Joomla! Web Security -- Table of Contents -- Joomla! Web Security -- Credits -- About the Author -- About the Reviewer -- Preface -- What This Book Covers -- Who is This Book For -- Conventions -- Reader Feedback -- Customer Support -- Downloading the Example Code for the Book -- Errata -- Piracy -- Questions -- 1. Let's Get Started -- Introduction -- Common Terminology -- Hosting-Selection and Unique Needs -- What Is a Host? -- Choosing a Host -- Questions to Ask a Prospective Host -- Facilities -- Things to Ask Your Host about Facility Security -- Environmental Questions about the Facility -- Site Monitoring and Protection -- Patching and Security -- Shared Hosting -- Dedicated Hosting -- Architecting for a Successful Site -- What Is the Purpose of Your Site? -- Eleven Steps to Successful Site Architecture -- Downloading Joomla! -- Settings -- .htaccess -- Permissions -- User Management -- Common Trip Ups -- Failure to Check Vulnerability List First -- Register Globals, Again -- Permissions -- Poor Documentation -- Got Backups? -- Setting Up Security Metrics -- Establishing a Baseline -- Server Security Metrics -- Personal Computing Security Metrics -- Incident Reporting-Forums and Host -- Summary -- 2. Test and Development -- Welcome to the Laboratory! -- Test and Development Environment -- What Does This Have to Do with Security? -- The Evil Hamster Wheel of Upgrades -- Determine the Need for Upgrade -- Developing Your Test Plan -- Essential Parameters for a Successful Test -- Purpose of This Test -- Using Your Test and Development Site for Disaster Planning -- Updating Your Disaster Recovery Documentation -- Make DR Testing a Part of Your Upgrade/Rollout Cycle -- Crafting Good Documentation -- Using a Software Development Management System -- Tour of Lighthouse from Artifact Software -- Reporting -- Using the Ravenswood Joomla! Server.

Roll-out -- Summary -- 3. Tools -- Introduction -- Tools, Tools, and More Tools -- HISA -- Installation Check -- Web-Server Environment -- Required Settings for Joomla! -- Recommended Settings -- Joomla Tools Suite with Services -- How's Our Health? -- NMAP-Network Mapping Tool from insecure.org -- Wireshark -- Metasploit-The Penetration Testers Tool Set -- Nessus Vulnerability Scanner -- Why You Need Nessus -- Summary -- 4. Vulnerabilities -- Introduction -- Importance of Patching is Paramount -- What is a Vulnerability? -- Memory Corruption Vulnerabilities -- SQL Injections -- Command Injection Attacks -- Attack Example -- Why do Vulnerabilities Exist? -- What Can be Done to Prevent Vulnerabilities? -- Developers -- Poor Testing and Planning -- Forbidden -- Improper Variable Sanitization and Dangerous Inputs -- Not Testing in a Broad Enough Environment -- Testing for Various Versions of SQL -- Interactions with Other Third-Party Extensions -- End Users -- Social Engineering -- Poor Patching and Updating -- Summary -- 5. Anatomy of Attacks -- Introduction -- SQL Injections -- Testing for SQL Injections -- A Few Methods to Prevent SQL Injections -- And According to PHP.NET -- Remote File Includes -- The Most Basic Attempt -- What Can We Do to Stop This? -- I'm Using Joomla 1.5 so I'm Safe! -- Preventing RFI Attacks -- Summary -- 6. How the Bad Guys Do It -- Laws on the Books -- Acquiring Target -- Sizing up the Target -- Vulnerability Tools -- Nessus -- Nikto: An Open-Source Vulnerability Scanner -- Acunetix -- NMAP -- Wireshark -- Ping Sweep -- Firewalk -- Angry IP Scanner -- Digital Graffiti versus Real Attacks -- Finding Targets to Attack -- What Do I Do Then? -- Countermeasures -- But What If My Host Won't Cooperate? -- What If My Website Is Broken into and Defaced? -- What If a Rootkit Has Been Placed on My Server? -- Closing Words -- Summary.

7. php.ini and .htaccess -- .htaccess -- Bandwidth Preservation -- Disable the Server Signature -- Prevent Access to .htaccess -- Prevent Access to Any File -- Prevent Access to Multiple File Types -- Prevent Unauthorized Directory Browsing -- Disguise Script Extensions -- Limit Access to the Local Area Network (LAN) -- Secure Directories by IP and/or Domain -- Deny or Allow Domain Access for IP Range -- Stop Hotlinking, Serve Alternate Content -- Block Robots, Site Rippers, Offline Browsers, and Other Evils -- More Stupid Blocking Tricks -- Password-Protect Files, Directories, and More -- Protecting Your Development Site until it's Ready -- Activating SSL via .htaccess -- Automatically CHMOD Various File Types -- Limit File Size to Protect Against Denial-of-Service Attacks -- Deploy Custom Error Pages -- Provide a Universal Error Document -- Prevent Access During Specified Time Periods -- Redirect String Variations to a Specific Address -- Disable magic_quotes_gpc for PHP-Enabled Servers -- php.ini -- But What is the php.ini File? -- How php.ini is Read -- Machine Information -- Summary -- 8. Log Files -- What are Log Files, Exactly? -- Learning to Read the Log -- What about this? -- Status Codes for HTTP 1.1 -- Log File Analysis -- User Agent Strings -- Blocking the IP Range of Countries -- Where Did They Come From? -- Care and Feeding of Your Log Files -- Steps to Care of Your Log Files -- Tools to Review Your Log Files -- BSQ-SiteStats -- JoomlaWatch -- AWStats -- Summary -- 9. SSL for Your Joomla! Site -- What is SSL/TLS? -- Using SSL to Establish a Secret Session -- Establishing an SSL Session -- Certificates of Authenticity -- Certificate Obtainment -- Process Steps for SSL -- Joomla! SSL -- Joomla! SSL Method -- Performance Considerations -- Other Resources -- Summary -- 10. Incident Management -- Creating an Incident Response Policy.

Developing Procedures Based on Policy to Respond to Incidents -- Handling an Incident -- Communicating with Outside Parties Regarding Incidents -- Selecting a Team Structure -- Summary -- A. Security Handbook -- Security Handbook Reference -- General Information -- Preparing Your Tool Kit -- Backup Tools -- Assistance Checklist -- Daily Operations -- Basic Security Checklist -- Tools -- Nmap -- Telnet -- FTP -- Virus Scanning -- JCheck -- Joomla! Tools Suite -- Tools for Firefox Users -- Netstat -- Wireshark -- Nessus -- Ports -- WELL-KNOWN PORT NUMBERS -- Ports used by Backdoor Tools -- Logs -- Apache Status Codes -- Common Log Format -- Country Information: Top-Level Domain Codes -- List of Critical Settings -- .htaccess -- php. ini -- References to Learn More about php.ini -- General Apache Information -- List of Ports -- Summary -- Index.