So.. I was checking the subscription stats for http://feeds.joomla.org/JoomlaSecurityNews as I usually do and noticed that finally things are on the improve. We're now starting to see 100's of people each day subscribing either via email or RSS. At this time we have 5145 people subscribed. I'll start to get even more excited when that figure gets into the 10's of thousands.

Obviously this is due to all the help the community is doing to share this link and encourage others to subscribe. We've also added this option directly to the Joomla download page as was suggested by a community member (well, something similar).

Thanks again everyone, and keep up the great support. Joomla wouldn't be as popular as it is without all of your help. 

PS Don't forget to subscribe other areas of the project, see: www.joomla.org/rss.html

Earlier today, a rather prominent third party company (who have traditionally been involved with and supported Joomla) openly revealed details about a potential Joomla security vulnerability by posting it on their site.  I will not do the company justice by posting who they are or by publishing a link to their site.  It's incredibly disappointing, and disturbing that these developers (two of which had official positions) did not try follow the established procedure (or even a moral approach), but resorted to posting the vulnerability publicly and with an incorrect fix.

About the vulnerability

About two weeks ago, the aforementioned developers submitted a report to the Joomla! Security Strike Team detailing the potential vulnerability.  In accordance with our security response protocol, we engaged in discussion with the third-party developer, and determined that the issue was not of a critical nature, and did not warrant an accelerated release.  We were able to confirm the issue and determined that it would be fixed in 1.5.8 when it finished its normal cycle.  After consulting with the respective Joomla teams, we determined that since the "issue" is completely internal (a potential attacker must be an author or higher) it is not of a "critical" nature.

The post also mentions that they submitted the bug to the Joomla 1.5 bug tracker and that it was removed.  It is our policy that security issues are taken out of public view when they are published in the public tracker or on a public forum.  This is a responsible stance which is also followed by many other projects.  The company did in fact post to the tracker, and it was removed per our normal operating policy.  Disappointingly, the company had already publicized the vulnerability to their own mailing list prior to posting the issue on the tracker.  This was in direct contradiction of our belief in the need for discretion and professionalism when dealing with security issues, which cannot be overstressed.

About the "fix" they provide

First of all, applying third-party patches is never recommended.  It is always advised to either wait for either an official emergency patch or an official release that addresses the issue. 

In this case, the third-party developer removes a key feature that allows a site to protect itself from various malicious attacks.  This suggests a complete lack of understanding of why the feature was added in the first place.  Applying an unofficial patch could expose your site to unknown dangers.  If your site is subsequently hacked/defaced as a result of any third-party patch, we cannot help you. It's also important to keep in mind that these types of unauthorized patches circumvent the ability for the Joomla Project to properly support Joomla.

About their viewpoints

An irresponsible thing to do

Publicizing security vulnerabilities is nothing short of irresponsible. It is completely misguided to presume that publicizing any vulnerability forces the project to act. In this instance, the Joomla Project was aware of the issue and had determined the appropriate response with the best interest of the community in mind. Even a philosophical difference does not justify putting potentially millions of Web sites at risk. We have ZERO TOLERANCE for this kind of behavior.  The members in question have been removed from their respective Joomla positions.  It's saddening that it had to come to that, but we must take a firm stand against such irresponsible acts.

Generally speaking, people in the community are highly supportive of the Project. Unfortunately, this company isn't one of them (and on multiple occasions this has shown to be true). We'll probably never know what motivates people to act in such a manner.

In conclusion

I have mentioned before that its sometimes a challenge dealing with Joomla registrations issues. I have had particular problems with Joomla Confirmation emails to hotmail and aol, specifically, the emails get caught in spam filters and the users never get the confirmation email.

So I was especially interested to get a Jakob Nielsen's Alertbox about Transactional Email and Confirmation Messages, e.g. confirmation emails Joomla sends out.

Let's take a look at what he says and c [...]

Not that long ago, I posted on this subject with my blog: Hosting providers - Isn't it time? It was nice to see in the comments that some providers actually took on board the free advice and took steps to better secure their servers.

However, by and large it seems still, far too many hosting providers just do not care about security. This is not the place to name and shame them, but I'm talking about huge hosting providers still running outdated installs of php4 for example. 

Further, one of the most common responses hosting companies give to the users when their site is hacked, is "It's Joomla's fault". How illogical it this for example, when the user is running Joomla 1.5.0 (an out of date version that was patched long ago)? If you are a host and one of your clients sites is hacked, think before you lay blame. Why do so many of you automatically blame Joomla and not the client who never kept their site updated?

If you want to make a difference, educate yourself with an hour or so of you time and find out how simple it is to keep up to date. Don't you want smarter users, who run more secure websites and thus reduce your support time cleaning up phishing scams, spam mailers and hacked websites?

Maybe publish our security feed somewhere on your site, do you know the link?: http://feeds.joomla.org/JoomlaSecurityNews Subscription via email is also available from that page.

As I recently posted in the Security Forum "Security is very important, but seriously it's not that hard." This applies both to Joomla as well as the hosting setups that people run.

So join me as we sing together:

- "php4 is no more, we don't run it at all!"

- "suphp is for me, especially when I want security!"

- "backups are my friend, we take them even on the weekend!"

- "we keep our software up to date, vulnerabilities are what we hate!"

Finally. You don't have to listen to me, afterall, what would I know, you may say, however, next time a user posts about their sites being compromised due to a poor hosting configuration you might lose a customer when someone points out that the blame may in fact lie with you, their host and not with Joomla at all.

Some time ago, I posted my answer to the eternal question, Should I use Joomla 1.0 or 1.5? Now there is another factor to consider, Wilco Jansen recently posted on the Developer Team Blog the actual date when Joomla 1.0 would stop being supported with updates, July 22nd 2009.

"As of July 22, 2009, the Joomla 1.0.x series will no longer be supported."

Although that seems a long way into the future, its actually only 9 months.

You can read more about the post at [...]