• A Few Basic Security Rules

    If a person follows these few simple rules the majority of site hacks will not happen.

    1.) Use a decent hosting provider. Cheap is not necessarily bad, and expensive is not necessarily good. Do your research. Take a few minutes to search for and read comments and reviews left by other users.

    2.) If you don't need it for your site's functionality, don't install it. If you do need it for your site's functionality, take a few minutes to search for and read comments and reviews left by other users of that software, to make sure you're not getting more than you bargained for by installing it.

  • JACC 3.0.3 - XSS (Cross Site Scripting)

    JACC (Just Another Component Creator) 3.0.3 - r199, XSS (Cross Site Scripting)

    Note that the vulnerability affects the Joomla components generated using this extension, rather than the extension itself.

  • What Does A Security Release Notice Look Like?

    One of the requirements for getting your vulnerable extension marked as resolved is that you publish a security release announcement on your website. However, we have noticed that developers often have trouble understanding what this means.

    So what does it mean? We do not have a standard format for this; however, we do ask that any reasonably intelligent person reading the notice would understand that there is a new version available, that it is a security release, and that users need to update. Moreover, this information should not be buried at the bottom of a page listing all the wonderful features of your extension. You can see a good example here for Joomla. You will note the use of the eye-catching graphic. You will note also that the very second sentence says:

    This is a security release for the 3.x series of Joomla! This release fixes two low level security issues.

    The combined effect is that the reader will be in no doubt that it is a security release.