[jvel] remove .htpasswd

[jessicadunbar]

Remove the .htaccess from the administrator area so we can retrieve version info

[btoplak]

Jessica, added level of security is exactly why htpasswd is in place. Not directly to hide the version number, but it's a good side effect. Thank you for taking care about the J! version, but rest assured that Vulnerable Extension List team won't allow vulnerability on it's own website ;)

[mbabker]

The VEL site is the only live domain on the .org network which is not allowing us to monitor its status on things such as the currently installed version. The added security is fine, but no domain on the .org network should be so locked down that only its admins can access it or the leadership team be unable to monitor the site.

[btoplak]

@mbabker regarding "not allowing us monitoring" statement, up until this ticket no one officially asked about any monitoring access AFAIK. We can work out many solutions to allow monitoring to authorized teams, without removing any current or future security measures in place. Just send an email. The readme says security related stuff isn't to be discussed here ;)

[Radek-Suski]

Sorry but I simply could not resist, I would expect from someone who is part of somehow security related team to know that .htpasswd is by far not a security measure for crying out loud.

[btoplak]

@Radek-Suski well, I'm glad you didn't resist, I appreciate a good discussion. So let's share those thoughts in hope to clear out some misunderstandings and misconceptions :

• HTTP Authentication methods and/or Apache implementation of it (aka "htpasswd"/"modauth*") AREN'T unsafe - given they're implemented correctly! There is a lot of fuss (on a level of urban legend) about any of those (often mixed up) being easy to circumvent. People talk about things they don't understand completely, people read blog posts they find, people spread urban legends. Yeah, nothing new ... but people please, be wiser than going out screaming something is bad just because "he said/she said" fuss
• if you think you can "hack it in seconds", go ahead but don't forget to inform us beforehand if your IP doesn't say "Radek demonstrating his HTTP Auth kung-fu mastery". Any unauthorized fiddling could be reported to CERTs, we take our web's security seriously :innocent:
• a Bonus question: are you sure this HTTP Authentication is generated from htaccess/htpasswd file at all? :stuck_out_tongue_winking_eye:
• preventing scooping into VEL website's files, or accessing them is not "security through obscurity" as someone has called it on Twitter, not in real (bad) sense of that term. One should recognize the difference between "security through closed source code", which we know Joomla isn't, and hiding all the unneeded information from the prosper attackers, be it script-kiddie or professional. Any serious security hardening guidelines will suggest that you should prevent version information leakage as much as possible. There is no reason to expose that information, but it's very useful for an attacker, so you shouldn't. Those measures are a standard security defense against "fingerprinting" methods. First thing an experienced attacker would do is a reconnaissance (military ppl know that) - get as much information about all used software versions, in hope to find a vulnerable spot. If they don't find it fast enough they will have to try harder, or just go for an easier target. Joomla's publicly available manifest files make it sooo sweet & easy to fingerprint and find a known vulnerable spot (not just the core). So, it's not wrong or shameful to hide the unnecessary and potentially dangerous information - I think it's omission not to do it. Attackers will know how to use it against you in a weak 0-day moment. Any Joomla should be secure regardless of whether that information stays secret or not (if upgraded), but I won't do the attackers any favors by exposing it. The only time when security through obscurity is bad is when it's the only security you bet on. http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch03_09.htm
• And now back to the main reason of HTTP Auth - backend files access protection. No one unauthorized should have access to backend files, and it makes sure they don't. I think it's a valid point enough, no discussion needed.

@ every developer even slightly interested for websec - learn how HTTP Auth works and how to use it securely and effectively. If someone doesn't understand the HTTP Authentication and Apache HTTP configuration options, or doesn't have a trustworthy source of instructions how to do it - (s)he shouldn't implement it. But making ignorant claims and mocking other people publicly based on that misapprehension, it's unprofessional and just damages your reputation and respect towards you.

[Radek-Suski]

Facepalm. Long time I saw this amount of arrogance and ignorance. Please remove the so called security measure because there are people caring indeed about the security and you are arguing instead of cooperating.

[jessicadunbar]

All Joomla web properties need to make sure there is access to the following file on its server. administrator/manifests/files/joomla.xml If the Joomla! site you are managing blocks /administrator with .htaccess, please take action to correct. This blocking is causing the site status check to fail on the master list of Joomla websites. Please allow this file exception ASAP or the exception will be made regardless.

@mbabker Let me know how you want to proceed.

[brianteeman]

Clearly from the above lecture the Joomla project is managing all the web sites badly and leaving them wide open to zero day attacks. Please immediately add .htpasswd to all the joomla web sites. It is crazy that we are doing nothing about basic web site security and as you have so eloquently highlighted all the other Joomla web sites are vulnerable

[btoplak]

@Radek-Suski Disappointing to see your reaction. No arrogance was intended, irony would be the word. I was challenged and mocked about on Twitter, I hoped I have the right to state my claims. Ignorance? Now confirmed...

If discussion is avoided, can you at least be so kind and provide a proper answer about why and on which point am I so wrong? Or am I not allowed to ask, or not worthy of the explanation?

Why on earth should manifest be available in the public to everyone, if only one (internal) app needs it? I suggested that the official teams find the best solution, in private. Or only the Readme says security matters shouldn't be discussed in public.

@jessicadunbar I'm not the team leader here. And I am not speaking in the name of VEL team, just my personal. Correct me if I'm wrong, but there are some official channels of communication, right? And some official information & orders distribution.

Please allow this file exception ASAP or the exception will be made regardless.

Did someone mention arrogance?

This sound to me like another bullying in the Joomla world, now about a single file. And if you are going on another spree, at least there are some bigger teams than ours that you could start with: https://extensions.joomla.org/administrator/ ...

The VEL site is the only live domain on the .org network which is not allowing us to monitor its status

Excuse my ignorance, but I'm just wondering how you are getting their site's info then?

(JED team, hope you can give some additional thoughts)

[btoplak]

@brianteeman I'm sure not all will share my point of view about security. And I think every team should have the right to do their best to protect their subdomain. Everyone chooses their line of comfort. That's by far not the same as stating all websites are vulnerable.

I gave suggestion about alternative manifest exchange methods, so everyone is happy.

[brianteeman]

@btoplak you didnt read what I wrote

[btoplak]

I did, and I am surely not trying to say what you imply I am.

[btoplak]

Btw if you're all so eager about kicking me or JED/VEL team about HTTP Auth being sooo bad and useless idea, you can go to one admin tool author, which you all well know, and complain about the tool's top 5 features being a scam. Facepalm

[mbabker]

Whoa, cool it. Let's clarify some things quickly:

• The Joomla project uses a chosen tracking solution to monitor data on websites, to include the server they are deployed to, PHP and MySQL version (checked and logged manually), and the site's version (queried via the manifest file in the case of the CMS) if it is exposed via an HTTP call in some way; the docs wiki, issue tracker, Framework website, and forum software do not have this exposure so versions are manually checked and updated
• All sites should enable this monitoring which is shared with project leadership and site admins (and yes, if given a @*.joomla.org e-mail, access will be granted to those who do not already have access and should); sites that block this data should fix this; since we want to be tattle tells on the subject, by my count we are missing data from the JED, Magazine, and VEL (and apparently the abandoned template project, why's that site still online anyway!?)
• If we really want to start airing the dirty laundry of how .org is managed, this isn't the forum to do it, and quite frankly I'm aware of enough issues that would make any serious system administrator or hosting provider scream

So if we're done having an ego contest, how about working TOGETHER (isn't that WTF Joomla's name is based on) and getting :hankey: figured out for everyone's sake.

[btoplak]

@mbabker :bow: I bow. Ego button :cool:

It would make my mini-me very happy if we would find a way to fetch VEL manifest offline and I am ready to help as much as I'm allowed.

[Radek-Suski]

@btoplak I am not going to discuss about effectiveness of .htpasswd as a hack protection because it is nearly non-existent. The issue is that you clearly missing one point:

And I think every team should have the right to do their best to protect their subdomain.

This is not your your subdomains this is project subdomain. We are in process to clean up the whole mess and nobody else is being as difficult as you are.

[btoplak]

@Radek-Suski I additionally emphasized one sentence in my HTTP Auth post which is significant. My whole point was the method can be ineffective if configured improperly, and unfortunately many posts on the web give bad advice and vulnerable config suggestions.

.. removed

I wasn't trying to be difficult, I took the liberty to state my point of view. End of another sad subject and time wasted. I'm only a volunteer in one of the teams and forum, I am here because I love Joomla and not to promote my business. So I think I don't pose problem to anyone.

P.S. @brianteeman if I misunderstood your post thinking it was sarcastic, but it wasn't meant to be, I apologize for the misunderstanding

(edited out some stuff I'll keep for myself)

[Radek-Suski]

I have no words anymore

[mbabker]

Unless we're going to start doing something useful, stop posting on this thread...