Open Source Web Apps and Updating

Written by Ken Task
Thursday, 29 July 2010 18:44
Qualys, a security company, has released a small Python-based script called "BlindElephant" for fingerprinting trouble in web apps, specifically the most popular open source web apps such as Drupal, Moodle, Joomla, phpMyAdmin, as well as WordPress.
See the Qualys charts in the article (Ref below): 'Only one - WordPress - reduced critical vulnerabilities to the low level of 4 percent.' The reason: WordPress has a built-in updating system, making it easier for those who administer a WP blog to update. Unless I'm mistaken, the ability to update WordPress from inside WordPress hasn't always been around and is a recent addition. Serendipity blog is one that has had updating from within for a long time now. The newer version of Drupal has the same.

For K12 ISDs this is important, for many times the folks that normally do server administration are increasingly entrusting app admin to either a few campus techs or even teachers. It's not fair to them IF they are NOT informed that updating is now their responsibility, OR if they are not provided a tool with which they CAN easily update. That is one thing missing in core Moodle and Joomla … notice the word 'core', which means 'default install'.

In Joomla there is an add-on for updating Joomla from within Joomla. Many who run Joomla sites just haven't found the extension, nor have it installed. Here's a link where one can acquire it: http://sos.tcea.org/jinstalls/com_jupdateman_151.tgz

You can install it in your Joomla by logging on as the Admin user to the backend. Then go to: Extensions -> Install/Un-install. Under 'Install from URL', copy and paste the URL above, then click Install.

I advise doing the patch install rather than the full install when using the UpDate Manager for Joomla, as the patches are smaller in size. It's easy to use and has been reliable. The ONLY time I've seen issues with it relates to ISD filtering systems. Should NOTE that this component will only update CORE Joomla. 3rd-party add-ons have to be investigated, although some now have updaters in their control panels as well. Recently I have been investigating JFusion, and it has a button for updating itself (there are others, and this is a feature which should be considered when installing any add-on to a Joomla CMS).
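The argument so far is that whoever has been handed app administration needs to know what is installed and whether it is current. As an added example (not code from the original post, and unrelated to Qualys's BlindElephant), here is a small Python inventory script that reads the version file each application ships, on the server itself, and flags installs that fall behind a table of current releases the administrator maintains. The version-file paths, the PHP variable names and the 'current' release numbers are assumptions made for illustration; check them against your own installs before relying on the output.

```python
"""Inventory installed web-app versions and flag the ones that are behind.

Added example, not from the original post.  The file paths and variable
names below are assumptions about the 2010-era layouts of WordPress,
Moodle and Joomla 1.5; verify them against your own installs.
"""
import re
import tempfile
from pathlib import Path

# One probe per application: the version file relative to the install root
# and the regex(es) that pull the release out of it.
PROBES = {
    "wordpress": ("wp-includes/version.php",
                  [re.compile(r"\$wp_version\s*=\s*'([^']*)'")]),
    "moodle": ("version.php",
               [re.compile(r"\$release\s*=\s*'([^']*)'")]),
    # Joomla 1.5 splits the release over two class members,
    # e.g. RELEASE '1.5' and DEV_LEVEL '15' -> 1.5.15 (assumed layout).
    "joomla": ("libraries/joomla/version.php",
               [re.compile(r"\$RELEASE\s*=\s*'([^']*)'"),
                re.compile(r"\$DEV_LEVEL\s*=\s*'([^']*)'")]),
}

# 'Current' releases are whatever the administrator last recorded.  These
# values are constructed placeholders, not a statement about real releases.
CURRENT = {"wordpress": "3.0.1", "moodle": "1.9.9", "joomla": "1.5.20"}


def version_tuple(release):
    """'1.9.9 (Build: 20100615)' -> (1, 9, 9); any non-numeric tail is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", release.strip())
    if not m:
        raise ValueError(f"no numeric version in {release!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def extract_version(app, text):
    """Return the release string for `app` from its version file contents, or None."""
    _, patterns = PROBES[app]
    parts = []
    for pat in patterns:
        m = pat.search(text)
        if not m:
            return None
        parts.append(m.group(1))
    return ".".join(parts)


def scan_install(app, root):
    """Read the version file under `root`; None if it is missing or unparsable."""
    rel_path, _ = PROBES[app]
    path = Path(root) / rel_path
    if not path.is_file():
        return None
    return extract_version(app, path.read_text(encoding="utf-8", errors="replace"))


def status(app, installed):
    """'current', 'OUTDATED', or 'unknown' when no version could be read."""
    if installed is None:
        return "unknown"
    behind = version_tuple(installed) < version_tuple(CURRENT[app])
    return "OUTDATED" if behind else "current"


def report(installs):
    """installs: {name: (app, root)} -> sorted list of (name, app, installed, status)."""
    rows = []
    for name, (app, root) in sorted(installs.items()):
        installed = scan_install(app, root)
        rows.append((name, app, installed, status(app, installed)))
    return rows


# Constructed version files mimicking each app's layout, so the example runs
# offline against a throw-away directory instead of a real server.
SAMPLE_FILES = {
    "blog/wp-includes/version.php": "<?php\n$wp_version = '2.9.2';\n",
    "lms/version.php": "<?php\n$version = 2007101590;\n$release = '1.9.9 (Build: 20100615)';\n",
    "cms/libraries/joomla/version.php":
        "<?php\nclass JVersion {\n\tvar $RELEASE = '1.5';\n\tvar $DEV_LEVEL = '15';\n}\n",
}


def build_sample_tree(base):
    """Write SAMPLE_FILES under `base` and return the install table to scan."""
    for rel, text in SAMPLE_FILES.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    return {"blog": ("wordpress", Path(base) / "blog"),
            "lms": ("moodle", Path(base) / "lms"),
            "cms": ("joomla", Path(base) / "cms"),
            "old-forum": ("joomla", Path(base) / "missing")}  # no version file


def run_demo():
    """Build the sample tree in a temp dir and return the report rows."""
    with tempfile.TemporaryDirectory() as tmp:
        return report(build_sample_tree(tmp))


if __name__ == "__main__":
    for name, app, installed, state in run_demo():
        print(f"{name:10} {app:10} {installed or '-':28} {state}")
```

Run as-is, the script reports the WordPress and Joomla samples as OUTDATED, the Moodle sample as current, and the install whose version file is missing as unknown; on a real server, replace `build_sample_tree` with the actual install roots and keep `CURRENT` updated from each project's release announcements, since the script only knows what the administrator tells it.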
Moodle is not there yet … and I've NOT seen anything in Moodle 2.0 which will address the issue. However, the BEST (IMHO) way to assure Moodle is up-to-date is CVS (Concurrent Versions System). NOTE: I read that Martin himself prefers CVS updating a Moodle over the 'long method', and that's how Moodle.org updates its own site (when was the last time Moodle.org was down or unavailable?). The first time one does a CVS update of a Moodle, it has to be done via the command line: http://moodle.tcea.org/index.php/moodle-tips-mainmenu-35/92-why-updating-moodle-via-cvs-is-the-better-way-to-go-

BUT, thereafter, with a little scripting and the use of Webmin, updating a Moodle CAN be accomplished by simply clicking a button. See the same link above: http://moodle.tcea.org/index.php/moodle-tips-mainmenu-35/92-why-updating-moodle-via-cvs-is-the-better-way-to-go-

Dunno that anyone would be interested, but I've found a way to update Moodles via CVS using a web browser on Linux boxen. It does require some re-config of Apache (nothing really guru-ish) and some bash shell scripts for CVS updating Moodle. It does work … the screen snaps below are the proof. http://moodle.tcea.org/updatemdlviaweb/

Ref: http://news.techworld.com/security/3233690/open-source-web-apps-often-insecure-new-tool-discovers/
BlindElephant Info: https://community.qualys.com/docs/DOC-1351
BlindElephant PDF from BlackHat 2010: http://sos.tcea.org/docs/BlindElephant-BlackHat-2010.pdf
BlindElephant Download: http://blindelephant.sourceforge.net/