NYCPHP Meetup

NYPHP.org

[nycphp-talk] Debugging Remote Problem - Solved

Mitch Pirtle mitch.pirtle at gmail.com
Wed Feb 22 12:53:34 EST 2006


On 2/22/06, csnyder <chsnyder at gmail.com> wrote:
> What are you preventing, then, by checking the IP address? Cross-site
> scripting attacks, where the attacker is on another network. That's
> pretty big, but you can't assume that all attacks will originate on a
> separate network.

As you stated earlier in your response, this is just one layer of the
security onion. We've also incorporated quite a few enhancements to
the 1.1 session class. There is no one quick fix to the problem, and
that is why we decided to tackle the challenge with a variety of
approaches.

We just did an internal security audit of 1.0.7, and the upcoming
1.0.8 is the result of that. I've asked several times if any FOSS
security aficionados wanted to participate in a security audit of
Joomla code (even asked back in the Mambo years) but alas, no takers
to date. (hint, hint)

I'd like an external entity to take a look, as we are too familiar
with our own code, and when you stare at the same thing every day you
manage to stop noticing the cracks and imperfections on your own.

--
Mitch Pirtle
Joomla! Core Developer
Open Source Matters
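As an added illustration of the point being discussed, here is a minimal PHP session guard that binds a session to the client's IP address and User-Agent as one layer against session hijacking. This is example code written for this page, not Mitch's, Joomla's, or Mambo's code; the function names `session_fingerprint` and `secure_session_start` are invented for the illustration, and the cookie parameters are assumptions about a reasonable baseline.

```php
<?php
// Added example, not from the original message and not Joomla's session class.
// Binds a PHP session to the client's REMOTE_ADDR and User-Agent as one layer
// of defense against session hijacking. Function names are hypothetical.

// Build the fingerprint the session is bound to.
function session_fingerprint(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . "\0" . $ua);
}

// Start (or resume) a session and verify it still belongs to this client.
// Returns true if the session is valid, false if it was discarded.
function secure_session_start(array $server): bool
{
    // Assumed cookie baseline (PHP 7.3+ array form of session_set_cookie_params).
    session_set_cookie_params([
        'httponly' => true,                   // not readable from document.cookie
        'secure'   => !empty($server['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();

    $fp = session_fingerprint($server);

    if (!isset($_SESSION['fp'])) {
        // Fresh session: issue a new ID so a pre-set (fixated) ID is not kept,
        // then bind the session to this client's fingerprint.
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
        return true;
    }

    if (!hash_equals($_SESSION['fp'], $fp)) {
        // IP or User-Agent differs from the one the session was bound to: drop it.
        $_SESSION = [];
        session_destroy();
        return false;
    }

    return true;
}

// Usage at the top of every request:
// if (!secure_session_start($_SERVER)) { header('Location: /login'); exit; }
```

The check only helps when the hijacker reaches the application from a different source address. A stolen cookie replayed from the victim's own network (or from behind the same NAT, or with a copied User-Agent) passes it, which is why it is one layer among several rather than a fix on its own; legitimate users whose address changes mid-session (mobile networks, rotating proxies) will also be logged out, so the trade-off should be a deliberate one.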


