July 6, 2008 12:10am pdt

1. hielo 560,510
2. angelIII 239,510
3. hernst42 187,674
4. logudotcom 147,239
5. routinet 125,772
6. Roonaan 117,254
7. Ray_Paseur 102,871
8. RQuadling 97,246
9. nplib 95,578
10. yodercm 83,534
11. dr_dedo 79,410
12. rowejd 78,843
13. Xyptilon2 74,092
14. bportlock 73,198
15. glcummins 70,470

1. angelIII 824,677
2. hernst42 743,547
3. ldbkutty 688,003
4. Roonaan 645,194
5. hielo 577,435
6. wasifg 504,829
7. RQuadling 479,859
8. snoyes_jw 401,445
9. glcummins 341,783
10. gamebits 306,648
11. steelseth12 302,929
12. i_m_aamir 296,907
13. yodercm 275,770
14. TeRReF 263,550
15. Diablo84 239,472

05.04.2008 at 12:00PM PDT, ID: 23375139

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.9

Does anyone run an Open Source CMS using WAMP where Internet Administration is not allowed?

Zones: PHP and Databases, Apache Web Server, PHP Installation

Tags: Windows 3003, WAMP, PHP security, Apache Web Server, FTP, Joomla!, Enterprise computing

I need advice on showing the IT department how to configure PHP and Apache to secure the servers while allowing Joomla! to function properly. The testing is not allowed access to the Internet (as an example of their fear of hacking). The IT department is using a software development model and business process for web deployment. I need ammunition about security and safety of allowing FTP and other web services as well as Production-based management of the CMS.

I have been given the advice of locking FTP users to one directory that is set for read and write only. That is fine for downloads and uploads but does cause a problem with the way Joomla handles documents (assigning keyword tags) which would not be possible if all users upload to a specific file.

SuPHPExec is my solution (along with upping the memory allocated to PHP from the minimum), but the IT Tech doesn't understand what I mean by running this command even though I have sent instructions where to find it and how to apply it and what the results will be.

So, again, what are some strategies as a webmaster/designer to gain a paradigm shift in the IT department so that I can truly manage and maintain the CMS on the Internet and convince them that WAMP security can be achieved without compromising the functioning of my Open Source CMS (i.e., the ability to download PDFs from links in articles, the ability to comment on articles, trackback comments, syndicate articles via RSS, and so forth--all right now not accessible in the current configuration of WAMP).

Start your free trial to view this solution

Question Stats

Zone: Web Development

Question Asked By: ixchup

Solution Provided By: ahoffmann

Participating Experts: 1

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

05.05.2008 at 01:21AM PDT, ID: 21498682

Rank: Wizard

ahoffmann:

> .. I can truly manage and maintain the CMS on the Internet and convince them that WAMP security can be achieved without compromising the functioning of my Open Source CMS

do you know anthing about CSRF aka XSRF aka session riding?
if not, I recommend that you get used to it, then you'll re-think about above statement, I guess you'll come to the conclusion to forget about securing PHP, then your CMS as it is nearly impossible in WAMP 'cause you need to redisign your application (joomla) with security in mind first ;-)

Probably I misunderstood something in you description, let me know.

05.05.2008 at 01:09PM PDT, ID: 21502601

ixchup:

I'm sorry, but I don't know anything about the acronyms you refer to stand for, but I get the gist of what you are saying: Joomla is inherently not secure because it is on the Internet and interactive. Which is true. But how secure must a website be?

We should be running on Linux, but that is not possible due to corporate policy.

05.05.2008 at 02:15PM PDT, ID: 21503073

Rank: Wizard

ahoffmann:

> Joomla is inherently not secure..
hmm, didn't say that, just that most applications are insecure in some way ..

> But how secure must a website be?
depends on your requirements :)
I'd say that it should secure any data it handles, it should be secure that it could not be used for attacking other (camoulflaging the attacker) and that it should not be possible to deliver any kind of malware to its visitors. Not more, not less :-))

05.05.2008 at 07:49PM PDT, ID: 21504434

ixchup:

I think you are totally right but I guess I am seeking ammunition to convince my IT department who is used to deploying compiled software applications on the web and not allowing the developers to make changes to the production version that web sites, and especially database-driven sites such as are the case with CMS sites, change all the time and it is easier to manage the site from the online Administrator backend than to go through four servers each time some content has to be posted and published or a menu needs to be changed. This is a philosophical issue and paradigm shift but they use the argument of hacking to stop any FTP activity or change to the software once it is in production. This behavior emasculates a dynamic website.

So, your definition of security is right on, but it doesn't give me anything to use to convince a Windows-oriented, software development organization to open up more than port 80 and allow true interactivity on the production server.

But thank you for responding. There is so much to learn, always.

05.06.2008 at 09:36AM PDT, ID: 21508780

Rank: Wizard

ahoffmann:

port 80 is far, far, far and wide open to anything, it's designed to be that way.
And most managers complain if there is something slowing down the traffic there.
If managers care about security, they have to pay for it. That's the rule so far.
Security is process, not a product. That's true for any layer, starting at the hardware (your building) over layer 7 (http to your application) up to unnumberd layers which cover the semantics of your web application (HTML e-mails for example).
So if you're talking about web application security you have to cover all these topics, FTP seems to be the most less importent problem there, IMHO.

Accepted Solution

ahoffmann

05.06.2008 at 11:03PM PDT, ID: 21513473

even my comments are not simple and short (as I usually do:), I hope they help you anyway to get an idea to threats and risks with web applications.
Good luck.

20080236-EE-VQP-29 / EE_QW_Related_20080208