The Anatomy of a Security Breach

“Joomla!” had an extremely serious security issue arise earlier in the week. I’m pretty deeply involved in the project, and I happened to be on the Bug Squad chat when the news broke. The issue was not a SQL injection problem, as many sources have assumed but reported as fact. Ironically, it had to do with defeating a session security feature. The security problem was a programming error. “Joomla!” goes through extensive procedures to defend against SQL injection, and from version 1.5 onward, such a vulnerability in the core code is highly unlikely. [Extensions are another matter. I strongly recommend that users only install open source extensions that have either been audited or that have broad community support.]

Even though this problem caused a fair bit of damage, I’m very proud of how the “Joomla!” team responded to the problem. This was a worst-case scenario: the exploit was published with no advance notification, and it was dead simple to implement.

The first we heard of it was a post on the Dutch “Joomla!” forums. One of the Bug Squad team mentioned this in chat on August 12th at 15:50 EST. We immediately took steps to verify the issue, and then once confirmed, to remove the details from the forum post. A patch was made available for testing at 16:10. A full package release was made available for testing at 18:19. Announcement of the release was made at 18:57, and by 19:40 update packages were also available. That’s three hours and 50 minutes from report to full public release. If that’s not a record I’ll be surprised.

What is distressing is that a large number of security-focused sites reported this as a SQL injection vulnerability, along with a variety of other erroneous or misleading information. Almost a week later, many have corrected their errors, but several have not. Considering that the “Joomla!” team responded so quickly, and that complete information was posted as the first item on the web site before the exploit became widely known, this suggests that many of these sites simply repeated each other’s misinformation, rather than taking even the smallest steps to verify the report.

Granted, a sample size of one event is not sufficient to draw conclusions, but if this is any indication of how “trusted” security information sources behave, then it is no wonder that the whole security field has a serious credibility issue. These kinds of reports are extremely serious matters, with a lot of potential for damage. Certainly the timeliness of information is critical, but hopefully not at the expense of accuracy. The security community has a deep obligation to perform the simplest verification of facts before rushing to publication.

Paris Hilton Gives Republicans a Lesson in Internet 101

I kind of like Republican presidential candidate John McCain — as a person. He seemed to have great personal integrity until last week, when his campaign started running attack ads against his Democratic opponent, Barack Obama.

Unfortunately for him, this ill-advised manoeuvre seems to have been engineered by a bunch of old dinosaurs who are completely out of touch with the reality of the Internet. I guess nobody told them that big television advertising dollars no longer get you exclusive access to the attention of the populace. Oops.

The McCain ads sandwiched Obama’s image with those of Britney Spears and Paris Hilton, deriding him as a mere celebrity, not ready to lead. I’ve always maintained that Ms. Hilton plays her public image as a lot dumber than she really is (don’t get me wrong, I’m not giving her a Rhodes Scholarship either), and this week Paris Hilton shot back at the use of her image in that ad.

Analysts have said that the main advantage of the McCain ads was that they got widespread news coverage, and that having segments of them lead the news gave them huge extra exposure at no cost. Unfortunately for them, it looks like Hilton’s spoof, likely shot for a few tens of thousands of dollars and featuring McCain being referred to as “wrinkly white-haired guy”, is going to get almost as much exposure.

In general, I think attack ads are crass and desperate (particularly when run by a party that is in power outside an election, but that’s another post entirely), and it’s good to see them backfire. The only real downside of this parody is that there will probably be an embarrassingly large number of ballots filed in November with Paris Hilton as a write-in candidate.

To conclude, here’s the Internet 101 summary for anyone contemplating an attack ad:

In a wired world, be careful about where you lob the muck. It’s a lot easier to fight back than you think.

In Search of an Application Framework: PHP GTK Python XULRunner

Lately I’ve been thinking about starting yet another project. This one needs a rich GUI that runs as a thin client, as well as more limited support for a web browser (or so I thought initially). I’ve gone through a bit of an eye-opening exercise while looking at the implementation, and I thought I’d record the line of exploration just in case someone else is looking at the same sort of problem. Maybe this will save a little time.

The original idea was to replace an interesting but quirky application that will remain nameless. It’s a fairly large project that implements its own thin client. As I started looking at it, I realized that a lot of what it does is more related to providing the application framework than the application itself. Sometimes I still suffer from the closed-source way of thinking, and I soon began listing requirements for my own framework. A few minutes into defining my XML markup for laying out simple interfaces, I remembered that there is already a pretty good standard for that: XUL.

At the time I was thinking of using GTK+ for the GUI. I’ve grown somewhat fond of various GTK+ applications that I’ve installed over the years. These applications have offered nice rich interfaces and have been pretty reliable. A lot of them are written in Python, and the bridge between GTK+ and Python, PyGTK, seems stable and well documented. On the other hand, Python is a little quirky and at this point I can churn out PHP code faster than anything else; perhaps PHP-GTK is the way to go.

The search is for something that lets me bridge XUL and GTK, be it in PHP or Python. This leads me to Gul, a fairly complete implementation of XUL for PHP-GTK.

Let’s try adding the GTK to PHP. I go to the PHP-GTK site and try to figure out whether to download the binary package or the binary extensions package, read confusing and incomplete install notes, search about a bit, and as best I can tell, the easiest way to run PHP-GTK on Windows is to install a complete copy of PHP with the GTK extensions. This truly fails the cross-platform and easy-to-install tests — I can manage it, but an end user? No way. Then I take a look at Gul 2.0: lots of procedural code that relies on passing things through obscure globals with two characters. Next!

On to Python. Searches for XUL and Python lead, at best, to half-developed projects dating from 2004. Not good. Now the thinking is that maybe a fairly basic XUL module for Python won’t be that much work. I look more deeply into XUL. Obviously, it’s pretty capable; after all, it’s the base for Firefox and Thunderbird. But this makes the scope of a full implementation quite a lot bigger than I’d like.

Maybe there’s something in XULRunner. Wow. It doesn’t take much looking around to realize that XULRunner is pretty compelling. It’s obviously got the GUI with a full XUL implementation. It’s got scripting in JavaScript, Python, even Java. It has network interfaces and support for XML-RPC and SOAP. It’s extensible: all the features that make it easy to plug extensions into Firefox are part of XULRunner. It’s got localization and custom skins. It’s got an integrated web browser. That’s about 90% of the core requirements and several bonuses right there.

Now the kicker: if you have Firefox 3.x installed, then you have XULRunner installed. Firefox knows how to do its own updates, which means the framework updates seamlessly too. Perfect.

So that’s it. Forget GTK+, nice as it is. XULRunner is a fantastic way to do GUI application development.

Now all I need is a good way to map objects back to a relational database…