Template Vulnerabilities on the security vulnerabilities list?


Brad Baker

Dec 7, 2009, 3:29:34 PM
to joomla-wg...@googlegroups.com
This is the list Claire, Pierre, PhilD (and others) are maintaining (with input from others): http://docs.joomla.org/Vulnerable_Extensions_List
I think it's quite appropriate to also list template vendors' vulnerabilities such as this one: http://forum.joomla.org/viewtopic.php?f=432&t=467581

Just also wanted to use this as a thanks to the people maintaining this list for their initiative and contributions. If you see any of them around, be sure to thank them too.


-----
Brad Baker
Twitter @xyzulu
The Joomla Community: community.joomla.org

Brad Baker

Dec 8, 2009, 11:05:44 PM
to Joomla! Community Working Group Leadership
What do you think of setting up a Feedburner feed of changes to this
page we are maintaining now? That way, even if this list gets moved
to JED sometime, the actual feed URL will be unchanged.

Pierre Gazzola

Dec 8, 2009, 11:19:50 PM
to Joomla! Community Working Group Leadership
Hello Brad!

Excellent idea, the more exposure the better. My only concern is it gets
buried deep within the joomla.org web site. Have you ever found any RSS
feed easy on joomla?

If a menu could be linked to all feeds then we would have users
subscribing to it.

I do not want to sound negative on the web site. Maybe a news release
about the feed may help.

The way I do it on IRC, the bot pulls any new news from the RSS feed.

Brad Baker

Dec 8, 2009, 11:25:36 PM
to joomla-wg...@googlegroups.com
Something like http://feeds.joomla.org/3rdpartysecurity or http://feeds.joomla.org/JoomlaSecurityNews3rdParty ?

--

You received this message because you are subscribed to the Google Groups "Joomla! Community Working Group Leadership" group.
To post to this group, send email to joomla-wg...@googlegroups.com.
To unsubscribe from this group, send email to joomla-wg-commu...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-wg-community?hl=en.


Pierre Gazzola

Dec 8, 2009, 11:30:38 PM
to Joomla! Community Working Group Leadership
Yes, those are the ones I pull from and warn users :)

The more the better for them. Not sure of a poll of new users, however from
IRC we see 10 a week, so past 2 months that makes many not informed, right?


Claire Mandville

Dec 9, 2009, 8:16:51 AM
to Joomla! Community Working Group Leadership
My fault for being in a different TZ and meetings.
At the moment, I have created a test list for templates at
http://docs.joomla.org/Vulnerable_Templates_Reports as the discussion
of "is a template a vulnerable extension item or not"
then it has to be decided if we make a separate template list, as most
users see a template as being a non-extension/non-component item.
This would also apply to modules and plugins and not components (hope
we don't confuse people with these interchangeable terms!)

Regarding the news feed, it seems most people feed from the recent
changes on the docs.joomla.org wiki via http://docs.joomla.org/index.php?title=Special:RecentChanges&feed=rss
which does produce a lot of junk.
Obviously a separate community.J section could be set up where updates
are posted, or tied in with the JED if they feed from the VEL for
updates we find and report (and vice versa). Especially if there is an
option for "vulnerable" in their report options.

So this simple list could effectively alter the way that 3 or 4
different areas of the joomla.org site work. Docs where we report,
JED for the reports if listed on the JED and providing a possible
feed, or the community.j site if placed on there for reporting to the
community in general.

And of course there is also the twittering etc.

So there's my side of things..

The only question next is, how sloshed was I when I started this
project? I suppose we better start a FB "Fans of the VEL" group next.

Claire Mandville


Brad Baker

Dec 9, 2009, 2:26:24 PM
to joomla-wg...@googlegroups.com
If we can create a feed it can far more easily be shown on one of our sites. All I need is an RSS feed, and I can convert it to a feeds.joomla.org link that will stay the same, despite being able to adjust the "real" RSS feed at any time.


Claire Mandville

Dec 9, 2009, 6:20:12 PM
to Joomla! Community Working Group Leadership
AFAIK the only feed you can get is from the "recent changes", warts/
spam and all.

I am not sure how we can turn the list into a feedable item, unless a
separate security/vulnerable forum was created that the forum could
feed to/from.
Write access to that may need to be restricted to a certain group etc
but read access for the general public. I am not sure how that would
relate in the real world.
The other option is to take a feed from possible vulnerability
articles on the community site blogs/articles, as it's not really a JSST
core vulnerability being discussed, but at a stretch a developer one
if you follow my thinking.

But as the JSST feed is not that often, could it be placed on there? It
still depends where it's coming from though! uggggh!

Claire


Brad Baker

Dec 10, 2009, 6:08:31 PM
to Joomla! Community Working Group Leadership
You give me a source feed (it can change anytime you want it to) and I
can give you a feed URL that we can use that doesn't need to change
(keeps people who subscribe happy).

Claire Mandville

Dec 10, 2009, 9:09:37 PM
to Joomla! Community Working Group Leadership
Hi
I think that it's boiling down to this.

Discounting the WIKI recent changes feed, as that is full of junk
(sorryyyy),
then the choices boil down to:
* a security sub forum for vulnerabilities that only a few people can
post to (probably the VEL team?).
* a feed from a clean blog from one of our sites in the VEL format.

Personally the first choice would be better until the JED tie-in can
be sorted.

Claire


Brad Baker

Dec 10, 2009, 9:12:59 PM
to joomla-wg...@googlegroups.com
Maybe let's follow up with the JED team then. Creating a Joomla content item on the JED could be a simple place to start, at least until there is some official way to integrate.


Claire Mandville

Dec 10, 2009, 9:23:22 PM
to Joomla! Community Working Group Leadership
Thanks,
I have also posted a request for a wiki plugin to be installed by the
docs team that might solve the wiki issue. We would possibly need to
create a page every month at this rate.

I did miss off the option to post articles to the JSST blog, unless
that is reserved for core only.


Brad Baker

Dec 10, 2009, 9:37:30 PM
to joomla-wg...@googlegroups.com
I think the original idea was for the JSST blog/feed to be for only core Joomla issues, but if need be, I can talk to the Production WG for you.. or you can.

Claire Mandville

Dec 10, 2009, 10:18:40 PM
to Joomla! Community Working Group Leadership
Thanks,
If you run into them in the next 24 hours feel free to discuss us
hijacking their feed. <grin>


Claire
