The Joomla! Project takes security vulnerabilities very seriously. As such, the Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.
The Joomla Framework provides an application class for making command line applications. An example command line application skeleton: use Joomla Application AbstractCliApplication; // Bootstrap the autoloader (adjust path as appropriate to your situation). Requireonce DIR. The Joomla Framework provides an application class for making command line applications. An example command line application skeleton: use Joomla Application AbstractCliApplication; // Bootstrap the autoloader (adjust path as appropriate to your situation). Requireonce DIR.
About the JSST
In wild land firefighting, the term 'Strike Team' is used to describe a collection of similar resources, which used for a specific purpose (https://en.wikipedia.org/wiki/Strike_Team). The JSST is called a strike team because it is a collection of developers and security experts tasked with improving and managing security for Joomla. The JSST roster can be found on the Joomla! Volunteers Portal.
The JSST operates with a limited scope and only directly responds to issues with the core Joomla! CMS and Framework, as well as processing reports regarding the *.joomla.org network of websites. We do not directly handle potential vulnerabilities with Joomla! extensions or websites built by our users, however there are resources available for these categories. The Vulnerable Extensions List contains reports of security vulnerabilities in extensions and users may seek assistance with security issues on their websites from the Joomla! Forum.
To be able to fully respond to a potential security issue, the JSST asks that issue reports includes as much of the following data as possible:
- The Joomla! software (CMS or Framework) or website (*.joomla.org) affected by the vulnerability (for the software, please include the version(s) tested)
- Steps to reproduce the problem
- For the CMS or Framework, this should be what is required from a new install of the affected package
- For the *.joomla.org websites, this should be the steps taken to trigger the vulnerability
- If sharing a vulnerability reported elsewhere, please include the source of this report
- A patch may be proposed which will be reviewed by the JSST
The JSST aims to ensure all issues are handled in a timely manner and for clear communication between the team and issue reporters. As such, we have established the following guidelines for responding to issue reports:
- Within 24 hours every report gets acknowledged
- Within 7 days every report gets a further response stating either
- the issue is closed (and why)
- the issue is still under investigation; if needed, additional information will be requested
- Within 21 days every report must be resolved unless there are exceptional circumstances requiring additional time
Signed & Encrypted Mail
- Investigate and respond to reported vulnerabilities in the Joomla! CMS, Framework, and joomla.org websites.
- Execute code reviews prior to release to identify new vulnerabilities.
- Provide public presence regarding security issues.
- Help the community understand Joomla! security.
Security Announcement Policy
- Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
- All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.
Public Responses Policy
Articles are written about Joomla! all the time. In many circumstances, these articles (even from reputable sources) contain a significant amount of misinformation.
- The JSST in conjunction with the Marketing Team will assess and address articles written about security issues
- If the article contains valid information about a vulnerability not yet fixed, we will ask the publisher to suspend the article until we can fix the issue
- If the article contains invalid information, we will note what is invalid, and ask the publisher to either fix or remove the article
- The JSST will be available to answer questions/validate any Joomla! security related articles on the publisher's request
Security Release Policy
- Critical and high-level vulnerabilities trigger an immediate release cycle
- The Joomla! project may release an advisory indicating the scheduled release window to allow site owners to prepare for the release
- Moderate vulnerabilities may trigger a release cycle depending on the specific issue
- Low and very low vulnerabilities (and moderates which do not trigger a release cycle) will be included with the next scheduled maintenance release
- All security releases will be accompanied by one (or more) appropriate security announcements
The Joomla! project will properly credit individuals and/or organizations who responsibly disclose security issues to the JSST. You can indicate the way you would like to be referred to in the advisory about the vulnerability. Our preference is to use full names. If you do not specify then we will use the contact name associated with the email address the report was received from. You can also request a pseudonym or having your name withheld.
Vulnerability Threat Levels
In accordance with the security policy from the Joomla! project's development strategy, there are two main details that contribute to a vulnerability's priority or 'threat level':
|Critical||“0-day' attacks, and attacks where site control is compromised (allows attacker to take control of the site).|
|High||SQL injection attacks, remote file include attacks, and other attack vectors where site data is compromised.|
|Moderate||XSS attacks, write ACL violations (editing or creating of content where not allowed).|
|Low||Read ACL violations (reading of content where not allowed).|
|Critical||VERY easy to perform. Relies on no outside information (TRUE 0-day attack).||As soon as possible|
|High||Moderately easy to perform. May rely on readily available outside information.||Per oCERT guidelines|
|Moderate||Not easy to perform. May rely on sensitive information.||Per oCERT guidelines|
|Low||Difficult to perform. Relies on sensitive information or requires special circumstances to perform.||Per oCERT guidelines|
NOTE: The descriptions are just generic guidelines. Each vulnerability will be assessed for damage potential and will be ranked accordingly.
All currently developed and supported versions of the Joomla! CMS and Framework will be actively monitored by the JSST.
Currently active versions include:
- Joomla! CMS - 3.x
- Joomla! Framework - 1.x
What is the Joomla! Framework?
The Joomla! Framework™ is a new PHP framework (a collection of software libraries/packages) for writing web and command line applications in PHP, without the features and corresponding overhead found in the Joomla! Content Management System (CMS). It provides a structurally sound foundation, which is easy to adapt and easy to extend.
The Joomla! Framework is free and open source software, distributed under the GNU General Public License version 2 or later; and is comprised of code originally developed for the Joomla! CMS™.
The Joomla! Framework should not be confused with the hugely popular Joomla! CMS. It is important to remember that you do not need to install the Joomla! Framework to use the CMS, nor do you need to install the Joomla! CMS to use the Framework.
The new Joomla! Framework is now available to install via Composer and you can find the list of packages on Packagist.org. There are plenty of avenues you can explore to get started on working with the Framework.
For the official docs, check out the
README.md file found in each package. You can also review the Joomla! Framework organization on GitHub.
Get the Sample Application
One of the easiest ways to get to know the Joomla! Framework is to start with looking at a sample application. This site is powered by the Joomla! Framework and serves as a great example of using the Framework.
Brian Teeman - Is Joomla Really Easy?
- Install Composer.
- Download this website application repository from GitHub.
- View in your browser.
Why build the Joomla! Framework?
Separating the framework from the CMS was a big deal, and in retrospect, a smart decision. By separating the two code bases Joomla!® can now offer the stability the CMS requires while still taking advantage of current and modern trends in PHP development.
What is the Framework good for?
- Building a RESTful web services platform
- Building both simple and complex command line tools
- Building next generation web applications
A great example is the issue tracker for the Joomla! CMS.
The Joomla! Framework has also been designed for maximum flexibility. Breaking the Framework into isolated modular packages allows each package to evolve more easily than if all packages are tied to a single, large package release. Chromium element.
Gone are the days when a PHP framework must offer anything and everything a developer needs to complete a project. The current and widely adopted modern practice is to employ lightweight independent feature-specific packages.
The Framework is distributed with Composer, and as such, allows you to include any other PHP code packages that you can install using Composer. And that's a LOT! Take a look at Packagist.org to see the kind and quality of code which becomes available when using Composer for dependency management.
What does the Joomla! Framework mean for you?
Whether you are a Joomla! extension developer looking to spread your wings & delve into developing standalone applications or a PHP coder looking for a stable lightweight framework for your next app, the Framework provides benefits for everyone.
I am already developing Extensions for the Joomla! CMS. Why should I consider using the Joomla! Framework?
You have invested significant time & effort in learning the Joomla! way of doing things & writing extensions. You can now apply this same knowledge within a non-CMS environment because the Joomla! Framework maintains a similar set of function, class, and method names.
It's important to keep in mind other situations, such as what happens when you land a project that needs a different type of application. Or when something doesn't really fit into the website or CMS box, or the CMS is simply too much overhead. There may be times when you need a simple tool to migrate data from one Business Intelligence system to another or a lightweight RESTful service to talk to a mobile application. These are all cases when a framework-based application will prove much more beneficial.
These are only a few of the many situations where a framework based solution would work far better than attempting to shoehorn a solution into the Joomla! CMS. The Joomla! Framework allows you to leverage all that Joomla! knowledge to build apps without the overhead of the CMS.
I know PHP already. Why should I use this framework?
If you are a strong coder looking for a lightweight framework that is easy to adapt and extend, you are in the right place.
The Joomla! Framework is available using Composer. This allows you to build projects from the many packages included in the Joomla! Framework as well as packages that best fit your needs from any of the other PHP frameworks that use Composer.
I am a Joomla! CMS User. How will I be affected?
Joomla Application Download
The Joomla! CMS and the Joomla! Framework are currently developed independently and, thus, the Framework's launch will not have an immediate impact for you. However, there are already parts of the Framework integrated into the CMS (e.g. the Dependency Injection package, added in Joomla! 3.2), and more is coming. Expect to see some great extensions made available to you, built using the Framework!
The Joomla! Framework aims at getting the latest in PHP developments and features into Joomla! at the framework level. This allows the CMS to better focus its aims on providing the best features for its end users and staying ahead of the game.
Bottom line, you can rest assured that your favorite CMS will continue to have a strong, up-to-date and robust base that can evolve with the web.