J3 Issue ?
motwguy
30 Oct 2018

Steps to reproduce the issue

Recently, while going through an older site, I was examining third-party modules, trying to eliminate security risks. In the process I discovered several items that were either no longer supported or that had been identified as malicious on the Joomla extensions site. It would really be beneficial to flag extensions in the management screen that were no longer supported or that had been identified as malicious. This way we could remove the functionality or look for alternative solutions, rather than have these unidentified security risks on the site.

Expected result

Identify files that are no longer supported and/or flag files that pose a security risk.

Actual result

Obsolete or malicious files appear to be current (no update available).

System information (as much as possible)

Additional comments

The bots are out there probing sites for known vulnerabilities while all our files/extensions appear to be up to date.

motwguy - open - 30 Oct 2018
joomla-cms-bot - labeled - 30 Oct 2018
mbabker - comment - 30 Oct 2018

It would be impossible to support this.

We couldn't introduce a system to check if an extension is supported. If it relied on calls to the JED, it would mis-report custom extensions (or even Joomla core because no parts of it are on the JED). If it relied on the extension's own update server, this still relies on the developer making an update saying "extension abandoned".

Scanning for malicious content is subjective at best and really requires a specialized service to do this. This code couldn't be included in core because of how frequently it would need to be updated, and I don't think we're going to introduce something into joomla.org that tries to emulate features from myJoomla or Sucuri or other security driven services and inherently code in the CMS that tries to send this code to us.

motwguy - comment - 30 Oct 2018

Would it be possible to link extensions to those that are available on the Joomla site so that they can be listed as "current" or status "unknown"?

mbabker - comment - 30 Oct 2018

Possible? Yes. The odds of it happening? I'd suggest slim-to-none. #16474 kind of ran into the same conceptual problems about tying a core feature to a remote service.

brianteeman - change - 30 Oct 2018
Labels Added: J3 Issue
brianteeman - labeled - 30 Oct 2018
brianteeman - change - 30 Oct 2018
Labels Removed: J3 Issue
brianteeman - unlabeled - 30 Oct 2018
brianteeman - change - 30 Oct 2018
Labels Added: J3 Issue
brianteeman - labeled - 30 Oct 2018
PhilETaylor - comment - 30 Oct 2018

Isn't the update server in the extension's XML? And so if that node exists in the XML and has a link in it, you could "assume" it supports updates. No need to use the JED at all. That's about as much as core Joomla can hope for. The Joomla VEL is not fit for production purpose either.
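
The check described in the comment above, as an added example that is not part of the original thread or Joomla's own code: it reads extension manifests, looks for a `<server>` URL under `<updateservers>`, and reports extensions without one as "unknown". The manifest contents, file names and status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifests, not taken from any real extension.
SAMPLES = {
    "mod_alpha.xml": '<extension type="module"><name>mod_alpha</name>'
                     '<updateservers><server type="extension" priority="1" name="Alpha">'
                     'https://updates.example.org/mod_alpha.xml</server></updateservers></extension>',
    "plg_beta.xml": '<extension type="plugin"><name>plg_beta</name></extension>',
    "com_gamma.xml": '<extension type="component"><name>com_gamma</name>'
                     '<updateservers><server type="extension"> </server></updateservers></extension>',
    "mod_delta.xml": '<extension type="module"><name>mod_delta</name>',  # truncated file
}


def update_servers(manifest_xml):
    """Return the usable update-server URLs declared in one manifest string."""
    root = ET.fromstring(manifest_xml)  # raises ET.ParseError on broken XML
    urls = []
    for node in root.findall("./updateservers/server"):
        url = (node.text or "").strip()
        parts = urlparse(url)
        # An empty node or a non-URL value does not count as "has a link in it".
        if parts.scheme in ("http", "https") and parts.netloc:
            urls.append(url)
    return urls


def classify(manifests):
    """Map each manifest name to 'update-server-declared', 'unknown' or 'unparseable'."""
    report = {}
    for name, xml_text in manifests.items():
        try:
            servers = update_servers(xml_text)
        except ET.ParseError:
            report[name] = "unparseable"
            continue
        # A declared server only means updates *can* be published; it says
        # nothing about whether the developer still maintains the extension.
        report[name] = "update-server-declared" if servers else "unknown"
    return report


if __name__ == "__main__":
    for name, status in sorted(classify(SAMPLES).items()):
        print(f"{status:24} {name}")
```
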

brianteeman - comment - 21 Feb 2019

This should be closed based on the comments of @mbabker above

Quy - change - 21 Feb 2019
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2019-02-21 22:38:37
Closed_By: Quy
joomla-cms-bot - change - 21 Feb 2019
Closed_Date: 2019-02-21 22:38:37 → 2019-02-21 22:38:38
Closed_By: Quy → joomla-cms-bot
joomla-cms-bot - close - 21 Feb 2019
joomla-cms-bot - comment - 21 Feb 2019

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/22872
