Building the Vulnerable Website
This article is about building a new vulnerable extension list (VEL) website to support future development with the JED and Joomla core, how it was done, and why.
The VEL had been documented on the wiki, which was becoming unworkable. Each VEL required an email to the VEL team, often with scant information, a change to the wiki in a certain format so that the RSS feed would be updated correctly, and then a change to the JED unpublishing the actual extension.
The problem with the wiki was that the page was locked to certain people, which prevented edits of both good and malicious intent. Erratic searching across the whole wiki made hunting for one extension very time-consuming.
Sorting the resolved and the unresolved items was a monumental task. Most of the time the whole process was managed by just two members.
What was needed was a separate website to gather all the vulnerable, resolved and useful security tips into one place, along with a simple boilerplate system for reporting new items and for developers to update their extensions.
As part of the Open Source ideals, one major requirement was that we use all Open Source extensions available to the community. All extensions used onsite are suitable for Joomla 2.5 and available free for download.
With a working group in place and discussions with Mandville, Phild, Gary Brooks and Matt Baylor, a site plan was formulated for testing to ensure the idea was workable. We also set a deadline of May 1st to have the site ready for release. This allowed just over 2 months from start to finish.
After several weeks of installing, removing, fiddling and screaming, the site was narrowed down to the following setup and extensions:
- Joomla 2.5
- Feedgator for importing the existing VEL to content and for importing the core news.
- RS forms for the VEL alert and extension updates.
Our test site was then released to a few invited people from different backgrounds.
After solid testing and content import, and with just days to go until the launch date, the Community Leadership Team (CLT) approached the VEL team with a view to placing the VEL website on a Joomla sub-domain. This would make the VEL team more of an officially recognized project. The VEL team agreed with the idea but stipulated that the May 1st deadline must still be met.
Thanks to Olaf (of the CLT) and his efforts, the project was then packed, moved and reformatted to the Joomla colour scheme within a week.
The site was then tested by members of the JED team and proved to be working the way it was designed to work, and in some ways it wasn't.
On May 1st we launched the site and locked the original VEL page on the docs wiki.