This is a question we face in many VAPT tests/Infosec observations: “You need to upgrade the Joomla framework”. Below is our response to the same
Is a Joomla Upgrade necessary?
uKnowva upgrade does not need a Joomla upgrade because uKnowva framework is forked from Joomla and not built on top of it. It is actually inspired from the Joomla framework, but is not completely based on that framework. What this basically means is that we have used a few libraries from the Joomla framework to build the uKnowva framework on top of which the complete HRMS, Intranet application and its corresponding underlying components/modules are built.
Who takes responsibility of the Joomla code used then?
That is completely uKnowva Team’s responsibility and we have already optimized the code for better performance and security at different levels
Is a VAPT performed on the Joomla framework used?
Yes, our VAPT vendor has done the VAPT testing of complete underlying code including the code that was forked from the Joomla framework
Can you give us similar examples for reference where a framework is forked and does not need an upgrade of the underlying framework?
· Python was inspired/forked from ABC programming language, an upgrade of Python does not need an upgrade of ABC programming language
· Objective C (in which Mac OS was written) was inspired/forked from C language.
Can Joomla plugins then be installed on uKnowva too?
No, we have disabled installing of any Joomla plugin as such plugins are not tested for security and can be a source of security threats. Extensions/Addons can be installed on uKnowva only from the uKnowva extension store. All uKnowva extensions follow a build-test-vapt cycle and are uploaded to extension store only after testing and security testing clearance.
Why does the VAPT suggest to upgrade then?
Most common reason is that the VAPT tools scan for certain patterns and files to find the underlying frameworks used and then compare them to the latest versions of those frameworks and if there is a mismatch, it suggests an upgrade, but it does not check if the framework is forked and used. Hence the suggestion.
Why was Joomla framework used for building uKnowva framework?
We started building uKnowva in the year 2012 and the team of developers working on this then had evaluated multiple PHP based frameworks like Code-igniter, Drupal, Joomla, etc. they zeroed it down to Joomla framework as it was simple, Object oriented and a very well written framework. But Joomla was primarily for building websites and not web applications then, hence it was decided to fork the framework and make the uKnowva framework out of it which later on laid the foundation for building the Enterprise grade applications like HRMS/HCM and Intranet platforms.