Joomla is an awesome CMS and lots of people use it. It’s also one of the most commonly exploited pieces of software we see. Securing Joomla can be a chore, and telling you how to do it completely is beyond the scope of one single blog post - but like WordPress, one of the most common Joomla issues that we see is people downloading and installing plugins that are vulnerable. As with WordPress plugins, Joomla plugins can open up holes in your software and your site that exploiters can drive a truck through.
Check Before You Download

Joomla does its best to let you know about these plugins that can decimate your site – but you’ll only find that information if you go look for it. Just like folks who don’t read the blog likely have no idea we were at HostingCon, got new stuff, and are making major changes, folks that never bother to look at Joomla’s documentation but who actively use Joomla have no idea that there are plugins being offered that can cause real havoc with their site.

http://docs.joomla.org/Vulnerable_Extensions_List

Joomla lists extensions being offered that are (1) vulnerable and, obviously, (2) not to be used if they appear on that list. One of the extensions we’re seeing being exploited repeatedly is:
RSMonials
http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component
XSS Exploit
190610
Believed to be 1.5.1 version

It’s on that list, and it’s highlighted in a really nasty red so you comprehend this is a real problem, there is no patch, and you shouldn’t use it. Ok, so what if you do use it?
What is an XSS Exploit?

http://www.cgisecurity.com/xss-faq.html
“Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.”

Remember that anything you install is your responsibility to secure. Finding the holes and patching them is your responsibility, and it can usually be dealt with by simply making upgrades a part of your site maintenance. In Joomla’s case, they provide a current list of those plugins considered dangerous and exploitable for you. If what you want to use is not on there, or if you want wider information, searching for your software or plugin and the word “vulnerability” will give you an idea what the issues are. For example, the search RSMonials vulnerability brings up an enormous amount of information on the problems with this plugin: http://www.google.com/search?q=RSMonials+vulnerability

This “security technique” (i.e. the simple Google search on what you are using plus the word vulnerability) is, again, a cross-platform technique that applies to any software or plugin, not just Joomla. It can also be used by web site novices who can’t install anything that doesn’t come with a button. :) If you are a programmer, you can always sanitize and plug the hole after reading about the vulnerability.
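To make the “sanitize and plug the hole” part concrete, here is an added PHP example (it is not code from the original post and not RSMonials’ code; the function names, the testimonial-style page and the sample input are all constructed for illustration). It renders the same user-supplied values twice: once concatenated straight into the page, which is the pattern behind an XSS hole, and once passed through htmlspecialchars() so that markup and quotes in the input are displayed as text instead of being interpreted by the visitor’s browser.

```php
<?php
// Added example, not part of the original post or of any Joomla extension.
// Names below (escapeHtml, renderTestimonial) are assumptions for illustration.

// Escape untrusted text for use inside an HTML element body or a quoted
// attribute value. ENT_QUOTES converts both ' and " so the result is safe in
// attributes; ENT_SUBSTITUTE avoids an empty result on malformed UTF-8.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the "thanks for your testimonial" snippet a component might echo back.
// $escape=false shows the vulnerable pattern; $escape=true shows the fix.
function renderTestimonial(string $name, string $comment, bool $escape): string
{
    if (!$escape) {
        // Vulnerable: whatever the user typed (or a crafted link carried) is
        // written into the page as-is, so it becomes part of the page's HTML.
        return "<p class=\"by\" title=\"$name\">$comment</p>";
    }
    // Fixed: every untrusted value is escaped for the context it lands in.
    return '<p class="by" title="' . escapeHtml($name) . '">'
         . escapeHtml($comment) . '</p>';
}

// Constructed sample input of the kind a malicious link would supply.
$name    = 'x" onmouseover="alert(1)';
$comment = 'Great site! <script>alert(1)</script>';

echo "Unescaped (browser would execute the script):\n";
echo renderTestimonial($name, $comment, false), "\n\n";

echo "Escaped (browser shows the markup as plain text):\n";
echo renderTestimonial($name, $comment, true), "\n";
```

Run it with the PHP command-line interpreter (php example.php) and compare the two outputs: in the escaped version the angle brackets and quotes come out as &lt;, &gt;, &quot; and &#039;, so neither the attribute nor the element body can be broken out of. The same rule applies to any value the plugin echoes back, including data it stored earlier and reads from the database.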
If you’re of the button-click software user variety, this technique will tell you what you should absolutely not use. Vulnerable software is not something anyone should gamble on.