Joomla: Sometimes, even software feels vulnerable.

Joomla is an awesome CMS and lots of people use it. It’s also one of the most commonly exploited pieces of software we see.

Securing Joomla can be a chore, and telling you how to do it completely is beyond the scope of one single blog post – but like WordPress, one of the most common Joomla issues we see is people downloading and installing plugins that are vulnerable.

As with WordPress plugins, Joomla plugins can open up holes in your software and your site that exploiters can drive a truck through.

Check Before You Download

Joomla does its best to let you know about the plugins that can decimate your site – but you’ll only find that information if you go look for it. Just like folks who don’t read the blog likely have no idea we were at HostingCon, got new stuff, and are making major changes, folks who actively use Joomla but never look at Joomla’s documentation have no idea that there are plugins being offered that can cause real havoc with their site.

http://docs.joomla.org/Vulnerable_Extensions_List

Joomla keeps a list of extensions being offered that are known to be vulnerable, and obviously you should not use anything that appears on that list. One of the extensions we’re seeing being exploited repeatedly is:

RSMonials

http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component

XSS Exploit
190610
Believed to be version 1.5.1

It’s on that list, and it’s highlighted in a really nasty red so you understand this is a real problem: there is no patch, and you shouldn’t use it. Ok, so what if you do use it?

What is an XSS Exploit?

http://www.cgisecurity.com/xss-faq.html

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.

Remember that anything you install is your responsibility to secure. Finding the holes and patching them is your responsibility, and it can usually be dealt with by simply making upgrades a part of your site maintenance. In Joomla’s case, they provide a current list of those plugins considered dangerous and exploitable for you. If what you want to use is not on there, or if you want wider information, searching for your software or plugin and the word “vulnerability” will give you an idea what the issues are.

For example, the search RSMonials vulnerability brings up an enormous amount of information on the problems with this plugin:

http://www.google.com/search?q=RSMonials+vulnerability

and this “security technique” (i.e. the simple Google search for what you are using plus the word vulnerability) is, again, a cross-platform technique that applies to any software or plugin, not just Joomla.

This technique can also be used by web site novices who can’t install anything that doesn’t come with a button. :)

If you are a programmer, you can always sanitize and plug the hole after reading about the vulnerability. If you’re of the button-click software user variety, this technique will tell you what you should absolutely not use. Vulnerable software is not something anyone should gamble on.
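To make the XSS definition above and the “sanitize and plug the hole” advice concrete, here is an added illustration (not RSMonials’ code, and not from Joomla) of a testimonial component that echoes submitted fields back into the page, first unescaped and then escaped. The field names and the sample request are assumptions constructed for the example.

```php
<?php
// Added illustration of the XSS pattern described above; field names are assumed,
// and the request below is a constructed sample standing in for $_GET / $_POST.
$request = [
    'name'        => '<script>alert(1)</script>',
    'testimonial' => 'Great "site" & great support!',
];

// VULNERABLE: the raw submitted values are concatenated straight into HTML.
// Any markup a visitor submits is sent to every other visitor's browser as-is,
// so a crafted link or a stored testimonial can run script on your site.
function render_unsafe(array $req): string
{
    return '<p class="author">' . $req['name'] . '</p>'
         . '<blockquote>' . $req['testimonial'] . '</blockquote>';
}

// FIXED: every untrusted value is escaped for the HTML context it lands in.
// ENT_QUOTES also escapes single quotes, so the same helper is safe inside
// attribute values; the charset must match the page's declared encoding.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $req): string
{
    return '<p class="author">' . esc($req['name']) . '</p>'
         . '<blockquote>' . esc($req['testimonial']) . '</blockquote>';
}

echo "Unescaped output:\n", render_unsafe($request), "\n\n";
echo "Escaped output:\n",   render_safe($request),   "\n";
```

Escaping at output time is the fix; stripping a fixed blacklist of tags from the input is not, because encoded variants (the HEX encoding the FAQ mentions, for instance) slip past it while still being rendered by the browser.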

What does this all mean for my Site?

While we let you know after your site has been compromised, that’s truly not the way you want to find out because the moment we find the exploit, your clock starts ticking.

Repeated exploits will cause your site to be suspended and/or terminated. If it’s an active exploit returning daily reports and re-infections, you’ll have only four days to get up to speed before you are at risk of losing your site – as a host, we cannot knowingly let a site continue to serve things we know put people at risk. On the fourth exploit in a week, we will take the site offline, and potentially not allow it back on again.

Any site running dynamic software (forums, WordPress) is susceptible to attacks, but Joomla particularly so – especially in the realm of plugins released by independent people not associated with the Joomla project.

If you’re going to offer dynamic sites, always be aware of the things that can go dynamically wrong, and take some extra steps before you install your own welcome mat for site exploiters. Security experts put a lot of effort into getting the word out, so make sure you take advantage of the work they put in to try and keep your sites and your visitors safe.
