How to fix your Joomla installations
All Joomla 1.5.x installations are vulnerable.
Update: My patch was a bit too extreme: it filtered out perfectly legal HTML as well. The link above now points to the updated version.
In Joomla 1.5.2, a new set of options was added to the article parameters (see screenshot). These options let you set less strict filtering rules for different user groups, for example allowing managers to insert iframes in articles. However, in a default Joomla installation no user groups are selected, meaning that submitted articles are not filtered at all, leaving them open to cross-site scripting (XSS) attacks. Proper testing could have avoided this issue. Especially when messing with security, one has to be extra careful. My patch completely removes this feature, for a number of reasons:
- New features should never go in 1.5.x releases; they should go in 1.6. It’s called a development cycle, and although everybody agrees on its importance, some people still choose to ignore it and slip new features into 1.5.x. If you want to solve particular problems for your own or your customer’s sites, put the solution in a plugin, not in the core.
- Security should never be optional. Having settings to lessen security measures is like a big red button labeled “Don’t touch”: it’s asking for trouble.
- The new settings are way too complex. Developers can be expected to understand what filter groups, blacklists, etc. are all about, but most users can’t. Keep devspeak out of the user interface. Joomla is easy to use, and we should never lose this focus. We need fewer buttons, not more.
Update: If you do not wish to apply the patch, you can get the same level of protection by changing some settings:
- In the backend, go to Content -> Article Manager
- Click the Parameters button
- In the popup window, scroll down to the bottom
- Select all the user groups, and select the option ‘Blacklist’ (screenshot)
- Scroll back up and click Save
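
The fail-open default described above and the effect of the workaround, as an added example that is not part of the original post and not Joomla's code: a simplified Python model in which the group names, the tag blacklist and the filter itself are assumptions. It also shows the inverted, fail-closed default, where every group is filtered unless explicitly exempted.

```python
from html import escape
from html.parser import HTMLParser

# Constructed for illustration: group names and the tag blacklist are assumptions.
ALL_GROUPS = {"author", "editor", "publisher", "manager", "administrator"}
BLACKLIST = {"script", "iframe", "object", "applet"}

class BlacklistFilter(HTMLParser):
    """Re-emit markup without blacklisted elements or on* handler attributes."""

    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in BLACKLIST:
            self.skip += 1          # drop the element and everything inside it
        elif not self.skip:
            kept = "".join(f' {k}="{escape(v or "")}"'
                           for k, v in attrs if not k.startswith("on"))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in BLACKLIST:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def blacklist_filter(html):
    parser = BlacklistFilter()
    parser.feed(html)
    parser.close()                  # flush buffered text
    return "".join(parser.out)

def save_article(html, group, filter_groups):
    """Behaviour described above: only the selected groups are filtered."""
    return blacklist_filter(html) if group in filter_groups else html

def save_article_fail_closed(html, group, exempt_groups=frozenset()):
    """Inverted default: everyone is filtered unless explicitly exempted."""
    return html if group in exempt_groups else blacklist_filter(html)

SUBMITTED = '<p onclick="x()">Hi</p><iframe src="//example.invalid"></iframe>'
for groups in (set(), ALL_GROUPS):  # shipped default vs. the workaround
    print(sorted(groups), "->", save_article(SUBMITTED, "author", groups))
```

With no groups selected the submitted markup is stored unchanged; with every group selected, or with the fail-closed variant, only `<p>Hi</p>` is stored.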