Posts tagged with security

Last week, two security reports caught our attention. Even though they are not directly about any of our products, they are relevant to our users. That is why we have opened a new forum to announce vulnerabilities. Please subscribe to the Joomlatools security RSS feed, or to the security forum (you need a forum account).

1. DOCman Seller

This extension allows you to sell documents through DOCman. So far the developer of this extension has not responded to this vulnerability report. As the extension’s web page doesn’t show any activity, we suspect it has been abandoned.

If you are using this extension, we advise you to uninstall it completely, until an update is released. The AEC extension might be a good alternative.

UPDATE: The entry on the extensions directory states that the component was updated to v2.2. However, the download link is broken, I couldn’t find any information on Ossolution’s site, and the site’s support page appears to have been hacked.

UPDATE 2: In the meantime the links on the JED have been updated to point to Ossolution’s new site. However, Ossolution now claims to have made a completely new version 2.5 of the extension, which no longer depends on DOCman. They refused to send us a copy, so we have no idea at all how secure it is.

2. Com_alfresco

We have investigated this report, and it does not concern the Joomla:Alfresco integration that was published through Joomlatools Labs over a year ago. We have been unable to find the developer of this extension, so we believe it might be a custom extension that is not available on the JED. If you have more information, please let us know.

If you have an Alfresco extension installed, you can identify it by opening /administrator/components/com_alfresco/manifest.xml. If it starts with the following header, you are using our secure extension. If it doesn’t, you might be using the vulnerable extension.

<name>Alfresco</name>
<author>Joomlatools</author>
<copyright>Copyright (C) 2008 Joomlatools. All rights reserved.</copyright>
<creationdate>December 2008</creationdate>
<license>http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL</license>
<authoremail>info@joomlatools.org</authoremail>
<authorurl>www.joomlatools.org</authorurl>
<version>1.0.0</version>
<description>This component displays an Alfresco repository using CMIS</description>

During the Joomla Security Bootcamp, in my presentation on cross-site scripting, we discovered a serious vulnerability in Joomla 1.5.2 up to 1.5.7. This issue allows an attacker to inject malicious JavaScript into a Joomla site. Joomlatools reported this issue to the Joomla Security Strike Team on October 4. Later on the issue was also reported on the bug tracker, but it was removed without explanation. So far no official patch has been released, so we have decided to make our own. Normally the Joomla project acts very fast when issues are discovered. It is our hope that a new patched version will be released with this patch as soon as possible.

How to fix your Joomla installations

All Joomla 1.5.x installations are vulnerable.

Update: My patch was a bit too extreme: it filtered out perfectly legal html as well. The link above now points to the updated version.

Optional Security?

In Joomla 1.5.2, a new set of options was added to the article parameters (see screenshot). These options allow you to set less strict filtering rules for different user groups, allowing for example managers to insert iframes in articles. However, in a default Joomla installation, no user groups are selected by default, meaning that submitted articles are not filtered at all, leaving them open to cross-site scripting attacks. Proper testing could have avoided this issue. Especially when messing with security, one has to be extra careful. My patch completely removes this feature, for a number of reasons:

  1. New features should never go in 1.5.x releases, they should go in 1.6. It’s called a development cycle, and although everybody agrees on its importance, some people still choose to ignore it and slip in new features in 1.5.x. If you want to solve particular problems for your or your customer’s sites, put it in a plugin, not in the core.
  2. Security should never be optional. Having settings to lessen security measures is like a big red button labeled “Don’t touch”: it’s asking for trouble.
  3. The new settings are way too complex. Developers can be expected to understand what filter groups, blacklists etc. are all about, but most users can’t. Keep devspeak out of the user interface. Joomla is easy to use, and we should never lose this focus. We need fewer buttons, not more.

Update: If you do not wish to apply the patch, you can get the same level of protection by changing some settings.

  1. In the backend, go to Content -> Article Manager
  2. Click the Parameters button
  3. In the popup window, scroll down to the bottom
  4. Select all the user groups, and select the option ‘Blacklist’ (screenshot)
  5. Scroll back up and click save
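To make the filtering bug described above concrete, here is an added example (not Joomla’s own code) that models the decision in a simplified way: the vulnerable variant filters only members of the selected groups, so the empty default selection filters nobody, while the hardened variant (equivalent to selecting all groups with ‘Blacklist’) filters everyone unless explicitly exempted. The group id, tag list and submitted article text are constructed for illustration, and the blacklist filter is a deliberately minimal stand-in, not a complete XSS sanitizer.

```php
<?php
// Added example, not Joomla's own code. Group ids, option values and the
// tag blacklist below are constructed for illustration only.

// Minimal blacklist filter: strips the listed elements (with their content)
// and any inline on* event-handler attributes. Illustrative, not exhaustive.
function blacklistFilter(string $html, array $tags): string {
    foreach ($tags as $tag) {
        // paired elements including their body, then any leftover open/close tags
        $html = preg_replace('#<' . $tag . '\b[^>]*>.*?</' . $tag . '\s*>#is', '', $html);
        $html = preg_replace('#</?' . $tag . '\b[^>]*>#i', '', $html);
    }
    // drop attributes such as onload="..." / onerror=...
    $html = preg_replace('#\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    return $html;
}

// Vulnerable decision: filtering applies only to members of the selected
// filter groups, so an empty selection (the default) means no filtering at all.
function filterVulnerable(string $text, int $gid, array $filterGroups, array $tags): string {
    if (count($filterGroups) > 0 && in_array($gid, $filterGroups, true)) {
        return blacklistFilter($text, $tags);
    }
    return $text; // submitted article stored as-is
}

// Hardened decision: everyone is filtered unless the group is explicitly exempted,
// which is what selecting all groups with the 'Blacklist' option achieves.
function filterHardened(string $text, int $gid, array $exemptGroups, array $tags): string {
    if (in_array($gid, $exemptGroups, true)) {
        return $text;
    }
    return blacklistFilter($text, $tags);
}

$blacklist = ['script', 'iframe', 'object', 'embed'];              // constructed tag list
$authorGid = 19;                                                    // constructed group id
$submitted = '<p>Hello</p><script>alert(1)</script>'
           . '<img src="x" onerror="alert(1)">';                    // constructed article text

// Default configuration: no groups selected.
echo "vulnerable: ", filterVulnerable($submitted, $authorGid, [], $blacklist), "\n";
echo "hardened:   ", filterHardened($submitted, $authorGid, [], $blacklist), "\n";
```

Running it shows the vulnerable variant returning the article unchanged (script and event handler intact), while the hardened variant returns only `<p>Hello</p><img src="x">`.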

A commenter on Johan’s post about Joomla 1.0’s end-of-life wrote:

“Also it’s the old argument: why upgrade if it’s working fine? Why move to 1.5 when 1.0 is working just fine for me and my users? Why move to Vista if XP is working just fine for me and my users?”

I absolutely agree that you don’t need to upgrade when a site is working fine and doing everything you need. However, if a security vulnerability is discovered in Joomla 1.0, and no one fixes it, you are in trouble. So it’s best to upgrade to 1.5 before the expiration date of 1.0.

Software versions are never maintained ad infinitum. Some projects, like Ubuntu, have a strict end-of-life policy for each release. You always know in advance exactly how much time you have to upgrade.

Setting an end-of-life date for Joomla

Joomla hasn’t set an official end-of-life date yet for 1.0 (or 1.5 for that matter). This might sound like you still have a lot of time to upgrade, but that might not be the case. Joomla is a volunteer driven open source project. It’s dependent on how much people ‘feel like’ maintaining an older version. I doubt anyone in the project feels like doing a lot of work on 1.0 anymore, so in reality, the lifecycle could already have ended without any of us knowing it.

So that’s why we feel it’s important for the Joomla project to announce an official date for Joomla 1.0’s end-of-life ASAP. It serves as a promise to the community that until this date, issues will be fixed. We propose March 6, aka 03/06/09. That leaves everyone plenty of time, and it’s an easy date to remember.

It’s up to the community now to speak up: do you agree, do you think it’s too soon, or too late? Are you upgrading to 1.5 or not at all? This way we help the Joomla project to make an informed decision.