Making Joomla! insecure
Sydney JUG 09/08/2011
Presented by Tim Plummer
www.tamlyncreative.com.au/software
Test scenario
• Joomla 1.5.23 with com_hello (Hello World) component installed
• http://joomlacode.org/gf/download/frsrelease/8111/29436/com_hello4_01.zip
What version of Hello World are you running?
• http://localhost/sydjug/administrator/components/com_hello/install.xml
How to protect?
• Password protect administrator folder in cpanel
How to password protect in cpanel?
1. Create user
2. Select user
3. Password protect this directory
So what web server & PHP version do you use?
• Now let's look at http://localhost/sydjug/components/com_hello/models/
How to protect?
• Make sure every directory has an index.html file (or have a rule in your .htaccess to protect you)
Path disclosure
• So now let's take a look at
• http://localhost/sydjug/components/com_hello/views/hello/view.html.php
How to protect?
• Make sure every php file checks for _JEXEC
• <?php defined('_JEXEC') or die('Restricted access'); ?>
• <?php defined('_JEXEC') or die(''); ?>
SQL Injection
• Let's add some vulnerabilities to com_weblinks
• /components/com_weblinks/models/category.php
• Before:
  $id = JRequest::getVar('id', 0, '', 'int');
  $this->setId((int)$id);
  WHERE catid = '. (int) $this->_id. '
• After:
  $id = JRequest::getVar('id');
  $this->setId($id);
  WHERE catid = '. $this->_id.
• And delete return true; in _loadCategory()
• Now we have a vulnerable site to play with ☺
SQL injection
• http://localhost/sydjug/index.php?option=com_weblinks&view=category&id=1+CENSORED_I'M_NOT_GOING_TO_SHOW_YOU_HOW_TO_DO_SQL_INJECTION
How to protect
• Never trust user input, always sanitize variables, for example casting as int
• (int)$catid
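The int cast the slide recommends, as an added stand-alone example (this is not code from the slides or from Joomla): buildCategoryWhere() is a constructed helper that builds the same WHERE fragment as the com_weblinks category model, once with the cast and once the way the "after" column does it, and the sample request values are constructed so you can see what the cast does to each.

```php
<?php
// Added example, not from the slides or from Joomla. buildCategoryWhere() and
// buildCategoryWhereUnsafe() are constructed helpers that stand in for the
// query-building line in /components/com_weblinks/models/category.php.

/**
 * Safe version: whatever the request contained, only an integer reaches the SQL.
 * PHP's (int) cast keeps a leading integer and throws the rest away
 * ("12abc" becomes 12, "abc" becomes 0, "-5" stays -5).
 */
function buildCategoryWhere($requestId)
{
    $catid = (int) $requestId;
    return 'WHERE catid = ' . $catid;
}

/**
 * The "after" (deliberately broken) version from the slide: the raw request
 * value is concatenated into the query, so the client controls the SQL text.
 */
function buildCategoryWhereUnsafe($requestId)
{
    return 'WHERE catid = ' . $requestId;
}

// Constructed request values, as they might arrive via JRequest::getVar('id')
$samples = array('1', '12abc', 'abc', '1 extra text', '-5');

foreach ($samples as $value) {
    printf("%-16s safe: %-20s unsafe: %s\n",
        var_export($value, true),
        buildCategoryWhere($value),
        buildCategoryWhereUnsafe($value));
}
```

Run it with `php sqlcast.php`: every line in the "safe" column is `WHERE catid = <integer>`, while the "unsafe" column reproduces the request text verbatim, which is exactly the difference between the before and after code on the previous slide.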
LFI – Local File Inclusion
• Let's add some vulnerable code to /components/com_weblinks/weblinks.php
• This code is vulnerable to the local file include vulnerability as the input is not sanitised.
LFI – Local File Inclusion
• http://localhost/sydjug/index.php?option=com_weblinks&controller=../../../tmp/test
• Look, I'm executing code that I shouldn't be (I created a test.php file with phpinfo just to demonstrate)
How to protect?
• Use getWord instead of getVar
• Check if file exists
• As you can see, by using the getWord function the controller variable will be sanitised: it filters out everything except letters and underscores. The file_exists check also helps to protect from remote file inclusion.
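The getWord + file_exists fix, as an added stand-alone example (not code from the slides or from Joomla): sanitiseWord() applies the same filter JFilterInput uses for the 'WORD' type (only letters and underscore survive; that this matches JFilterInput is my assumption), resolveController() is a constructed helper that only loads a file that really exists under the component's controllers directory, and the component layout is built in a temporary directory so the script runs on its own. The traversal value is the one shown on the previous slide.

```php
<?php
// Added example, not from the slides or from Joomla. sanitiseWord(),
// resolveController() and resolveControllerUnsafe() are constructed helpers;
// the fake component directory is built in the system temp dir for the demo.

/** Same filter as JFilterInput's 'WORD' type: drop everything except A-Z, a-z and '_'. */
function sanitiseWord($value)
{
    return preg_replace('/[^A-Z_]/i', '', (string) $value);
}

/**
 * Hardened loader: returns the controller file to include, or null when the
 * request does not name an existing controller (caller falls back to the default).
 */
function resolveController($componentPath, $requestedController)
{
    $controller = sanitiseWord($requestedController);
    if ($controller === '') {
        return null;
    }
    $path = $componentPath . DIRECTORY_SEPARATOR . 'controllers'
          . DIRECTORY_SEPARATOR . $controller . '.php';
    return file_exists($path) ? $path : null;   // only files that really are controllers
}

/** The vulnerable pattern: raw request value concatenated straight into the path. */
function resolveControllerUnsafe($componentPath, $requestedController)
{
    return $componentPath . DIRECTORY_SEPARATOR . 'controllers'
         . DIRECTORY_SEPARATOR . $requestedController . '.php';
}

// --- constructed fixture: a fake component with one real controller ----------
$component = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'com_example_' . uniqid();
mkdir($component . DIRECTORY_SEPARATOR . 'controllers', 0700, true);
$real = $component . DIRECTORY_SEPARATOR . 'controllers' . DIRECTORY_SEPARATOR . 'category.php';
file_put_contents($real, "<?php // real controller\n");

$requests = array(
    'category',            // legitimate controller name
    '../../../tmp/test',   // the traversal value from the slide
    'category.php%00',     // encoded null byte appended to the name
    '',                    // no controller requested
);

foreach ($requests as $raw) {
    $word = sanitiseWord($raw);
    $path = resolveController($component, $raw);
    printf("%-20s getWord=%-12s hardened: %-32s unsafe path: %s\n",
        var_export($raw, true),
        var_export($word, true),
        $path === null ? 'not loaded (default controller)' : 'load ' . basename($path),
        resolveControllerUnsafe($component, $raw));
}

// cleanup of the constructed fixture
unlink($real);
rmdir($component . DIRECTORY_SEPARATOR . 'controllers');
rmdir($component);
```

The traversal request reduces to the word `tmptest`, which is not a controller, so nothing is loaded; only `category` maps to a file under controllers/. The "unsafe path" column shows where the raw value would have pointed the include, which is why sanitising before building the path matters more than checking afterwards.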
XSS - Cross-site scripting
• http://jeffchannell.com/Joomla/joomla-jfilterinput-xss-bypass.html
Other security tips
• Always have good regular backups (I recommend Akeeba Backup)
• Never use default database prefix jos_ (use Admin Tools Core from Akeeba to change)
Other security tips
• Always keep up with current Joomla version (use Admin Tools Core to update)
• Never use 777 file permission (use Admin Tools Core fix permissions)
• Change super admin user id from default 62 (use Admin Tools Core Super Administrator ID to change) – also recommended to set user id 62's group to registered and disable user.
Other security tips
• Get a decent .htaccess file
• http://docs.joomla.org/Htaccess_examples_%28security%29
• Keep your extensions up to date (developers often release security fixes)
Other security tips
• Look at your website cpanel error logs/raw access logs (they are interesting and sometimes scary)
• 77.221.130.18 - - [09/Aug/2011:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)"
• 77.222.40.87 - - [09/Aug/2011:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
Other security tips
• Set error reporting to “none” in your global config
• Be careful what file extension types you allow in media manager
Other security tips
• Disable unused core extensions; this way, if a vulnerability is identified in future in, say, com_banners, your site won't be at risk
Lessons
• Many extension development tutorials have security vulnerabilities in them.
• It only takes one insecure extension to make your site vulnerable.
• Security is an ongoing exercise, it's not just something you do when you initially set up your site