Making Joomla! insecure Sydney JUG 09/08/2011 Presented by Tim Plummer www.tamlyncreative.com.au/software

Making Joomla Insecure - Explaining security by breaking it



This presentation covers some security tips on Joomla, by demonstrating common attacks and what you can do to prevent them.


Page 1: Making Joomla Insecure - Explaining security by breaking it

Making Joomla! insecure

Sydney JUG 09/08/2011

Presented by Tim Plummer

www.tamlyncreative.com.au/software

Page 2: Making Joomla Insecure - Explaining security by breaking it

Test scenario

• Joomla 1.5.23 with com_hello (Hello World) component installed

• http://joomlacode.org/gf/download/frsrelease/8111/29436/com_hello4_01.zip

Page 3: Making Joomla Insecure - Explaining security by breaking it

What version of Hello World are you running?

• http://localhost/sydjug/administrator/components/com_hello/install.xml

Page 4: Making Joomla Insecure - Explaining security by breaking it

How to protect?

• Password protect the administrator folder in cPanel

Page 5: Making Joomla Insecure - Explaining security by breaking it

How to password protect in cpanel?

1. Create user

2. Select user

3. Password protect this directory

Page 6: Making Joomla Insecure - Explaining security by breaking it
Page 7: Making Joomla Insecure - Explaining security by breaking it

So what web server & PHP version do you use?

• Now let's look at http://localhost/sydjug/components/com_hello/models/

Page 8: Making Joomla Insecure - Explaining security by breaking it

How to protect?

• Make sure every directory has an index.html file (or have a rule in your .htaccess to protect you)

Page 9: Making Joomla Insecure - Explaining security by breaking it

Path disclosure

• So now let's take a look at http://localhost/sydjug/components/com_hello/views/hello/view.html.php

Page 10: Making Joomla Insecure - Explaining security by breaking it

How to protect?

• Make sure every PHP file checks for _JEXEC

• <?php defined('_JEXEC') or die('Restricted access'); ?>

• <?php defined('_JEXEC') or die(''); ?>

Page 11: Making Joomla Insecure - Explaining security by breaking it

SQL Injection

• Let's add some vulnerabilities to com_weblinks

• /components/com_weblinks/models/category.php

• Before (the shipped, safe code):

  $id = JRequest::getVar('id', 0, '', 'int');
  $this->setId((int)$id);
  WHERE catid = '. (int) $this->_id. '

• After (the deliberately vulnerable code):

  $id = JRequest::getVar('id');
  $this->setId($id);
  WHERE catid = '. $this->_id.

• And delete return true; in _loadCategory()

• Now we have a vulnerable site to play with ☺

Page 12: Making Joomla Insecure - Explaining security by breaking it

SQL injection

• http://localhost/sydjug/index.php?option=com_weblinks&view=category&id=1+CENSORED_I'M_NOT_GOING_TO_SHOW_YOU_HOW_TO_DO_SQL_INJECTION

Page 13: Making Joomla Insecure - Explaining security by breaking it

How to protect

• Never trust user input, always sanitize variables, for example by casting as int

• (int)$catid
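The two versions of the category query above, side by side, as an added example that is not part of the slides. Joomla 1.5 would obtain the value with JRequest::getVar('id', 0, '', 'int') or JRequest::getInt('id'); here the framework call is replaced by plain PHP and a constructed non-numeric input so the file runs on its own and shows what the (int) cast actually does to the query string.

```php
<?php
// Added example (not from the slides). Table and column names follow the weblinks
// model on the slide; the inputs below are constructed for the demonstration.

// Vulnerable form: the raw request value is concatenated straight into the SQL.
// Whatever the client sends becomes part of the statement's structure.
function buildCategoryQueryUnsafe(string $rawId): string
{
    return "SELECT * FROM jos_weblinks WHERE catid = " . $rawId;
}

// Hardened form: cast to int before the value reaches the query. PHP keeps only a
// leading integer ("1 ..." becomes 1, "abc" becomes 0), so the input can change the
// number but never the shape of the statement.
function buildCategoryQuerySafe(string $rawId): string
{
    $id = (int) $rawId;
    return "SELECT * FROM jos_weblinks WHERE catid = " . $id;
}

// Constructed inputs: a normal id, a non-numeric string standing in for hostile
// input, and a value with no leading digits at all.
$inputs = ['1', '1 some-text-that-is-not-a-number', 'not-a-number'];

foreach ($inputs as $raw) {
    printf("input: %s\n", $raw);
    printf("  unsafe: %s\n", buildCategoryQueryUnsafe($raw));
    printf("  safe:   %s\n", buildCategoryQuerySafe($raw));
}
```

Run it with `php` from the command line. The unsafe query echoes the input verbatim, while the safe query only ever contains a bare integer. The same rule applies to string parameters, where the Joomla 1.5 equivalent of the cast is $db->Quote() rather than string concatenation.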

Page 14: Making Joomla Insecure - Explaining security by breaking it

LFI – Local File Inclusion

• Let's add some vulnerable code to /components/com_weblinks/weblinks.php

• This code is vulnerable to the local file include vulnerability as the input is not sanitised.

Page 15: Making Joomla Insecure - Explaining security by breaking it

LFI – Local File Inclusion

• http://localhost/sydjug/index.php?option=com_weblinks&controller=../../../tmp/test

• Look, I'm executing code that I shouldn't be (I created a test.php file with phpinfo just to demonstrate)

Page 16: Making Joomla Insecure - Explaining security by breaking it

How to protect?

• Use getWord instead of getVar

• Check if the file exists

• As you can see, by using the getWord function the controller variable is sanitised and everything except letters and underscores is filtered out. The file_exists check also helps to protect against remote file inclusion.
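How the controller parameter should be resolved, written out as an added example that is not the slides' own code. The filtering step re-implements what Joomla 1.5's JRequest::getWord() does (the WORD filter in JFilterInput strips everything except letters and underscores) so that the file runs without Joomla; the component directory and the controller file are constructed fixtures created in a temporary folder.

```php
<?php
// Added example (not from the slides). Mirrors the getWord + file_exists pattern
// recommended on the slide, with the Joomla calls replaced by plain PHP.

// Equivalent of Joomla's WORD filter: keep only A-Z, a-z and underscore.
function filterWord(string $value): string
{
    return preg_replace('/[^A-Za-z_]/', '', $value);
}

// Vulnerable pattern: the raw request value is spliced into the include path,
// so "../" sequences walk out of the controllers directory.
function controllerPathUnsafe(string $base, string $raw): string
{
    return $base . '/controllers/' . $raw . '.php';
}

// Hardened pattern: filter the name first, then only return a path when that
// file really exists inside the controllers directory. Returns null otherwise.
function controllerPathSafe(string $base, string $raw): ?string
{
    $name = filterWord($raw);
    if ($name === '') {
        return null;
    }
    $path = $base . '/controllers/' . $name . '.php';
    return file_exists($path) ? $path : null;
}

// Constructed fixture: a temporary component directory with one legitimate controller.
$base = sys_get_temp_dir() . '/com_example_' . uniqid();
mkdir($base . '/controllers', 0700, true);
file_put_contents($base . '/controllers/weblink.php', "<?php\n// legitimate controller\n");

// A normal request and the traversal value shown on the slide, through both versions.
foreach (['weblink', '../../../tmp/test'] as $raw) {
    printf("request: %s\n", $raw);
    printf("  unsafe path: %s\n", controllerPathUnsafe($base, $raw));
    printf("  safe path:   %s\n", controllerPathSafe($base, $raw) ?? '(rejected)');
}
// '../../../tmp/test' filters down to 'tmptest'; no such controller exists, so
// the hardened version rejects it instead of including anything.

// Remove the fixture.
unlink($base . '/controllers/weblink.php');
rmdir($base . '/controllers');
rmdir($base);
```

The filter alone already removes dots and slashes, which is why a traversal string cannot survive getWord; the file_exists check is the second layer, so that a filtered name which happens to be well formed but is not a real controller is still refused.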

Page 17: Making Joomla Insecure - Explaining security by breaking it
Page 18: Making Joomla Insecure - Explaining security by breaking it

XSS - Cross-site scripting

• http://jeffchannell.com/Joomla/joomla-jfilterinput-xss-bypass.html

Page 19: Making Joomla Insecure - Explaining security by breaking it

Other security tips

• Always have good regular backups (I recommend Akeeba Backup)

• Never use the default database prefix jos_ (use Admin Tools Core from Akeeba to change it)

Page 20: Making Joomla Insecure - Explaining security by breaking it

Other security tips

• Always keep up with the current Joomla version (use Admin Tools Core to update)

• Never use 777 file permissions (use Admin Tools Core's fix permissions)

• Change the super admin user id from the default 62 (use Admin Tools Core's Super Administrator ID to change it) – it is also recommended to set user id 62's group to Registered and disable the user.

Page 21: Making Joomla Insecure - Explaining security by breaking it

Other security tips

• Get a decent .htaccess file

• http://docs.joomla.org/Htaccess_examples_%28security%29

• Keep your extensions up to date (developers often release security fixes)

Page 22: Making Joomla Insecure - Explaining security by breaking it

Other security tips

• Look at your website cPanel error logs/raw access logs (they are interesting and sometimes scary)

• 77.221.130.18 - - [09/Aug/2011:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)"

• 77.222.40.87 - - [09/Aug/2011:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
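A small scan over raw access log lines that flags the kind of probe shown on the slide, as an added example that is not part of the presentation. It parses combined-format lines with a plain regular expression and looks for the three things visible in the slide's own entries: stacked "../" sequences, a "%00" null byte and a reference to /proc/self/environ. The two log lines are the slide's; the third, ordinary request is constructed as a control.

```php
<?php
// Added example (not from the slides): flag traversal / null-byte probes in an
// access log. The indicator list is taken from the requests shown on the slide.

// Pull the fields we need out of a combined-format log line; null if it does not parse.
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return the indicators present in a request target (empty array = nothing suspicious).
function suspiciousIndicators(string $target): array
{
    $hits = [];
    if (preg_match('#(\.\./){2,}#', $target)) {
        $hits[] = 'directory traversal';
    }
    if (stripos($target, '%00') !== false) {
        $hits[] = 'null byte';
    }
    if (stripos($target, '/proc/self/environ') !== false) {
        $hits[] = '/proc/self/environ';
    }
    return $hits;
}

// Sample input: the two entries from the slide plus one constructed normal request
// (192.0.2.10 is a documentation address, not a real client).
$lines = [
    '77.221.130.18 - - [09/Aug/2011:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)"',
    '77.222.40.87 - - [09/Aug/2011:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"',
    '192.0.2.10 - - [09/Aug/2011:14:01:07 +1000] "GET /index.php?option=com_weblinks&view=category&id=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
];

foreach ($lines as $line) {
    $entry = parseLogLine($line);
    if ($entry === null) {
        continue;
    }
    $hits = suspiciousIndicators($entry['target']);
    if ($hits !== []) {
        printf("%s %s %s -> %d [%s]\n",
            $entry['time'], $entry['ip'], $entry['target'], $entry['status'], implode(', ', $hits));
    }
}
```

Both of the slide's entries are reported and the control line is not. The status code is printed on purpose: these probes returned 404 because the targeted extensions were not installed, and the line to worry about in your own logs is the same request coming back with a 200.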

Page 23: Making Joomla Insecure - Explaining security by breaking it

Other security tips

• Set error reporting to “none” in your global config

• Be careful what file extension types you allow in media manager

Page 24: Making Joomla Insecure - Explaining security by breaking it

Other security tips

• Disable unused core extensions; this way, if a vulnerability is identified in the future in, say, com_banners, your site won't be at risk

Page 25: Making Joomla Insecure - Explaining security by breaking it

Lessons

• Many extension development tutorials have security vulnerabilities in them.

• It only takes one insecure extension to make your site vulnerable.

• Security is an ongoing exercise, it's not just something you do when you initially set up your site