Joomla 1.0.15 is generally secure if your extensions are secure, you run on a secure server and you back up regularly. At least, that is my experience.
However, Joomla 1.0.15 has one known vulnerability: the "ordering" parameter in a core component, com_search, is not properly sanitised and is therefore vulnerable to cross-site scripting.
Using this vulnerability, attackers can compromise the session of a currently logged-in user or administrator and perform, as that user, any action available under /administrator/. Because the flaw is in a core component, it affects all Joomla! 1.0.x based web sites.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007 (Wikipedia).
This can be fixed. With regard to the above vulnerability, I had previously made the following changes to search.php and search.html.php, which fixed the problem.
components/com_search/search.php, line 119 (approx.)
Comment out these lines:
//$ordering = mosGetParam( $_REQUEST, 'ordering', 'newest');
//$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );
and replace them with these:
$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest') ) ); // force a plain string, lower-cased
$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );                // allowlist: drop everything except a-z
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );                         // keep only the leading word
//$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);                        // PHP 5.2+ only, see note below
and in components/com_search/search.html.php (line 124 approx.), find this line:
$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) );
and add the new lines just after it, as shown below:
$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) ); // existing line
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );                          // new: keep only the leading word
//$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);                         // new, PHP 5.2+ only, see note below
I got these from a site somewhere a long, long time ago, so I take no credit for the changes. I had also previously added the following line to both files:
$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);
but I commented it out as filter_var was not supported on PHP 5.1; it might help to have it active if you are on PHP 5.2+. If you make the above changes, the Joomla 1.0.15 search component is secure again.
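To see what the patched lines actually let through, here is the same sanitisation lifted into a stand-alone script that runs over a few constructed request values. This is an added example, not code from the post or from Joomla itself: getParam() is a hypothetical stand-in for Joomla 1.0's mosGetParam(), and the $known list is my assumption about which orderings com_search accepts (check your own search.html.php). One caveat on the commented-out filter_var line: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so the regex allowlist, not filter_var, is the part to rely on.

```php
<?php
// Added example (not the post's or Joomla's own code): the com_search
// "ordering" sanitisation as a stand-alone function, exercised against
// constructed request values.

// Hypothetical stand-in for Joomla 1.0's mosGetParam(): return the named
// request value if present, otherwise the default.
function getParam(array $src, $name, $default)
{
    return array_key_exists($name, $src) ? $src[$name] : $default;
}

// The three steps the patched search.php applies, in the same order:
// coerce to a string and lower-case it, drop every character that is not
// a-z, then keep only the leading word.
function sanitizeOrdering(array $request)
{
    $ordering = strtolower(strval(getParam($request, 'ordering', 'newest')));
    $ordering = preg_replace('/[^a-z]/', '', $ordering);
    $ordering = preg_replace('~^(\w+).*$~', '\1', $ordering);
    return $ordering;
}

// Extra hardening step that the post does not include: only accept values
// the component actually understands. The list is an assumption about
// Joomla 1.0 com_search; anything else falls back to the default ordering.
function validateOrdering($ordering, array $known = array('newest', 'oldest', 'popular', 'alpha', 'category'))
{
    return in_array($ordering, $known, true) ? $ordering : 'newest';
}

// Constructed sample requests, including the kind of script payload the
// XSS report is about and some other junk a scanner might send.
$samples = array(
    array(),                                            // parameter absent
    array('ordering' => 'Oldest'),                      // mixed case
    array('ordering' => '"><script>alert(1)</script>'), // reflected-XSS attempt
    array('ordering' => 'popular; DROP TABLE jos_content'),
    array('ordering' => 'alpha&foo=bar'),
);

foreach ($samples as $req) {
    $raw   = getParam($req, 'ordering', '(absent)');
    $clean = sanitizeOrdering($req);
    $final = validateOrdering($clean);
    printf("%-42s -> %-28s -> %s\n", var_export($raw, true), $clean, $final);
}
```

Run it with `php sanitize_ordering.php`. Note that the second regex is a no-op once the first has removed every non-letter (there is no whitespace left for `\w+` to stop at), so it is harmless but not doing any work; the first regex is what neutralises the script payload, turning it into the meaningless but inert word `scriptalertscript`. That is also why the extra validateOrdering() step is worth having: the allowlist regex guarantees the value is safe to reflect into HTML and an ORDER BY clause, but only a comparison against the known orderings guarantees it is a value the component expects.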
There is another vulnerability concerning the "email this to a friend" icon. Joomla 1.0 has three icons enabled by default at the top of every page, and the one that causes a problem is the email icon. When clicked, it pops up a small form that allows the visitor to send a message to another email address. Bots (or human spammers) can abuse this to send their own messages to a list of email addresses. The best thing is to disable this icon, or harden the code to stop spammers taking advantage of it. To disable the functionality, open Global Configuration and select the Content tab, then set the radio button for the email icon display to 'Hide'. The unfortunate side-effect is that you lose the useful "email this" functionality; however, other tools such as jom_comment also provide this sort of feature, so it is fairly easily replaced.
Bots that know how to exploit this Joomla vulnerability will be foiled by this simple change.
There are code changes you can make to the com_content component that introduce some JavaScript spam checks to foil the spammers; once I have tested them, I will post them here.
For the moment Joomla 1.0.15 is secure again.