Is Joomla 1.0.15 still secure?

Joomla 1.0.15 is generally secure if your extensions are secure, you run on a secure server and you back up regularly. At least that is my experience. It is arguably more secure than a typical Joomla 1.5 or more recent site, because the later versions of Joomla have new and as yet undiscovered vulnerabilities, especially in the components that make up a typical Joomla site.

Some of the fixes listed below are easy to implement, some require some work and others may require capabilities that you don't currently have. Don't worry about that: implement what you can, then return to the more difficult tasks as and when you have the necessary skills. We will be updating this page from time to time as new vulnerabilities are discovered.

Com_search Vulnerability 

Joomla 1.0.15 has two recently discovered vulnerabilities in the core code. The first is that the "ordering" parameter of the core com_search component is not properly sanitised and is therefore vulnerable to cross-site scripting. Using this vulnerability, attackers can compromise the session of a currently logged-in user or administrator and perform, in that user's name, any action available under /administrator/. As the vulnerability is in the core search functionality, it affects all Joomla! 1.0.x based web sites.

Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007 (Wikipedia).

Solution: This vulnerability can be fixed by making the following changes to search.php and search.html.php.

components/com_search/search.php, line 119 (approx.): comment out these lines:

//$ordering = mosGetParam( $_REQUEST, 'ordering', 'newest');

//$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );

replace with these:

$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest') ) );
$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );

and in components/com_search/search.html.php (line 124 approx.), find this line:

$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) );

and add the new line immediately after it, as shown below:

$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) );
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );

Com_Media Vulnerability

The second core vulnerability is a potential file inclusion loophole in the com_media component. It was first discovered in Joomla 1.5 but is also exploitable in Joomla 1.0.x. Hackers use this vulnerability to include files that may then be used to perform other actions within your website. Once again, this is an input sanitisation issue.

A company known as Netshine has back-ported the Joomla 1.5 changes that prevent this type of file inclusion.

Lines 32-34 in administrator\components\com_media\admin.media.php: replace the makeSafe function with this version:

function makeSafe( $file ) {
    /** Netshine Software Ltd. Security patch for Joomla 1.0.15 file uploads 2013-08-02 **/
    // Remove any trailing dots, as those aren't ever valid file names.
    $file = rtrim($file, '.');
    /** Security patch for Joomla 1.0.15 end **/
    return str_replace( '..', '', urldecode( $file ) );
}

Line 215: where you find this code:

    if(!$noMatch){
        mosRedirect( "index2.php?option=com_media&listdir=".$_POST['dirPath'], 'This file type is not supported' );
    }

Add this code immediately after the above lines.

    /** Security patch for Joomla 1.0.15 file uploads 2013-08-02 **/
    if (substr($file['name'], -4, 1) !== ".")
    {
        mosRedirect( "index2.php?option=com_media&listdir=".$_POST['dirPath'], 'This file type is not supported' );
    }
    /** Security patch for Joomla 1.0.15 end **/


If you make the above changes then the core of Joomla 1.0.15 is secure again. However, there are other vulnerabilities, and other approaches that you can use to make your particular website more secure.

If you are going to continue to use Joomla 1.0, security requires that you patch the site to the latest 1.0 release, 1.0.15. It also requires that you run on a secure Joomla host that uses suPHP, with all the latest security tools, to host your site securely. Most importantly, you must install any utilities you need to take very regular full backups. Then you need to actually take the backups! There is no better way to secure your site than regular backups.

-oOo-

Other Vulnerabilities

This section lists other Joomla vulnerabilities but also lists the things you can do to resolve them:


First of all, you need to do the basics: make sure that your host understands the vulnerabilities inherent in Joomla and provides a configuration that supports your installation. When you look at the System Information screen in Joomla 1.0 you should see the following:

Joomla! Register Globals Emulation: OFF
Register Globals: OFF
Magic Quotes: ON
Safe Mode: OFF
File Uploads: ON
Session auto start: OFF

Disabled Functions: dl, system, exec, shell_exec, popen, passthru, proc_open, ini_restore, symlink

If the hosting differs from this then simply host elsewhere. You may think you know what you are doing and can host it yourself; if you can handle the security issues, well, that's fine, but frankly there's no need. Good Joomla hosts can be found cheaply and they will do all the system administration for you.

-oOo-

Ensure all admin accounts are secured with long and complicated passwords using lower-case letters, numbers and unusual characters that cannot be guessed. Make sure any and all passwords are of this level of complexity, for example %@£4r_fgJT#". This gives you a fair chance of foiling any spambot trying to guess a password by brute force and guesswork.

-oOo- 

Don't share administrator passwords between sites, no matter how tempting this might be. Make sure each site has its own unique administrator passwords. If you have multiple sites this can be a real pain, but frankly it is necessary to ensure that if one site is compromised the others are kept safe. You can use Firefox to securely save your passwords as long as you have a master password in place. The site passwords will be encrypted, and tools are available to allow the passwords to be edited, saved and exported. With these tools in place you will be able to store unique passwords for each site.

-oOo- 

Check that the site is configured to work with permissions on files and folders set securely: files should be set to 644 and folders to 755; anything else is a mistake regardless of any component or extension requirement. If your host requires different settings for your site to work, then host elsewhere!

-oOo- 

Check that all your components are secure versions. There are lists on the net that you can check against. You may be using pre-release versions that have not passed all the security requirements. Jambook is an example: earlier versions did not sanitise user input correctly, leaving sites using it vulnerable; upgrade the beta versions to 1.0 and you should be safe again. Sanitising user input prevents incursions such as SQL injection. Look at the vulnerability lists for Joomla 1.0 and not those for later versions of Joomla. The good thing about running Joomla 1.0 components is that almost all of the vulnerabilities will already have been identified.

-oOo-  


Place a captcha on the administrator login page and the user registration pages. Walter Cedric's Security Images is a good one for J1.0 and can also be configured to work on the contacts page; this is vital to stop bots and spammers bombarding you with junk mail.

The following files will need to be modified as shown here: manual (I will improve this manual shortly as it is incomplete and a bit naff ...)

/public_html/components/com_registration/registration.html.php
/public_html/components/com_registration/registration.php
/public_html/includes/joomla.php
/public_html/components/com_contact/contact.html.php
/public_html/components/com_contact/contact.php
/public_html/modules/mod_login.php
/public_html/administrator/index.php


To insert the captcha on the administrator login page template, for example, open /public_html/administrator/templates/joomla_admin/login.php and at line 57 add the following code:

<?php
    //security image by www.waltercedric.com
    if (file_exists($mosConfig_absolute_path.'/administrator/components/com_securityimages/patches/joomla.adminlogin.html.php')) {
        require_once ($mosConfig_absolute_path.'/administrator/components/com_securityimages/patches/joomla.adminlogin.html.php');
    }
    //end security image by www.waltercedric.com
?>

-oOo-  


Enable reCAPTCHA image security. Some plugins such as jom_comment can work with reCAPTCHA, the two-tier security system run by Google that is used by many large websites. It is more secure than the usual captcha, and all that is needed to enable it is a reCAPTCHA key, which is easily obtained here: http://www.google.com/recaptcha/admin/create

-oOo-   


Extend any other captcha you are using to 6 characters. It seems that some of the cleverer bots are now able to defeat 4-character captchas. You need to make it as difficult as you can for the bots. Unfortunately, captchas are a real pain for your real visitors; there is nothing you can do about that. Walter Cedric's Security Images can be extended to six characters.

-oOo-  

Change the default admin username to something more secure. Create a new super administrator user first, test it and then remove the old admin account altogether. The reason it is done this way is to avoid using the default super admin id number of 62. Hackers using SQL injection will attempt to make use of the default admin id number to inject information into the user table.

-oOo-  

Create a duplicate site on a test server and keep it under wraps until it is needed for testing or as a warm standby in case the live site fails. Keep this site regularly up to date, but don't slavishly copy code from live to test, as you may be copying over some nasty junk too. Check everything you copy over for hacks/infections; there is no need to infect both sites. You can create a duplicate site using the cPanel backup tool; it is very easy to back up and restore a site.

-oOo-  

Note: Your duplicate sites are a security risk as they may have trial components installed which may be vulnerable. The trial sites may also be less secure than the live systems. Keep your passwords safe and ensure they are different to the live sites. I was once asked to break into a live site when the administrator had gone on holiday leaving the system locked. Accessing the test site was easy, and from there I was able to reassemble hashed passwords that were the same as on the duplicate live site.

-oOo-  

Use Ghanja Interceptor or similar to secure the site. This is an anti-SQL-injection tool that works on Joomla 1.0. A simple installation of this mambot can protect your whole website from vulnerabilities in your extensions; it is a great tool and will prevent hackers from injecting code into your site. But remember: just because you have it installed does not mean you can sit back and relax, you still have to fix those vulnerable extensions.

-oOo-  


Avoid using IE as anything other than a test tool to see if your site works. Do NOT browse the web using IE: it is embedded into your OS, and any browser hack can affect or damage your operating system. IE has traditionally been the most vulnerable of all the browsers.

 -oOo-  


My suggestion is Firefox. There are several plugins for FF that allow you to test and secure your website: NoScript to block any nasties on any websites that you visit, and SQL Inject Me, which tests your own site for possible SQL injections. You may not agree with my choice of browser; I do agree Chrome is a useful browser for day to day use, but the tools you need for security and development are mostly available for Firefox.

-oOo-  

Secure your own PC. Many sites are hacked from infected PCs. Install and run Malwarebytes and have a good antivirus tool such as Avast running! When you access your site through FF with these anti-malware and anti-virus tools running you should be protected against any bad script malware that tries to do anything nasty to your PC. These tools will make you feel a lot safer. Avoid Norton Security like the plague; it is the most interfering of all the a/v tools and often acts like a virus itself. It slows your machine down considerably, interferes with the very heart of the OS, stops applications from operating correctly, is difficult to remove and insists that you regularly pay somebody money for your application to continue running... sounds like a virus to me.

-oOo-  

Change the default Joomla generator tag to stop it saying "Joomla 1.0", as this gives an attacker a pretty big hint as to the site's CMS type and version! How do you do this? Either install a plugin that has this functionality built in, or change some code to do it yourself. Simply find and edit /includes/frontend.php and comment out this line at approx. line 195:

//$mainframe->addMetaTag( 'Generator', $_VERSION->PRODUCT . ' - ' . $_VERSION->COPYRIGHT );

-oOo-  

Move/redirect your configuration.php to a secure folder, preventing anyone from reading it at all. On cPanel simply copy the file to the root folder above public_html and rename it to joomla-configuration.php, then modify the current configuration.php to hold only the following:

<?php
require( dirname( __FILE__ ) . '/../joomla-configuration.php' );
?>  

After this you can set the permissions on configuration.php to make it read-only so that no one can write to it. From this point onward do not use Joomla's configuration editor to make changes; instead edit the joomla-configuration.php file manually.

-oOo-  

Use .htaccess to protect the administrator folder. This can be done in either of two ways: deny access from every address except a specific IP address, or set a password on the administrator folder. This is done to prevent bots from identifying the site as a Joomla site. Any bot can simply add /administrator to a site name, and if the site is a Joomla one then the administrator back end will pop up. It is possible for a bot to identify which version of Joomla you are running from the back end.

The first option is only useful if you use a fixed IP address. Take care with this one or you will be locking yourself out! Create an .htaccess file in the administrator folder and add the following code. Replace the IP address shown with your own static IP address.

Order Deny,Allow
Deny from all
Allow from 208.123.45.34

Note: You can find what the world thinks is your own IP address by going to sites such as http://whatismyip.org. Note that if you carry out this change then you will not be able to access your site from anywhere except the location that has the assigned IP address.

The second option is to add a password. This is done by creating two files in the administrator folder:

.htaccess
.htpasswd

The .htaccess file should contain the following code:

AuthUserFile "/home/cpanelname/public_html/administrator/.htpasswd"
AuthName "Restricted Area"
AuthType Basic
require valid-user

RewriteEngine On
RewriteRule \.htpasswd$ - [F,L]

Change the site location '/home/cpanelname/public_html' to match your own.

The .htpasswd file will contain a username and a hashed password such as this:

username:dEsRshne/GRE

The hashed password can be created on a Linux server or using a service such as the one found here: http://www.htaccesstools.com/htpasswd-generator/

-oOo-  

.htaccess and .htpasswd functionality is only available on Linux servers. If you are using Windows servers to host and secure your site then you will need to find another method.

-oOo-  

Enable SEF URLs. Most hackers use the Google inurl: operator to search for URLs that match a known exploit. With SEF enabled this sort of search no longer finds your site. Use a package such as Artio JoomSEF or SH404SEF. Artio JoomSEF is my SEF tool of choice; it is commercial but very good and extendable.

-oOo-  

Artio JoomSEF has an option to force all non-SEF URLs entered manually to be turned into their SEF equivalents. This is quite a useful function, helping to obscure standard Joomla URLs. Note though, if you are using any components that need a JoomSEF extension and do not have one, you may need to take care, as it can break bits of your site.

-oOo-  

Artio JoomSEF has a weakness too. On all pages that are SEF-ed, Artio inserts some text in a small font at the bottom of each article, "JoomSEF by Artio". This text could be used to identify the site as a Joomla site. The insertion of this text is done using various methods depending on the version of Artio you are running. How to remove this code from Artio JoomSEF 2.3.2 can be found here: . To find out how to remove this on other versions of Artio JoomSEF click here

-oOo-  

Do not install any extension until you know how it acts and how vulnerable it might be... Install and try it on a duplicate test site first. Review the extension on the net and find out what the issues are. This is especially achievable on Joomla 1.0 as nearly all the issues will already have been identified. Create a list of all extensions you use and try to monitor them; for example, you can use Google or security websites to stay informed about the latest vulnerabilities. Only use secure extensions that you trust implicitly.

-oOo-  

Remove any extensions that you don't really need. They may well be the target of hackers in the future if any inputs to their code are not properly sanitised. Use tried and tested extensions only. This applies to modules and mambots as well as components.

-oOo-  

The FTP layer should be set to OFF. The FTP password is stored in the system in plain text, easily accessible, so don't enable the FTP layer on your Joomla site. On a properly configured host the FTP layer should not be needed. If you do decide to enable the FTP layer then put the configuration.php file in a secure and unreadable location such as the root folder, as shown above.

-oOo-  

Disguise any email addresses; preferably remove all email addresses and do not allow any of them on your site. All references to email addresses should be replaced by links to a contact form.

-oOo-  

Remove vCards from all contact forms, as bots will visit your sites to try and harvest the email addresses contained within. The idea is to hide information that would be useful to spammers.

-oOo-  

Guestbook entries showing email addresses: some guestbooks will display the email addresses of visitors who have left their contact details. This functionality should be removed or hidden. If that is not possible then simply remove the email addresses from each guestbook entry.

-oOo-  

There are several "recommend a friend" components. Each of them allows a visitor to send one or more emails to other recipients, but the downside is that the emails appear to come from your site and can be used to send spam. These sorts of extensions must be protected by high quality captchas, which may defeat the bots. Bear in mind that spammers now employ hordes of humans (paid at one penny per captcha solved) and no captcha will defeat a human spammer; my suggestion is to remove this sort of component altogether.

-oOo-  

There is another minor vulnerability concerning the use of the "email this to a friend" icon that can result in spam from your site. This is NOT unique to Joomla 1.0; in fact it affects all versions of Joomla and most other CMS websites.

Joomla 1.0 has three icons enabled by default at the top of every page. The icon that causes a problem is the email icon. When clicked it pops up a little email form that allows the visitor to send a message to another email address. Bots (or human spammers) can abuse this to send their own messages to a list of email addresses. The best thing is to disable this icon to prevent spammers from taking advantage. To disable this functionality simply open the global configuration and open the Content tab. Set the radio button relating to the email icon display to 'hide'. The unfortunate side effect is that your genuine visitors lose the useful "email this" functionality. Bots and humans that know how to exploit this Joomla vulnerability will be foiled by this simple change.

Be aware also that other tools such as jom_comment provide this sort of functionality too, so it needs to be removed both site-wide and component-wide.

-oOo-  

Rename the Joomla massmail component if it is not used. Mass mail components are a target for hackers looking for a tool to use once they have found an exploit. If you don't need it, turn it off or remove it. As the mass mail component is a core module of Joomla you can't just uninstall it. Instead, use your FTP client and simply rename the folder it resides in to something obscure. Hackers will not be able to identify it and any loophole will remain unfound. Even later versions of Joomla were left vulnerable to hacks through the massmail component: Joomla 1.5.22 was a virtual open relay that allowed spammers to email anyone.

-oOo-  

Enable SMTP mail instead of PHP mail. Create a unique email account and configure the site to use its username and password, but only do this if your configuration.php file is located in a secure folder. You have to add the email username and password in plain text to the configuration file, and as a result on an insecure installation the email password will be visible. If you move the configuration file to a secure, non-readable location the details are secure. See the instructions above.

-oOo-

Turn off PHP mail. The PHP mail() function acts like an unauthenticated email client, an unnecessary loophole in your site which you need to block. If a hacker manages to take control of a badly written extension he may be able to use it to send spam emails. To block PHP mail you can simply ask your host to disable it for a particular domain; a friendly host will do this on request. If you have to do it manually, create a php.ini file in your site root and add the following directive:

disable_functions = mail


Note: Local php.ini files only have an effect if your server is configured to use them. You may have to ask your host to disable PHP mail for the one domain and then restart Apache before this change comes into effect. If your server is configured to prevent you specifying any directives then simply ask your host to turn off PHP mail for the single domain. They must do this for you if they are preventing you from specifying PHP directives. If they say they can't make the change themselves, then host elsewhere.

This will have the intended effect of stopping any naughty extensions that call PHP mail directly from being able to send out emails. Some of the badly written extensions will do this. All extensions should call mosMail, which is the correct method of sending email from a Joomla website.

Note: Walter Cedric's Security Images is one extension that does not call email correctly. If you want email logging to work after disabling PHP mail you will need to change logger.php, in /public_html/administrator/components/com_securityimages, at line 93 from this:

mail($securityImagesAdminEmail, _HASHCASH_ADMINMAILHEADER, $content, "From: ".$securityImagesAdminEmail);


to this:

mosMail($securityImagesAdminEmail, $securityImagesAdminEmail, $securityImagesAdminEmail, " Admin Login ". $mosConfig_sitename, $content, true );


All components should be using mosMail. The only way to find out is to copy all the files down to your local PC and use a tool like BareGrep to search for all occurrences of mail( , then check and change each occurrence to mosMail in a similar fashion to that shown above. When this is done all your components will email correctly using SMTP authenticated mail.

-oOo-

The above changes to email will prevent your site being used by spammers. If that does occur, your domain and the IP address it uses may be flagged as a spam IP address. If you are on a shared server where you share the IP address you run the risk of being shut out of the server by the host. It is possible to configure cPanel's Exim to keep a copy of all outgoing mail for a specified account. This mail can be sent to another address such as archive-mail@lightquick.co.uk, and the result is that you can monitor all outgoing mail at your leisure in an easily readable form.

Edit the following Exim configuration file in WHM, /etc/cpanel_exim_system_filter, and add the following code at the end of the template:

### FORWARD ALL INCOMING AND OUTGOING MAIL FOR A USER ###
if ("$h_to:, $h_cc:, $h_bcc:" contains "user@lightquick.co.uk")
or ("$h_from:" contains "user@lightquick.co.uk")
then
unseen deliver "archive-address@lightquick.co.uk"
endif

After a restart Exim will start forwarding the email as instructed. Note that you have to have access to WHM and to the Exim control panel in order to do this.

-oOo-  


Avoid using any FTP tool on your PC that takes passwords and stores them in plain text. FileZilla is one tool that has done this in the past, and using FileZilla on Windows can be tantamount to opening an enormous door to your server and inviting all the hackers in! Use only the latest versions of a secure tool and ensure you have a method to obscure your passwords. I simply will not use FileZilla at all as it is an appallingly insecure program for Windows...

WinSCP and WS_FTP both have password obfuscation or AES encryption; the first is free and open source, so in almost all respects is better!

-oOo-  


Rename the database tables. This isn't as easy as it sounds, but the benefits are great. If you rename the database tables, any attempted SQL injection that refers directly to the database tables by name will be unable to find them and as a result will fail.

You can do it manually: if you have cPanel then you can access phpMyAdmin, where the tables will be listed. In order to change the database table names you will need to know the correct syntax for the SQL commands to rename all the tables. It can be done one table at a time, but it is best to do it via an SQL script. You will also need to modify the configuration.php file to change $mosConfig_dbprefix to refer to the renamed tables correctly. A PHP script to do this can be found by downloading it here : It works for Joomla 1.0.15, tried and tested on several Joomla 1.0.15 sites. First of all back up your site in FULL. Edit the file and change the db_prefix to the prefix you desire. Copy the file into the root and run it thus:

http://www.sitename.co.uk/rename.php

When you have completed the task, remove the file completely, as you do not want it to exist on your site once the job is done. After this, all you need to do is change your configuration file to correspond to the new table names, something like this:

$mosConfig_dbprefix = 'pre_';

If you use this SQL script then you do so at your own risk! Take backups beforehand so that if something goes wrong you can restore the site as it was before your changes. Some poorly written components may have the default table names hard-coded into the code; these extensions may fail after the change. Personally I have not yet encountered an extension like that for Joomla 1.0.15.
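The renaming script linked above is not reproduced here. As an added example (my own, not the author's rename.php), the shell function below builds the SQL for the prefix change from a list of table names such as the output of mysql -N -e 'SHOW TABLES' dbname. It emits a single RENAME TABLE statement covering every matching table, because MySQL performs a multi-table RENAME atomically, so the site is never left half renamed; the table names used in the usage line are constructed.

```shell
#!/bin/sh
# Build the SQL that renames every table carrying one prefix to another.
# Added example, not the rename.php script referred to on this page.
# Table names are read from stdin, one per line, for example:
#   mysql -N -e 'SHOW TABLES' joomladb | rename_tables_sql jos_ pre_ > rename.sql
# Tables whose names do not start with the old prefix are left untouched.
rename_tables_sql() {
    awk -v old="$1" -v new="$2" '
        # Only tables whose name begins with the old prefix are renamed.
        index($0, old) == 1 {
            pair = "`" $0 "` TO `" new substr($0, length(old) + 1) "`"
            pairs = (pairs == "" ? "" : pairs ",\n    ") pair
        }
        END {
            # One multi-table RENAME is atomic in MySQL, so the site is never
            # left with some tables renamed and others not.
            if (pairs != "") print "RENAME TABLE\n    " pairs ";"
        }'
}

# The matching configuration.php line, to be edited in by hand afterwards.
dbprefix_line() {
    printf "\$mosConfig_dbprefix = '%s';\n" "$1"
}

# Constructed sample run (replace with the real SHOW TABLES output):
printf 'jos_users\njos_content\nother_table\n' | rename_tables_sql jos_ pre_
dbprefix_line pre_
```

Run the generated rename.sql in phpMyAdmin or with the mysql client after taking a full backup, then paste the dbprefix_line output into the configuration file.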

-oOo-  

If you are running cPanel then you should have access to SpamAssassin. Turn it on. SpamAssassin works on both incoming and outgoing email. It is an automated email filtering system that attempts to identify spam messages based on the content of the email's headers and body. It will help to prevent any nasty hacker who takes over your site from sending spam. All spam can be chucked into a junk box so that you can view any spam that is caught.

-oOo-  

Ensure that your installation folder does not still exist. Earlier versions of cPanel left the installation folder intact after installing Joomla 1.0. This is a significant security risk: if a hacker knows the installation folder then he can run the install script and wipe your installation. The installation folder in this case is \temp\installation\install.php; if it exists, remove it.
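Three of the checks on this page can be verified mechanically: the 644/755 permission rule, direct mail() calls that bypass mosMail, and a leftover installation script. The shell script below is an added example (not part of the original page or of Joomla) that runs those checks against a document root; the installer path it looks for is the one named above plus the stock Joomla 1.0 /installation folder, which is my assumption.

```shell
#!/bin/sh
# Audit a Joomla 1.0.x document root for three checks described on this page.
# Added example, not part of the original page or of Joomla itself.
# Usage: . ./audit.sh && audit_all /home/cpanelname/public_html

# List every file that is not 644 and every folder that is not 755,
# one line per offender. -perm 644 with no leading - or / means "exactly".
audit_perms() {
    root="$1"
    find "$root" -type f ! -perm 644 -exec printf 'file not 644: %s\n' {} \;
    find "$root" -type d ! -perm 755 -exec printf 'dir not 755: %s\n' {} \;
}

# Number of permission problems under the root (0 means all good).
count_perm_problems() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Find PHP files that call mail() directly instead of mosMail().
# The pattern requires a non-identifier character (or line start) before
# "mail(", so mosMail( and sendmail( are not reported. Output is
# file:line:source; /dev/null is passed so grep always prints the file name.
find_direct_mail() {
    find "$1" -name '*.php' -exec grep -nE \
        '(^|[^A-Za-z0-9_])mail[[:space:]]*\(' /dev/null {} +
}

# True (exit 0) if an installer is still present. The page names
# temp/installation/install.php; a stock Joomla 1.0 install ships its
# installer in /installation, which is checked too (assumption).
installer_present() {
    [ -e "$1/temp/installation/install.php" ] || [ -d "$1/installation" ]
}

# Run every check; exit status is non-zero if anything needs attention.
audit_all() {
    root="$1"
    status=0
    if [ "$(count_perm_problems "$root")" != "0" ]; then
        audit_perms "$root"
        status=1
    fi
    if [ -n "$(find_direct_mail "$root")" ]; then
        echo "direct mail() calls found:"
        find_direct_mail "$root"
        status=1
    fi
    if installer_present "$root"; then
        echo "installer still present under $root"
        status=1
    fi
    return "$status"
}
```

Each reported mail() call should be converted to mosMail in the way shown for logger.php above; the permission list can be fed straight to chmod.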

-oOo-

The back end of the Joomla administration page states everywhere that the site is a Joomla site. It even states the Joomla version. All a hacker has to do is take your domain name and put \administrator at the end to see whether the site is Joomla, and specifically Joomla 1.0. It is very hard to obscure this information unless you make several fundamental changes to the administrator's main index.php and login.php in the \administrator\templates\joomla_admin folder. What I have done is change line 23 of login.php to:

<title><?php echo $mosConfig_sitename; ?> - Administration</title>

and line 71 to:

<p>Welcome to "<?php echo $mosConfig_sitename ?>"</p>

This simply removes the word Joomla from being visible to humans at the back end. I have also created new versions of the two image files found in the admin images folder:

header_text.png: /public_html/administrator/templates/joomla_admin/images/header_text.png

version.png: /public_html/administrator/templates/joomla_admin/images/version.png

Both these images state the CMS name and the version number. I simply use Photoshop to create new versions with the information removed, as shown above. You can view these images and save them locally, then copy them up to the server, replacing the originals.

I have also modified the following file:

/public_html/includes/version.php

On line 43 you will see the following line:

     var $URL         = '<a href="http://www.joomla.org">Joomla!</a> is Free Software released under the GNU/GPL License.';

replace it with this:

     var $URL         = ' ';

These changes will stop Joomla openly advertising itself when you look at the site administrator login page. Be aware, though, that the above changes to the admin back end are largely cosmetic, as you can still obtain information about the site by viewing the source.

Note: If you password protect the administrator folder with an .htaccess as described earlier then the admin backend will not be visible to anyone - so the above work to stop the site saying "Joomla" will not be strictly necessary.

-oOo-  

The above list is what I do to secure a J1.0 site. It seems like a lot of work, but in fact most of the above applies to Joomla 1.5+ too. Joomla 1.5 does have the added benefit of a larger community that can assist with Joomla 1.5+ issues, but if you are reading this then you don't have J1.5 and have already decided that the migration path to J1.5 is too much work to contemplate. Also, you should not assume that migration is the solution to all your problems. If you believe that, then you will have to accept that you will need to rebuild your site regularly because of the increased frequency of major Joomla releases. Each Joomla release requires a full migration, which is in effect a new site each and every time. So far we have had Joomla 1.0, 1.5, 1.6, 1.7, 2.5 and now 3.0. By sticking with Joomla 1.0 you have actually saved yourself a lot of time and a lot of money, all of which others have wasted on migration after migration.

-oOo-  

 

3rd party components can have their own vulnerabilities. Here we will list a few:

Virtuemart:

If you have Virtuemart 1.0 installed then your site can be exploited through a simple vulnerability that allows emails to be sent unsolicited from your site, via this page:

  /administrator/components/com_virtuemart/html/shop.recommend.php

This page allows visitors to recommend a VM product to another potential shopper. Unfortunately a spammer can request this page directly, fill in the fields and send a spam email that appears to come from your site using your domain name.

Turning off this feature in VM 1.0 does not help, as the page is still available by direct access. Delete this page, or rename it to something obscure, to remove the vulnerability, and then remember to turn off the feature in VM too.

-oOo-  

The Virtuemart 1.1 "ask a question about this product" link can generate spam, as there is no captcha on the contact form it links to. A way around this is simply to change the link text and field prompts into images.

Modify the following file:
/public_html/administrator/components/com_virtuemart/languages/shop/english.php

find the following text labels and change them as shown below, substituting each text string for an equivalent image:

    'VM_PRODUCT_ENQUIRY_LBL' => '<img src="images/stories/ask-a-question.jpg">',
    'NAME_PROMPT' => '<img src="images/stories/enteryourname.jpg">',
    'EMAIL_PROMPT' => '<img src="images/stories/enteryouremail.jpg">',
    'MESSAGE_PROMPT' => '<img src="images/stories/enteryourmessage.jpg">',

Copy these images (or similar) to the images/stories folder:

ask-a-question.jpg, enteryourname.jpg, enteryouremail.jpg, enteryourmessage.jpg

This may help confuse the spambots as they will be unable to read the images identifying the link and the email form fields.

 

-oOo-  

 

MMSBlog:

If you have MMSBlog installed then your site email can be exploited if a hacker can access the following file:

/public_html/components/com_mmsblog/mmsblog.config.php

This file contains the login details of the user account that MMSBlog uses to receive content sent to the site by MMS message or by email. If a hacker obtains the information contained in it, he can send mail just as if it were coming from your site. This file should be protected: set its permissions to 0640 in octal (owner read/write, group read, no access for others). Then check that your PHP files are not visible in plain text to the world by typing the following into your browser:

www.domain-name.com/components/com_mmsblog/mmsblog.config.php

The browser should not display the file contents.

To be thoroughly sure that the contents are safe, move the mmsblog.config.php file to the home directory above public_html, rename it to mmsblog-configuration.php, and then call it from a brand new replacement mmsblog.config.php containing just these lines:

<?php
// Pull the real configuration in from the directory above public_html,
// outside the web root; ../../../ from components/com_mmsblog lands there.
require( dirname( __FILE__ ) . '/../../../mmsblog-configuration.php' );
?>

This will keep the email account details away from prying eyes: the cPanel home directory above public_html is not served by the web server, and therefore any files in it can be considered safe.

-oOo-  

eXtplorer:

The popular component com_extplorer has a serious (massive) vulnerability: if this component is installed, it allows full access to the site files when a URL of this format is entered:

http://www.sitename.com/administrator/components/com_extplorer/

The component presents a login/password screen which accepts a default username and password of admin/admin. The solution to this vulnerability is to uninstall this component NOW. It is an appalling oversight by this well-known developer that this vulnerability has been allowed to be introduced. The defect exists even for the most modern versions of Joomla: this bug is in no way restricted to Joomla 1.0 but affects Joomla 3.0 as well.

  -oOo-  

Joomla Cloner or Xcloner

This utility is a useful backup tool but it has multiple vulnerabilities that hackers have discovered and are utilising. It is called Joomla cloner on Joomla 1.0.15 but from 1.5 onward it has been renamed Xcloner. The vulnerabilities are as follows:

1. Arbitrary command execution.
2. Clear text MySQL password exposure through html text box under configuration panel.
3. Database backups exposed to local users due to open file permissions.
4. Unauthenticated remote access to backup files via easily guessable file names.
5. Authenticated remote file access.
6. MySQL password exposed to process table. 

The above vulnerabilities have been found in Xcloner, and the suggested remedy for all Joomla 1.5+ sites is to upgrade the component. There is no upgrade for Joomla 1.0, so the only real way to resolve these vulnerabilities is to remove the component entirely.

Instead of using Joomla Cloner, use the backup facilities found in a professional cPanel-style host.
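The file-level checks from the component sections above (the Virtuemart recommend page, com_extplorer, Joomla Cloner/Xcloner, the MMSBlog config permissions) and the version.php banner can be rolled into one audit pass over the webroot. This is an added helper, not code from the original article; the paths are the ones the article names, while the Cloner/Xcloner component folder names are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the original article. Walks a Joomla 1.0
# webroot and reports the items the article discusses. Paths are the ones
# the article names except the Cloner/Xcloner folder names, which are assumed.
audit_joomla10() {
    root="$1"
    findings=0
    # Virtuemart 1.0: shop.recommend.php can be reached directly and used
    # to relay unsolicited mail; the article says rename or delete it.
    f="$root/administrator/components/com_virtuemart/html/shop.recommend.php"
    if [ -f "$f" ]; then
        echo "WARN: $f present; rename or delete it and disable the feature"
        findings=$((findings + 1))
    fi
    # eXtplorer: file manager reachable under /administrator/components.
    if [ -d "$root/administrator/components/com_extplorer" ]; then
        echo "WARN: com_extplorer installed; uninstall it"
        findings=$((findings + 1))
    fi
    # Joomla Cloner / Xcloner: no fixed release for 1.0, so remove it.
    # (folder names are assumptions)
    for c in com_joomlacloner com_xcloner; do
        if [ -d "$root/administrator/components/$c" ]; then
            echo "WARN: $c installed; remove it and use the host's backups"
            findings=$((findings + 1))
        fi
    done
    # MMSBlog: the config holds mail credentials and must not be readable
    # by 'others' (article recommends 0640). Characters 8-10 of the ls -l
    # mode string are the 'other' permission bits.
    f="$root/components/com_mmsblog/mmsblog.config.php"
    if [ -f "$f" ]; then
        case "$(ls -ld "$f" | cut -c8-10)" in
            ---) ;;
            *) echo "WARN: $f is readable by others; chmod 0640"
               findings=$((findings + 1)) ;;
        esac
    fi
    # includes/version.php: $URL still carries the Joomla banner text.
    if grep -q '\$URL.*oomla' "$root/includes/version.php" 2>/dev/null; then
        echo "INFO: includes/version.php \$URL still advertises Joomla"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_joomla10 /home/user/public_html`; it exits non-zero while anything remains to fix, so it can be scheduled after each site change.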

  -oOo-   

JCE

The JCE Editor is a potentially vulnerable component depending upon the version you are running. Some of the earlier versions had a potential for unwanted file inclusion. The latest version for Joomla 1.0.15 is version 2.1.17 and it can be found here at Joomlacode.

 

END

Comments (3)
DoCTyPe wrote on May 23, 2016
 
Title: Just awesome!
Thank you for all the information on your website - it's great to read and check. Some of my clients' websites are still running 1.0.x for several reasons. This site helps me check everything for security and fixes from time to time.

Superb!

Votes: +0
Adam wrote on May 19, 2014
 
Title: Fantastic
Awesome list mate, thanks for putting in the time to help us all out =)

Votes: +2
J2O wrote on May 03, 2013
 
Title: Big Thanks!
Just want to say a big thanks for writing this article, it's really helped me secure my old J1.0 site!

Thanks again!

Votes: +3

Last Updated ( Tuesday, 16 February 2016 )
 