This document summarizes a presentation about making Joomla insecure and how to protect against common vulnerabilities. It demonstrates how to introduce vulnerabilities like SQL injection, local file inclusion, and cross-site scripting. It then provides tips to secure a Joomla site, such as sanitizing user input, updating to the latest version, using strong passwords, checking for file existence, and more. The goal is to make attendees aware of potential risks and how to properly secure a Joomla website.
5. How to password protect in cpanel?
1. Create user
2. Select user
3. Password protect this directory
7. So what web server & PHP version do you use?
• Now let's look at http://localhost/sydjug/components/com_hello/models/
• A directory with no index file comes back as a directory listing, and the server signature at the bottom of that listing typically discloses the web server and PHP version to anyone who asks.
8. How to protect?
• Make sure every directory has an index.html file (or have a rule in your .htaccess that disables directory listings so that a missing index file does not expose the contents).
9. Path disclosure
• So now let's take a look at http://localhost/sydjug/components/com_hello/views/hello/view.html.php
• Requesting the file directly runs it outside Joomla, and the PHP error that results prints the full filesystem path of the file.
10. How to protect?
• Make sure every PHP file checks for _JEXEC, which Joomla defines only when the file is loaded through index.php:
• <?php defined('_JEXEC') or die('Restricted access'); ?>
• <?php defined('_JEXEC') or die(''); ?> (the empty message variant discloses nothing at all)
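The two checks on slides 8 and 10 are easy to audit mechanically. The script below is an added example in Python, not code from the presentation or from Joomla: it walks a site tree and reports directories that have no index.html and PHP files whose opening lines carry no `defined('_JEXEC')` guard. The mini com_hello tree it builds in a temporary directory is constructed here for demonstration.

```python
# Added example (Python, not code from the presentation or from Joomla):
# audit a Joomla tree for the two disclosure issues above. Sample tree constructed.
import os
import re
import tempfile

# Matches either form of the guard shown on slide 10.
JEXEC_GUARD = re.compile(r"defined\(\s*['\"]_JEXEC['\"]\s*\)\s*or\s*die", re.IGNORECASE)


def dirs_without_index(root):
    """Directories under root (relative posix paths) with no index.html/index.htm."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        if not {"index.html", "index.htm"} & set(filenames):
            missing.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return missing


def php_without_jexec(root):
    """PHP files under root whose first 2 KB contain no _JEXEC guard."""
    unguarded = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = fh.read(2048)  # the guard belongs at the very top of the file
            if not JEXEC_GUARD.search(head):
                unguarded.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return unguarded


def build_sample_tree():
    """Constructed mini com_hello: a guarded file next to an index.html, and an
    unguarded model file in a models/ directory that has no index.html."""
    root = tempfile.mkdtemp(prefix="joomla_audit_")
    files = {
        "components/com_hello/index.html": "<!DOCTYPE html><title></title>\n",
        "components/com_hello/hello.php":
            "<?php\ndefined('_JEXEC') or die('Restricted access');\necho 'hello';\n",
        "components/com_hello/models/hello.php":
            "<?php\nclass HelloModelHello {}\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("no index.html:", dirs_without_index(root))
    print("no _JEXEC guard:", php_without_jexec(root))
```

Run it against a real site root instead of the constructed tree to get the list of directories and files to fix; the guard check only looks at the first 2 KB of each file, which is where the guard must sit to be of any use.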
11. SQL Injection
• Let's add some vulnerabilities to com_weblinks
• /components/com_weblinks/models/category.php
• Before:
  $id = JRequest::getVar('id', 0, '', 'int');
  $this->setId((int)$id);
  WHERE catid = '. (int) $this->_id. '
• After:
  $id = JRequest::getVar('id');
  $this->setId($id);
  WHERE catid = '. $this->_id.
• And delete return true; in _loadCategory()
• Each change removes one place where the id was forced to an integer, so whatever arrives in the id parameter now reaches the query unchanged.
• Now we have a vulnerable site to play with ☺
13. How to protect
• Never trust user input; always sanitise variables, for example by casting to int:
• (int)$catid
• A cast only works for values that must be numeric; string values need to be escaped through the database object's quote method before they are concatenated into a query.
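To see what the cast actually buys, here is the category query from slide 11 built both ways against SQLite. This is an added example in Python, not Joomla's code: `load_vulnerable` concatenates the request value as-is (the "after" code), `load_fixed` casts it first (the "before" code), and `php_int_cast` reproduces PHP's (int) cast of a string. The jos_weblinks rows are constructed here.

```python
# Added example (Python + SQLite, not Joomla's code): the category query from
# slide 11 with and without the (int) cast. The jos_weblinks rows are constructed.
import re
import sqlite3


def make_db():
    """Constructed sample data: two published links in catid 2, one unpublished, one in catid 5."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jos_weblinks (id INTEGER PRIMARY KEY, catid INTEGER, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO jos_weblinks VALUES (?, ?, ?, ?)", [
        (1, 2, "Joomla!", 1),
        (2, 2, "PHP", 1),
        (3, 4, "Unpublished draft", 0),
        (4, 5, "Private links", 1),
    ])
    return db


def php_int_cast(value):
    """Mimic PHP's (int) cast of a request string: leading integer, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def load_vulnerable(db, catid):
    """'After' code: WHERE catid = ' . $this->_id . ' with no cast."""
    sql = ("SELECT title FROM jos_weblinks WHERE catid = " + str(catid)
           + " AND published = 1 ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def load_fixed(db, catid):
    """'Before' code: WHERE catid = ' . (int) $this->_id . ' so only a number reaches SQL."""
    sql = ("SELECT title FROM jos_weblinks WHERE catid = " + str(php_int_cast(catid))
           + " AND published = 1 ORDER BY id")
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "2 OR 1=1 -- "     # what an attacker puts in &id=; the comment eats the published filter
    print(load_fixed(db, payload))        # ['Joomla!', 'PHP']
    print(load_vulnerable(db, payload))   # every row, published or not
```

With the payload `2 OR 1=1 -- ` the uncast query becomes `WHERE catid = 2 OR 1=1 -- AND published = 1`, so the comment marker removes the published filter and every row in the table comes back; the cast reduces the same payload to the number 2 before it touches the query.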
14. LFI – Local File Inclusion
• Let's add some vulnerable code to /components/com_weblinks/weblinks.php
• This code is vulnerable to local file inclusion because the controller input is not sanitised before it is used to build the path of the file that gets included.
15. LFI – Local File Inclusion
• http://localhost/sydjug/index.php?option=com_weblinks&controller=../../../tmp/test
• Look, I'm executing code that I shouldn't be (I created a test.php file with phpinfo just to demonstrate)
16. How to protect?
• Use getWord instead of getVar
• Check if the file exists
• By using the getWord function the controller variable is sanitised: everything except letters and underscores is filtered out, so dots and path separators never reach the include. The file_exists check also helps to protect from remote file inclusion, since a URL is not a local file. On its own, though, file_exists would not stop the inclusion of a local file that does exist, so the two checks belong together.
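The effect of those two checks on the request from slide 15, as an added example in Python rather than Joomla's code. The WORD filter is reproduced here as the regular expression Joomla's input filter uses (keep letters and underscores only); the realpath containment check in `resolve_hardened` is an addition beyond the slide's advice, included as defence in depth. The site tree, including the attacker's tmp/test.php three directories above controllers/, is constructed here.

```python
# Added example (Python, not Joomla's code): getWord + file_exists applied to
# the controller parameter from slide 15. Sample tree constructed below.
import os
import re
import tempfile

WORD_FILTER = re.compile(r"[^A-Za-z_]")  # JFilterInput 'WORD': keep [A-Za-z_]


def get_word(value):
    """Equivalent of JRequest::getWord(): drop everything except letters and '_'."""
    return WORD_FILTER.sub("", value)


def resolve_vulnerable(controllers_dir, requested):
    """Unsanitised: the request value goes straight into the include path."""
    path = os.path.join(controllers_dir, requested + ".php")
    return path if os.path.isfile(path) else None


def resolve_hardened(controllers_dir, requested):
    """getWord, then file_exists, then (addition beyond the slide) a realpath
    check that the chosen file really lives inside controllers_dir."""
    name = get_word(requested)
    if not name:
        return None
    path = os.path.join(controllers_dir, name + ".php")
    if not os.path.isfile(path):          # file_exists
        return None
    base = os.path.realpath(controllers_dir)
    if os.path.commonpath([base, os.path.realpath(path)]) != base:
        return None
    return path


def build_sample_tree():
    """Constructed: site root with com_weblinks/controllers/category.php and an
    attacker-planted tmp/test.php. Returns the controllers directory."""
    root = tempfile.mkdtemp(prefix="joomla_lfi_")
    for rel in ("components/com_weblinks/controllers/category.php", "tmp/test.php"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php phpinfo();\n" if rel.startswith("tmp")
                     else "<?php defined('_JEXEC') or die('Restricted access');\n")
    return os.path.join(root, "components", "com_weblinks", "controllers")


if __name__ == "__main__":
    ctl = build_sample_tree()
    probe = "../../../tmp/test"
    print(get_word(probe))                   # tmptest
    print(resolve_vulnerable(ctl, probe))    # .../tmp/test.php  (attacker's file)
    print(resolve_hardened(ctl, probe))      # None
    print(resolve_hardened(ctl, "category")) # .../controllers/category.php
```

The probe `../../../tmp/test` is flattened to `tmptest`, which maps to no controller, so the include never happens; a legitimate `category` still resolves. Note that `category.php` as a request value also fails, because the dot is stripped and `categoryphp.php` does not exist.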
19. Other security tips
• Always keep good, regular backups (I recommend Akeeba Backup)
• Never use the default database prefix jos_ (use Admin Tools Core from Akeeba to change it); injection payloads that guess table names such as jos_users rely on that default
20. Other security tips
• Always keep up with the current Joomla version (use Admin Tools Core to update)
• Never use 777 file permissions (use Admin Tools Core's fix permissions feature)
• Change the super admin user id from the default 62, which exploits tend to assume (use the Admin Tools Core Super Administrator ID feature to change it); it is also recommended to set user id 62's group to Registered and disable that user.
21. Other security tips
• Get a decent .htaccess file
• http://docs.joomla.org/Htaccess_examples_%28security%29
• Keep your extensions up to date (developers often release security fixes)
22. Other security tips
• Look at your website's cPanel error logs and raw access logs (they are interesting and sometimes scary). Both entries below are automated probes for a local file inclusion flaw: a controller or view parameter stuffed with ../ sequences to reach /proc/self/environ and terminated with a %00 null byte; the 404 status shows these particular requests failed.
• 77.221.130.18 - - [09/Aug/2011:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)"
• 77.222.40.87 - - [09/Aug/2011:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
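Reading raw access logs by eye does not scale, so here is the check a practitioner would script: an added example in Python, not part of the presentation, that parses common-log-format lines and flags the traversal pattern shown above. The first two sample lines are the ones quoted on the slide; the third is a constructed benign request for contrast. Component names are pulled from the option parameter so you can see which extension each probe was aimed at.

```python
# Added example (Python, not part of the presentation): pick LFI probes out of
# raw access log lines. Two lines are from the slide; the third is constructed.
import re
from urllib.parse import unquote

SAMPLE_LOG = r'''77.221.130.18 - - [09/Aug/2011:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)"
77.222.40.87 - - [09/Aug/2011:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
192.0.2.10 - - [09/Aug/2011:14:00:00 +1000] "GET /index.php?option=com_weblinks&view=category&id=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
'''

# Common log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
OPTION_RE = re.compile(r"[?&]option=(\w+)")


def traversal_indicators(raw_path):
    """Indicators of an LFI probe in a request path, checked after URL-decoding."""
    decoded = unquote(raw_path)
    hits = []
    if decoded.count("../") >= 2:
        hits.append("directory traversal")
    if "/proc/self/environ" in decoded:
        hits.append("/proc/self/environ read")
    if "\x00" in decoded:            # %00: the null-byte truncation trick
        hits.append("null byte")
    return hits


def scan(log_text):
    """One finding per suspicious line: source IP, targeted component, status, indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = traversal_indicators(m["path"])
        if not hits:
            continue
        opt = OPTION_RE.search(m["path"])
        findings.append({
            "ip": m["ip"],
            "component": opt.group(1) if opt else "",
            "status": int(m["status"]),
            "indicators": hits,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: the null byte only appears once `%00` is unquoted, and attackers routinely encode the dots and slashes as well. A 404 on one of these lines means the targeted component was not there to include anything; the same pattern with a 200 against a component you do have installed is the entry to investigate.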
23. Other security tips
• Set error reporting to “none” in your global configuration, so PHP errors do not hand visitors file paths or query fragments
• Be careful which file extension types you allow in the Media Manager; never allow anything the server would execute, such as .php
24. Other security tips
• Disable unused core extensions; that way, if a vulnerability is identified in the future in, say, com_banners, your site won't be at risk
25. Lessons
• Many extension development tutorials have security vulnerabilities in them.
• It only takes one insecure extension to make your site vulnerable.
• Security is an ongoing exercise; it's not just something you do when you initially set up your site.