making joomla insecure - explaining security by breaking it

Making Joomla! insecure

Sydney JUG 09/08/2011

Presented by Tim Plummer

www.tamlyncreative.com.au/software

Test scenario

• Joomla 1.5.23 with com_hello (Hello World)

component installed

• http://joomlacode.org/gf/download/frsreleas

e/8111/29436/com_hello4_01.zipe/8111/29436/com_hello4_01.zip

What version of Hello World are you

running?• http://localhost/sydjug/administrator/components/com_hello/install.xml

How to protect?

• Password protect administrator folder in

cpanel

How to password protect in cpanel?

1. Create user

2. Select user

3. Password protect this directory

So what web server & PHP version do

you use?

• Now lets look at http://localhost/sydjug/components/com_hello/models/

How to protect?

• Make sure every directory has an index.html

file (or have a rule in your .htaccess to protect

you)

Path disclosure

• So now let’s take a look at• http://localhost/sydjug/components/com_hello/views/hello/view.html.php

How to protect?

• Make sure every php file checks for _JEXEC

• <?php defined('_JEXEC') or die('Restricted access'); ?>

• <?php defined('_JEXEC') or die(‘'); ?>

SQL Injection

• Lets add some vulnerabilities to com_weblinks

• /components/com_weblinks/models/category.php

• Before After• Before After

• $id = JRequest::getVar('id', 0, '', 'int'); $id = JRequest::getVar('id');

• $this->setId((int)$id); $this->setId($id);

• WHERE catid = '. (int) $this->_id. ' WHERE catid = '. $this->_id.

• And delete return true; in _loadCategory()

• Now we have a vulnerable site to play with ☺

SQL injection

• http://localhost/sydjug/index.php?option=com_weblinks&vie

w=category&id=1+CENSORED_I’M_NOT_GOING_TO_SHOW_Y

OU_HOW_TO_DO_SQL_INJECTION

How to protect

• Never trust user input, always sanitize

variables, for example casting as int

• (int)$catid

LFI – Local File Inclusion

• Let’s add some vulnerable code to

/components/com_weblinks/weblinks.php

• This code is vulnerable to the local file include

vulnerability as the input is not sanatised.

LFI – Local File Inclusion

• http://localhost/sydjug/index.php?option=com_weblinks&controller=../../../tmp/test

• Look, I’m executing code that I shouldn’t be (I created a test.php file with phpinfo just to

demonstrate)

How to protect?

• Use getWord instead of getVar

• Check if file exists

• As you can see, by using the getWord function the controller variable will be sanitised and will filter out everything except for letters and underscores. Also the file_exists also helps to protect from remote file inclusion.

XSS - Cross-site scripting

• http://jeffchannell.com/Joomla/joomla-

jfilterinput-xss-bypass.html

Other security tips

• Always have a good regular backups (I

recommend Akeeba Backup)

• Never use default database prefix jos_ (use

Admin Tools Core from Akeeba to change) Admin Tools Core from Akeeba to change)

Other security tips

• Always keep up with current Joomla version

(use Admin Tools core to update)

• Never use 777 file permission (use Admin

Tools Core fix permissions)Tools Core fix permissions)

• Change super admin user id from default 62

(Use Admin Tools Core Super Administrator ID

to change) – also recommended to set user id

62’s group to registered and disable user.

Other security tips

• Get a decent .htaccess file• http://docs.joomla.org/Htaccess_examples_%28security%29

• Keep your extensions up to date (developers

often release security fixes)often release security fixes)

Other security tips

• Look at your website cpanel error logs/raw

access logs (they are interesting and

sometimes scary)

• 77.221.130.18 - - [09/Aug/2011:08:54:59 +1000] "GET

/index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-"

"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)“

• 77.222.40.87 - - [09/Aug/2011:13:28:02 +1000] "GET

//index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613

"-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"

Other security tips

• Set error reporting to “none” in your global config

• Be careful what file extension types you allow in media manager

Other security tips

• Disable unused core extensions, this way in

future if a vulnerability is identified in say

com_banners, your site wont be at risk

Lessons

• Many extension development tutorials have

security vulnerabilities in them.

• It only takes one insecure extension to make

your site vulnerable.your site vulnerable.

• Security is an ongoing exercise, it’s not just

something you do when you initially set up

your site