Joomla Security and Vulnerability Scanning

June 29, 2012 by Irfan Shakeel

Thanks to recent advances in content management systems (CMS) and content management frameworks (CMF), blogs and websites have become the perfect platform for publishing online content tailored to any target audience. Almost anyone can create a blog for any purpose using a free or paid content management system. However, keeping a blog secure is not an easy job, because attackers generally know more about security than the average blogger or website owner. The security of a blog matters because it reflects the quality of your business, message, or content: an attacker who compromises your site can use the data gathered for malicious purposes, which degrades the value of your site. There are various techniques for breaking into a website, and OWASP (the Open Web Application Security Project) has catalogued the most dangerous methods and vulnerabilities. The preventive measures, however, are implemented differently on different platforms, and in this article I will discuss security on the Joomla platform, that is, how to secure a Joomla website.

Joomla is a free, open source content management framework that is very easy to install and use. As a result, numerous bloggers and website owners use Joomla to publish their content. So what are the best ways to secure a Joomla website or blog? Securing a Joomla-based website involves several steps, and in this article I will discuss vulnerability scanning techniques for Joomla, how to fix the vulnerabilities found, and how to implement the best security practices for Joomla.

Joomla Security Audit & Vulnerability Scanning

Security audits and vulnerability scans are the first step in determining how secure a web application is. Their results describe the current security status of the website or blog. Several tools are available for auditing the security of a Joomla website; some are designed specifically to audit Joomla, and a general website vulnerability scanner can also be used. Combining both kinds of tool increases the chances of finding what is really there.

OWASP Joomla Vulnerability Scanner:

Joomscan is a wonderful Perl script used to audit the security of a Joomla website, and the tool comes from the OWASP Joomla security project. The tool has some interesting features:

It can detect the version of Joomla
It can discover the known vulnerabilities of Joomla
It can detect a firewall and anti-scanning measures
It can fingerprint the components of Joomla

The quick scanning example is as follows:


root@bt:~/Desktop/joomla# perl joomscan.pl -u http://127.0.0.1/Joomla

=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================

Target: http://127.0.0.1/Joomla

Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9

## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ….. OK

## Detecting Joomla! based Firewall …

[!] No known firewall detected!

## Fingerprinting in progress …

~Generic version family ……. [1.5.x]

~1.5.x en-GB.ini revealed [1.5.12 – 1.5.14]

* Deduced version range is : [1.5.12 – 1.5.14]

## Fingerprinting done.

## 7 Components Found in front page ##

com_content     com_newsfeeds
com_weblinks     com_user     com_mailto
com_banners     com_poll

Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes


#39
Info -> Component: Joomla Component com_djartgallery Multiple Vulnerabilities
Versions Affected: 0.9.1 <=
Check: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Exploit: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Vulnerable? N/A

There are 6 vulnerable points in 39 found entries!

~[*] Time Taken: 32 sec
~[*] Send bugs, suggestions, contributions to joomscan@yehg.net

Looking at the scan result above, we can see that the target has no anti-scanner measures or firewall, and that Joomscan has successfully discovered the version, server software, components, and known vulnerabilities of the site.

CMS Explorer

CMS Explorer has been designed to explore a content management system by detecting the module, plugins, and components of the CMS. CMS Explorer can be used as a vulnerability scanner tool because it provides an option to search the OSVDB (Open Source Vulnerability Database) to find any known vulnerabilities on the CMS. Additionally, CMS Explorer is capable of scanning multiple content management systems (including Joomla) while keeping the requirements for use very simple; all you need to have is the CMS Explorer script and the OSVDB API key.

The procedure to get the OSVDB key is listed below:

Go to the OSVDB website and create an account.
Activate your account via email link, and then login to your account.
Go to the OSVDB API page and get your API key.
Locate the directory where you saved CMS Explorer and create a blank file there named “osvdb.key”.
Put your API key in osvdb.key and save it.

CMS Explorer is now ready to scan the website; since the tool has multiple features, it can enumerate the themes, plugins, and components. The simple scan below only explores the specified target:


root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://127.0.0.1/Joomla -explore -type joomla

*******************************************************
Beginning run against http://127.0.0.1/Joomla/…
Testing themes from joomla_themes.txt…
Theme Installed:        templates/beez/
Theme Installed:        templates/ja_purity/
Theme Installed:        templates/rhuk_milkyway/
Theme Installed:        templates/system/
Testing plugins…
Plugin Installed:        components/com_banners/
Plugin Installed:        components/com_contact/
Plugin Installed:        components/com_content/
*******************************************************
Requesting files…

*******************************************************
Summary:
Theme Installed:        templates/beez/
    URL            http://127.0.0.1/Joomla/templates/beez/
Theme Installed:        templates/ja_purity/

Since it is not our objective to find the components and theme of the target, we can tailor our scan to focus on the vulnerabilities of the target. To accomplish this task we need to use the OSVDB key.


root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://127.0.0.1/Joomla -type joomla -osvdb

Summary:
Theme Installed:        templates/beez/
    URL            http://127.0.0.1/Joomla/templates/beez/
Theme Installed:        templates/ja_purity/
    URL            http://127.0.0.1/Joomla/templates/ja_purity/
    http://osvdb.org/54870    Joomla! JA_Purity Module ja_templatetools.php Multiple Parameter XSS
Theme Installed:        templates/rhuk_milkyway/
    URL            http://127.0.0.1/Joomla/templates/rhuk_milkyway/
Theme Installed:        templates/system/
    URL            http://127.0.0.1/Joomla/templates/system/
    http://osvdb.org/22116    TinyMCE Compressor tiny_mce_gzip.php Traversal Arbitrary File Access
    http://osvdb.org/22117    TinyMCE Compressor Editor Imported Content XSS
    http://osvdb.org/23816    Joomla! Poll System mosmsg Variable Malformed HTML Tag DoS
    http://osvdb.org/50906    Volunteer Management System Component for Joomla index.php job_id Parameter SQL Injection
    http://osvdb.org/50947    Hotel Booking System Component for Joomla index.php Multiple

Look at the output above and note the many vulnerabilities the scanner has associated with the target. By performing a security audit we were able to identify the security status of our Joomla website. Now the question arises: what are the best ways to secure our Joomla website? This is discussed in the second section of this article, below.

Secure Joomla Installation
The very first step in creating a secure Joomla website or blog is to choose the right platform (web server) and to follow the proper installation method. If you have a budget and really want an extra layer of security, shared hosting is not a good idea, because with shared hosting many websites share the same server, which creates a security risk. So if you can afford it, go for a dedicated server or a virtual private server (VPS). When choosing a hosting company, read some customer reviews, because the reputation of the company gives an idea of its effectiveness. Make sure the hosting company keeps its web server software up to date.

The next step is to get Joomla and install it on the web server. Many web hosting companies and forums provide a one-click installer script for this popular content management system. This is the easiest way to install Joomla, but it is not recommended from a security point of view. The best practice is to download Joomla from the official website (not from any other website) and upload it to the web server via FTP. Create a MySQL database for the Joomla installation and choose a strong password for it. Then open the Joomla installation directory in your browser. The installation process is very simple: just follow the procedure. But to create a secure Joomla website, you need to be careful about these points:

Never use the default administrator name, which is admin.
Never use the default table prefix of Joomla, which is jos_.
Do not forget to delete the installation directory of Joomla after successful installation.
Always protect the important files and directories, for example the Joomla administrator panel and the configuration.php file, which contains vital information about the database.
Use the htaccess file and some good extensions to increase the security.

Security of Joomla Website by Htaccess

Htaccess is a per-directory configuration file for web servers that run Apache as their server software. It is a very powerful file that can control much of the server's behaviour. .htaccess is a hidden file that should already be present in the root directory of your site; if it is not, you can create it, but make sure the file is named exactly “.htaccess” (yes, it starts with a dot). Since .htaccess can do so many things, in this section I will only discuss the security aspects of an .htaccess file for Joomla.

You can protect the administrative area using different techniques. For example, you can restrict it by IP address (in this case you need to create an .htaccess file in the administrator directory):

order deny,allow
allow from 116.71.18.189
deny from all

Remember, if your ISP assigns dynamic IP addresses, this technique is not a good idea, since your IP address may change at any time. To prevent directory listing (an attacker may read important files off the server, and a directory listing always helps an attacker learn about the security practices of a website), add the lines below to the .htaccess file in your root:

IndexIgnore *
Options -Indexes

Another best practice is to disable the server signature, because it reveals the web server software and its version. Add this line to the .htaccess file to disable the server signature (note that this only removes the signature from server-generated pages such as error pages; the Server response header that Joomscan reported above is controlled by ServerTokens, which cannot be set in .htaccess):

ServerSignature Off

Another important step is to secure the .htaccess file itself so that nobody can read it in a browser. To do this, add these lines to the .htaccess file:


<Files .htaccess>
order allow,deny
deny from all
</Files>

configuration.php is a very important file because it contains the website's database credentials and other sensitive settings. So you need to secure configuration.php by using the .htaccess file:


<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>
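A defender's self-check that walks the installation points listed earlier together with the .htaccess rules of this section, as an added example that is neither part of this article nor of Joomscan. It assumes a local copy or mount of the Joomla web root and a POSIX shell with grep; the function name and the list of checks are mine:

```shell
#!/bin/sh
# Hypothetical self-check (not from the article or Joomscan) for a Joomla web root.
# It verifies the hardening points discussed above: installation/ removed, htaccess.txt
# renamed (Joomscan finding #1), directory listing and server signature disabled,
# .htaccess and configuration.php shielded, and an .htaccess present in administrator/.
# Usage: joomla_hardening_check /path/to/public_html   (prints findings, returns failure count)

joomla_hardening_check() {
    root=$1
    ht="$root/.htaccess"
    fails=0

    # check DESCRIPTION COMMAND...: runs COMMAND, prints OK/FAIL and counts failures
    check() {
        desc=$1; shift
        if "$@"; then
            printf 'OK   %s\n' "$desc"
        else
            printf 'FAIL %s\n' "$desc"
            fails=$((fails + 1))
        fi
    }
    # Predicates used by the checks; grep is case-insensitive because Apache directives are.
    has_directive() { grep -qi -- "$1" "$2" 2>/dev/null; }
    absent()        { [ ! -e "$1" ]; }

    check "installation/ directory deleted after install"         absent "$root/installation"
    check "htaccess.txt renamed to .htaccess (Joomscan #1)"       absent "$root/htaccess.txt"
    check ".htaccess present in web root"                         test -f "$ht"
    check "directory listing disabled (Options -Indexes)"         has_directive 'Options -Indexes' "$ht"
    check "server signature disabled (ServerSignature Off)"       has_directive 'ServerSignature Off' "$ht"
    check ".htaccess itself shielded (<Files .htaccess>)"         has_directive '<Files .htaccess>' "$ht"
    check "configuration.php shielded (FilesMatch block)"         has_directive 'FilesMatch "configuration.php"' "$ht"
    check "administrator/ has its own .htaccess (IP restriction)" test -f "$root/administrator/.htaccess"

    printf '%d of 8 hardening checks failed\n' "$fails"
    return "$fails"
}
```

Run it against a staging copy of the site after each change; a non-zero exit status means at least one of the points above is still open.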

Since various security risks are associated with the configuration.php file, the adjustments above are not enough. For maximum security, you need to move configuration.php outside public_html. But how? If you simply move the configuration.php file, your website might crash.

How to Move the Configuration.php Outside the public_html Joomla

Below is a procedure, tested on Joomla 1.5, for moving the configuration.php file outside public_html.
In the first step, create a directory in your home directory (outside public_html). Suppose the directory name is irfan:

Download configuration.php and keep a backup of it.
Delete the current configuration.php from the Joomla folder (in public_html). Remember, when you delete it your website might crash, and the error will read:

Go to the folder created in the first step.
Upload configuration.php into that folder.

Open the Joomla file includes/defines.php and replace the line define('JPATH_CONFIGURATION', JPATH_ROOT); with define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../rootfoldername'); If Joomla is installed in a subdirectory, replace it instead with define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../../'.DS.'rootfoldername'); (the name is case sensitive, so be sure to use the proper capitalization).
Remember, the rootfoldername is the name of the folder that we have created in the first step (which is irfan in this case study).
Repeat the same step for: administrator/includes/defines.php.
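The relocation procedure above, scripted for the case where the private directory is a sibling of public_html (the '../rootfoldername' layout). This is an added example, not the article's own method or Joomla code; the function name, the backup file name and the whitespace-tolerant sed pattern are my assumptions:

```shell
#!/bin/sh
# Hypothetical helper (not from the article) that carries out the configuration.php move for a
# Joomla 1.5 tree: back the file up, move it into a directory outside public_html, and point
# both defines.php files at the new location, as the steps above describe.
# Usage: move_joomla_config /path/to/public_html /path/to/private_dir
#   public_html must contain includes/defines.php and administrator/includes/defines.php;
#   private_dir must be a sibling of public_html (the "../rootfoldername" layout).

move_joomla_config() {
    webroot=$1
    private=$2
    folder=$(basename "$private")
    cfg="$webroot/configuration.php"

    [ -f "$cfg" ] || { echo "no configuration.php in $webroot" >&2; return 1; }
    # The folder name is spliced into a sed replacement, so refuse sed-special characters.
    case $folder in *'&'*|*'|'*|*'\'*) echo "unsupported directory name: $folder" >&2; return 1;; esac
    mkdir -p "$private" || return 1

    # Steps 1-4: keep a backup, then take the file out of public_html. The backup also lives
    # outside the web root, so it can never be served to a browser as plain text.
    cp "$cfg" "$private/configuration.php.bak" || return 1
    mv "$cfg" "$private/configuration.php" || return 1

    # Steps 5-7: repoint JPATH_CONFIGURATION in both defines.php files. The pattern tolerates
    # the spacing Joomla 1.5 uses inside define(); the replacement is the article's value.
    for f in "$webroot/includes/defines.php" "$webroot/administrator/includes/defines.php"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        sed "s|define([[:space:]]*'JPATH_CONFIGURATION',[[:space:]]*JPATH_ROOT[[:space:]]*);|define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../$folder');|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f" || return 1
        grep -qF "JPATH_ROOT.DS.'../$folder'" "$f" \
            || { echo "JPATH_CONFIGURATION not rewritten in $f" >&2; return 1; }
    done
    echo "configuration.php now lives in $private; both defines.php files updated"
}
```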

Now the website is ready and secure.

Conclusion
Since the Internet is not a very safe place, you need to take a personal interest in the security of your website. So if you’re using the Joomla platform, be sure to implement the best security practices available if you want to remain secure.

Irfan Shakeel is the founder and CEO of ehacking.net, an engineer, penetration tester, and security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled “Hacking from Scratch”. He loves to provide training and consultancy services and works as an independent security researcher.