Joomla is a popular Content Management System (CMS) used to build and manage websites. With over 2.3 million live websites at the time of writing, it is the second most popular CMS platform at around 5% market share, behind only WordPress with a whopping 27 million live sites and 35% market share. (Read more about AppCheck and WordPress here).
Joomla is free and open source, and it has a large ecosystem of third-party extensions (components, modules, plug-ins and templates) that users can download and install alongside the core.
A recent report ranked Joomla third among the most hacked website platforms in 2018.
Below are some common classes of vulnerability found in Joomla sites that you should be looking out for in your own Joomla website.
Injection first. Did you think you would read a list of common vulnerabilities and not see number one on the OWASP Top 10?
Many injection vulnerabilities have been reported in Joomla core and in its extensions, SQL injection above all, and there are far too many to name here.
All we will say is: be especially vigilant, treat every piece of user-supplied input as untrusted, validate it, and never build database queries by concatenating it into a string.
Cross-Site Scripting (XSS) is another entry from the OWASP Top 10, and one many are familiar with. It is often thought of as targeting users rather than the application itself, although some more elaborate attacks target non-browser consumers of web content (think Electron applications).
Again, there are too many prior vulnerabilities and ways to exploit a Joomla website through XSS to cover in this overview post, but have a look at our post on a historical Joomla security flaw for some ideas on how attackers exploit websites with this technique.
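The two input-handling classes above, injection and XSS, come down to where untrusted data ends up: in a query, or in a page. The following is an added example, not Joomla's or AppCheck's code. A hypothetical search handler is shown twice over a constructed in-memory SQLite table standing in for a Joomla users table: once with string-concatenated SQL and raw HTML output, and once with a parameterised query and context-appropriate output encoding. The table name, column names and sample rows are assumptions made for the example.

```python
"""Injection and XSS in one search handler: vulnerable and hardened versions.

Added example (not Joomla code). An in-memory SQLite table stands in for a
Joomla users table, and a hypothetical search handler renders matches as
HTML, so both the SQL sink and the HTML sink are visible in one place.
"""
import html
import sqlite3
from typing import Tuple

# Constructed sample rows; the schema is an assumption for the example.
SAMPLE_USERS = [
    ("admin", "admin@example.invalid"),
    ("editor", "editor@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create the constructed users table in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> str:
    """Concatenated SQL plus unescaped HTML: both injection points are open."""
    rows = conn.execute(
        "SELECT username, email FROM users WHERE username = '" + term + "'"
    ).fetchall()
    items = "".join(f"<li>{u} ({e})</li>" for u, e in rows)
    return f"<p>Results for {term}:</p><ul>{items}</ul>"


def search_hardened(conn: sqlite3.Connection, term: str) -> str:
    """Validate the input, bind it as a parameter, and encode it for HTML."""
    if len(term) > 64:
        # Length limit as a simple validation step; reject rather than truncate.
        raise ValueError("search term too long")
    rows = conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (term,)
    ).fetchall()
    items = "".join(
        f"<li>{html.escape(u)} ({html.escape(e)})</li>" for u, e in rows
    )
    # quote=True also encodes quotes, so the term is safe inside attributes too.
    return f"<p>Results for {html.escape(term, quote=True)}:</p><ul>{items}</ul>"


def compare(term: str) -> Tuple[str, str]:
    """Run the same attacker-controlled term through both handlers."""
    conn = make_db()
    return search_vulnerable(conn, term), search_hardened(conn, term)


if __name__ == "__main__":
    # Classic tautology: the vulnerable handler dumps every row, the hardened
    # one searches literally for a user named "x' OR '1'='1" and finds none.
    vuln, safe = compare("x' OR '1'='1")
    print("SQLi leaked admin email:", "admin@example.invalid" in vuln,
          "/ hardened:", "admin@example.invalid" in safe)
    # Reflected XSS: the term is echoed straight into the page by the
    # vulnerable handler and neutralised by html.escape in the hardened one.
    vuln, safe = compare("<script>alert(1)</script>")
    print("raw <script> in output:", "<script>" in vuln, "/ hardened:", "<script>" in safe)
```

In a real Joomla extension the equivalent of the parameter binding is the database layer's `quote()` / `quoteName()` helpers (and `bind()` in Joomla 4), and the equivalent of `html.escape` is PHP's `htmlspecialchars()` applied at the point of output. The same two payloads are a quick manual check against any search or filter field on a site.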
Privilege escalation is the next one to watch for. An attacker who gains a foothold on your website may be able to bypass the usual account restrictions and boost their permissions to perform actions that would normally be denied to them. Yes, this can include administrative actions such as editing other users and even changing their passwords. It can be triggered by numerous underlying flaws; even a SQL injection can lead to privilege escalation.
Simple ways to help prevent this include keeping the number of privileged log-ins very small and keeping every account's permissions to the minimum it needs.
Ask yourself whether a process really needs that level of permission to run. Enable two-factor authentication and keep systems up to date.
Security misconfiguration happens. Production environments do not always match UAT, and differences creep in between the two. Guides for getting a site live do not always go into full depth on the security controls and concerns involved.
If you have a vulnerability scanner, make sure to scan in production as well as in test, since it is the production configuration that attackers see.
Ensure your configuration is suitable for production: debugging and verbose error reporting off, HTTPS enforced, and no default or development settings left behind. Consider using deployment tools such as Salt, Fabric or Puppet to deploy your applications and manage your environments. This gives you a consistent install based upon a known playbook and allows you to better track configuration.
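Joomla keeps its global settings as `public $name = 'value';` lines in `configuration.php`, which makes a production-readiness check easy to automate. The following is an added example, not Joomla's or AppCheck's code: it parses those lines and flags a handful of well-known development-only or weakening settings (`debug`, `debug_lang`, `error_reporting`, `force_ssl`, `secret`). The two sample configuration files are constructed, and the rule list is illustrative rather than complete.

```python
"""Flag Joomla configuration.php settings that are not production-suitable.

Added example (not Joomla or AppCheck code). Joomla writes its global
configuration as a PHP class whose properties look like
    public $debug = '0';
so a small regex is enough to read the scalar values back out.
"""
import re
from typing import Dict, List

# Matches  public $name = 'value';  /  public $name = "value";  /  public $name = 0;
SETTING_RE = re.compile(
    r"""^\s*public\s+\$(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^;]+));""", re.M
)

# Constructed sample: a configuration.php as often left after development.
WEAK_CONFIG = """<?php
class JConfig {
    public $offline = '0';
    public $sitename = 'Example Site';
    public $debug = '1';
    public $debug_lang = '0';
    public $error_reporting = 'maximum';
    public $force_ssl = 0;
    public $secret = '';
    public $session_handler = 'database';
}
"""

# Constructed sample: the same file with production-suitable values.
HARDENED_CONFIG = """<?php
class JConfig {
    public $offline = '0';
    public $sitename = 'Example Site';
    public $debug = '0';
    public $debug_lang = '0';
    public $error_reporting = 'none';
    public $force_ssl = '2';
    public $secret = 'Xk3pQ9vL2mN8rT5wB7yH4jF6dS1aG0cE';
    public $session_handler = 'database';
}
"""


def parse_config(php: str) -> Dict[str, str]:
    """Return the scalar settings of a Joomla configuration.php as strings."""
    settings: Dict[str, str] = {}
    for match in SETTING_RE.finditer(php):
        name, single, double, bare = match.groups()
        if single is not None:
            settings[name] = single
        elif double is not None:
            settings[name] = double
        else:
            settings[name] = bare.strip()
    return settings


def check_production(settings: Dict[str, str]) -> List[str]:
    """Return a finding per setting that should not be live in production."""
    findings: List[str] = []
    if settings.get("debug", "0") != "0":
        findings.append("debug is on: queries and stack traces are shown to visitors")
    if settings.get("debug_lang", "0") != "0":
        findings.append("debug_lang is on: language debugging output is exposed")
    if settings.get("error_reporting", "default") in ("maximum", "development"):
        findings.append("error_reporting is verbose: PHP errors disclose paths and code")
    if settings.get("force_ssl", "0") != "2":
        # 0 = none, 1 = administrator only, 2 = entire site
        findings.append("force_ssl is not 2: site and/or administrator served over HTTP")
    if len(settings.get("secret", "")) < 16:
        findings.append("secret is empty or short: weakens session and CSRF tokens")
    return findings


def audit_file(path: str) -> List[str]:
    """Read a real configuration.php from disk and return its findings."""
    with open(path, encoding="utf-8") as handle:
        return check_production(parse_config(handle.read()))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_production(parse_config(text)))
```

Point `audit_file()` at the `configuration.php` of the live site (not the UAT copy) and run it as part of the deployment pipeline, so that a debug flag flipped on during troubleshooting cannot quietly ride into production.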
Outdated software is next. In 2018 a report found that around 87.5% of compromised Joomla websites were not running the most recent recommended version at the point of infection.
This is one of the easier risks to manage and can save a lot of headaches. If your website is externally managed, do not be afraid to check with your web developers that the latest version is deployed and that all extensions are up to date.
As above, get into the habit of maintaining applications with deployment tools rather than by hand.
Third-party themes and plug-ins deserve their own mention. Downloading off-the-shelf extensions is massively handy and saves time, but they can lead to more trouble than they are worth: once an extension stops being updated, it can become vulnerable fast.
When looking at installing an add-on created by others, do not stop at checking that it is popular; research whether there have been prior security alerts for it and whether it is still being actively maintained.
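Checking core and extension versions does not need the administrator UI: Joomla records its own version in `administrator/manifests/files/joomla.xml`, and every installed extension carries a manifest XML with `<name>` and `<version>` elements. The following is an added example, not Joomla's or AppCheck's code, that reads those manifests and compares them against a table of latest known versions, flagging both outdated entries and extensions with no known current release (a sign they may no longer be maintained). The manifest contents, the extension names and the "latest known" table are all constructed for the example; in practice the table would come from the vendors or the Joomla Vulnerable Extensions List.

```python
"""Audit a Joomla install's core and extension versions against known releases.

Added example (not Joomla or AppCheck code). Joomla's core version lives in
administrator/manifests/files/joomla.xml and each extension's version in its
own manifest, so an operator can read them straight off disk.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed manifest contents keyed by the path they would be read from.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "administrator/manifests/files/joomla.xml": """
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.9.10</version>
</extension>""",
    "plugins/system/examplecache/examplecache.xml": """
<extension version="3.1" type="plugin" group="system" method="upgrade">
    <name>plg_system_examplecache</name>
    <version>1.2.0</version>
</extension>""",
    "administrator/components/com_exampleforms/exampleforms.xml": """
<extension type="component" version="3.1" method="upgrade">
    <name>com_exampleforms</name>
    <version>4.0.1</version>
</extension>""",
    "modules/mod_examplefeed/mod_examplefeed.xml": """
<extension type="module" version="3.1" client="site" method="upgrade">
    <name>mod_examplefeed</name>
    <version>0.9.3</version>
</extension>""",
}

# Hypothetical latest-known versions; mod_examplefeed is deliberately absent.
LATEST_KNOWN: Dict[str, str] = {
    "files_joomla": "3.9.27",
    "plg_system_examplecache": "1.2.0",
    "com_exampleforms": "4.2.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.9.10' or '4.0.0-beta1' into a comparable tuple of integers."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def read_manifest(xml_text: str) -> Tuple[str, str]:
    """Return (name, version) from a Joomla extension manifest."""
    root = ET.fromstring(xml_text.strip())
    name = root.findtext("name") or ""
    version = root.findtext("version") or ""
    return name.strip(), version.strip()


def audit(manifests: Dict[str, str], latest: Dict[str, str]) -> List[str]:
    """One finding per outdated extension and per extension with no known release."""
    findings: List[str] = []
    for path, xml_text in manifests.items():
        name, installed = read_manifest(xml_text)
        newest = latest.get(name)
        if newest is None:
            findings.append(f"{name} ({path}): no known current release; check it is maintained")
        elif parse_version(installed) < parse_version(newest):
            findings.append(f"{name} ({path}): {installed} installed, {newest} available")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFESTS, LATEST_KNOWN):
        print(line)
```

To run this against a real install, replace `SAMPLE_MANIFESTS` with the contents of `administrator/manifests/files/joomla.xml` plus the manifests found under `administrator/components/*/`, `components/*/`, `modules/*/`, `administrator/modules/*/`, `plugins/*/*/` and `templates/*/`, and feed the result into whatever ticketing or deployment tooling you already use so that an outdated version becomes a tracked task rather than a surprise.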
The above list is by no means exhaustive and represents just a handful of the ways your Joomla website can be exploited. If there were no surprises above and you feel on top of vulnerability management, then hopefully this article has at least provided some peace of mind. Either way, if you would like a free vulnerability scan of your Joomla website, please get in touch.
See how AppCheck helps identify vulnerabilities in Joomla websites below.
Although AppCheck is platform agnostic, the product includes a range of scan templates to target specific CMS platforms and their known vulnerabilities. Below are a few features of the AppCheck vulnerability scanner to help you identify vulnerabilities within your Joomla website:
Of course, AppCheck scans for thousands of known vulnerabilities, and the full set of tests is included in each licence, with unlimited users and unlimited back-to-back scans, helping to ensure vulnerabilities are identified so that you can start working on fixes as soon as possible.
Read more on AppCheck’s approach to vulnerability testing here: http://appcheck-ng.com/our-approach/
As always, if you require any more information on this topic or want to see how AppCheck can help find your Joomla vulnerabilities then please get in contact with us: info@localhost
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).