Joomla is a
well-known, widely used open source CMS. According to their website, 2.7
percent of the Web is running on Joomla. Its small download size, easy
installation and easy to use interface make it a top choice for a fast development
of a website. If you also add the fact that it runs on a PHP/MySQL environment
and that it supports a wide variety of plugins, you can see why Joomla is so
appreciated.
I have recently
used Joomla for a website I was developing these past few months. I must say
that if you are thinking of using it to deploy a website fast and easily I would
recommend it. However, it is my personal opinion that to get a great look and
feel, as well as to add some more complex functionality, you need some
basic CSS/HTML/PHP knowledge. For more complex functionality you will
sometimes actually need to go into the source code, which entails a good if not excellent
understanding of PHP. The good part is that, being open source, there is
detailed documentation as well as a large community which can help you if you
run into any problems.
While I was
working on the website I discovered a very interesting bug which turned out to
be a very big security flaw. Note that this applies if you have more than one
user with admin privileges or which can access the global configuration
component in the administrator backend.
The Joomla installation I was working
on was installed by somebody else within my organization. As such I was given
admin access so that I could develop the website. When I went to the Global Configuration page I noticed that Firefox kept asking me to save my password. I
initially refused, as I do not allow any browser to save any of my passwords
(hence why I use KeePass). After some
time I started to wonder why this component would be asking me to save a password
(since I did not enter any), so using Firebug I searched through the DOM. I
found the following DOM element, used to store the password for the SMTP server
of the super-admin. And sure enough, the password was stored as plain text in
the value attribute of the DOM element.
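What the Firebug search above turns up by hand can be automated. The following is an added example (not Joomla code, and not from the original post): it scans the HTML of a rendered admin form for password inputs whose value attribute echoes a stored secret back to the browser. The sample form and its field names (smtphost, smtpuser, smtppass and so on) are constructed for illustration and are not claimed to match Joomla's real Global Configuration markup; in a browser the same finding is a one-liner, `document.querySelector('input[type=password]').value`, run from the developer console.

```javascript
// Added example, not Joomla code: detect password fields that echo a secret
// back to the browser in their value attribute. The form below is constructed
// for illustration; the field names are assumptions, not Joomla's own.
const SAMPLE_HTML = `
<form id="adminForm">
  <input type="text" name="smtphost" value="mail.example.org">
  <input type="text" name="smtpuser" value="superadmin@example.org">
  <input type="password" name="smtppass" value="s3cr3t-smtp">
  <input type="password" name="newpass" value="">
  <input type="password" name="otherpass" placeholder="unchanged">
</form>`;

// Extract every <input ...> tag and return its attributes as an object.
// Attribute values may be double-quoted, single-quoted or bare.
function parseInputs(html) {
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const inputs = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    // exec() resets lastIndex to 0 once it returns null, so attrRe can be reused.
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4] ?? '';
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Report password inputs whose value attribute is non-empty. A correctly built
// settings page renders password fields with an empty value (or no value at all)
// and only updates the stored secret when the user submits a new one.
function findEchoedSecrets(html) {
  return parseInputs(html)
    .filter(i => (i.type || '').toLowerCase() === 'password' && (i.value || '') !== '')
    .map(i => ({ name: i.name, value: i.value }));
}

// Usage: list every leaked field in the constructed sample form.
for (const hit of findEchoedSecrets(SAMPLE_HTML)) {
  console.log(`password echoed in field "${hit.name}"`);
}
```

The check only flags fields that carry a value; the empty `newpass` field and the `otherpass` field that uses a placeholder pass. Running it against the saved HTML of an admin page (or wiring it into a test that fetches the page as a low-privileged admin) catches exactly the pattern described above: a secret the user never typed being shipped to every browser that can open the form.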
Now let’s do some basic logic: how
many of you use a different password for the SMTP, IMAP/POP3 and webmail
interfaces? Probably very few. So using this I managed to get complete
access to the super-admin’s mail application. Using these credentials I could actually
have got access to the entire system used by our organization. Of course I did not
really access it; rather, I sent the super-admin a message to tell him what I had found.
Anyway,
super-admins, take care. Even if you use different passwords, another admin can
still get access to your SMTP account, which means he can send spam using your
credentials. The only solution that I see (other than an update by Joomla) is
to restrict access to the Global Configuration component to super-admins only.