Tuesday, January 24, 2012

Security issue with Joomla 1.6


Joomla is a well-known, widely used open source CMS. According to their website, 2.7 percent of the Web is running on Joomla. Its small download size, easy installation and easy-to-use interface make it a top choice for fast development of a website. If you also add the fact that it runs on a PHP/MySQL environment and that it supports a wide variety of plugins, you can see why Joomla is so appreciated.

I have recently used Joomla for a website I was developing these past few months. I must say that if you are thinking of using it for deploying a website fast and easily, I would recommend it. However, it is my personal opinion that to get a great look and feel, as well as to add some more complex functionality, you will need some basic CSS/HTML/PHP knowledge. For more complex functionality you will sometimes actually need to go into the source code, which requires a good if not excellent understanding of PHP. The good part is that, being open source, there is detailed documentation as well as a large community which can help you if you run into any problems.

While I was working on the website I discovered a very interesting bug which turned out to be a very big security flaw. Note that this applies if you have more than one user with admin privileges, or more than one user who can access the Global Configuration component in the administrator backend.

The Joomla installation I was working on was installed by somebody else within my organization. As such, I was given admin access so I could develop the website. When I went to the Global Configuration page I noticed that Firefox kept asking me to save my password. I initially refused, as I do not allow any browser to save any of my passwords (hence why I use KeePass). After some time I started to wonder why this component would ask me to save a password (since I had not entered any), so using Firebug I searched through the DOM. I found the following DOM element used to store the password for the SMTP server of the super-admin. And sure enough, the password was stored as plain text in the value attribute of the DOM element.

Now let's do some basic logic: how many of you use a different password for the SMTP, IMAP/POP3 and webmail interfaces? Probably very few. So using this, I could have had complete access to the super-admin's mail application. Using these credentials I could actually have got access to the entire system used by our organization. Of course I did not really access it; rather, I sent the super-admin a message to tell him what I had found.

Anyway, super-admins, take care. Even if you use different passwords, another admin can still get access to your SMTP account, which means he can send spam using your credentials. The only solution that I see (other than an update by Joomla) is to restrict access to the Global Configuration component to the super-admin only.
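The pattern that produces this leak, and a hardened version, as an added PHP example that is not Joomla's own code; the `smtppass` field name and the `$config` array are assumptions standing in for the saved Global Configuration:

```php
<?php
// Added example, not Joomla's code. $config stands in for the saved
// Global Configuration; the field name smtppass is an assumption.

// Vulnerable: the stored SMTP password is written straight into the form,
// so anyone who can open the page reads it from the DOM (and the browser
// offers to save it, as Firefox did above). HTML escaping does not help:
// the secret is still delivered to every admin's browser.
function renderSmtpPasswordVulnerable(array $config): string
{
    return '<input type="password" name="smtppass" value="'
        . htmlspecialchars($config['smtppass'], ENT_QUOTES, 'UTF-8') . '">';
}

// Hardened: never echo the secret. The field is rendered empty and the
// placeholder tells the admin that leaving it blank keeps the current value.
function renderSmtpPasswordSafe(): string
{
    return '<input type="password" name="smtppass" value="" autocomplete="off"'
        . ' placeholder="(unchanged)">';
}

// On save, an empty submission means "keep the existing password"; only a
// non-empty value replaces it. Without this rule the empty field above
// would wipe the stored password on every save of the configuration.
function applySmtpPasswordUpdate(array $config, array $post): array
{
    $submitted = isset($post['smtppass']) ? (string) $post['smtppass'] : '';
    if ($submitted !== '') {
        $config['smtppass'] = $submitted;
    }
    return $config;
}

// Constructed sample configuration, not real credentials.
$config = ['smtppass' => 'example-secret'];
echo renderSmtpPasswordVulnerable($config), "\n"; // secret visible in value=""
echo renderSmtpPasswordSafe(), "\n";              // nothing to read from the DOM

// Saving the form with the field left blank keeps the old password...
$config = applySmtpPasswordUpdate($config, ['smtppass' => '']);
assert($config['smtppass'] === 'example-secret');
// ...and a new value replaces it.
$config = applySmtpPasswordUpdate($config, ['smtppass' => 'new-secret']);
assert($config['smtppass'] === 'new-secret');
```

The same "blank means unchanged" rule applies to any other secret a configuration form round-trips, such as database or FTP passwords.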
