GPG Key Expired and Replaced

March 11th, 2009

It appears that while I was on holiday in New York my GPG encryption key expired, meaning that all attempts to submit site details securely using our online forms failed! If you have tried to use the following form in the last 4 days then you need to resubmit your details, as they were not stored or (encrypted and) transmitted.

http://secure.phil-taylor.com/support

I have now revoked and replaced the keys used for this process (I understand many of you will have no idea what I’m talking about – don’t worry ;-) )

If you need to email me directly then you need to refresh my public key – there is a new copy on all major keyservers and here:

http://keys.phil-taylor.com/

Is your Joomla Administrator Console secure?

December 29th, 2008

Obviously the first stage in securing your web site is to ensure that you are using a strong password. Ideally this should be a mixture of both upper and lower case characters and include a few numbers for good measure, and it should not be a real word.

Those naughty hackers aren’t stupid and are well aware that people may use the number 3 to replace the letter e in a password. It’s also extremely important that you don’t use the same password on multiple sites: you only need one of those sites to be hacked for all your sites to be vulnerable. See this blog entry for a TYPO3 horror story.

Unfortunately people are lazy and often re-use passwords or choose ones that appear strong to them but are in fact pretty weak and vulnerable to brute force attacks, and this is where the problem currently lies in Joomla.
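The checks the two paragraphs above describe (mixed case, digits, not a real word, and no credit for swapping 3 for e) can be run mechanically before a password is accepted. The following is an added example, not code from the original post or from Joomla; the word list is a constructed stand-in for a real dictionary and the leet-substitution table is an assumption about which swaps a guesser tries first.

```python
import re

# Constructed mini wordlist for the demonstration; a real check would load a
# full dictionary and breach wordlist (assumption, not a Joomla facility).
COMMON_WORDS = {"password", "admin", "joomla", "letmein", "welcome", "secret", "qwerty"}

# Reverse the substitutions guessers already try ("3" for "e", "0" for "o", ...)
# so that "Passw0rd" is examined as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def _base_word(password):
    """Drop a trailing run of digits/punctuation ("Passw0rd1!"), lower-case the rest,
    then undo leet substitutions so the dictionary check sees the underlying word."""
    core = password.rstrip("0123456789!.?")
    return core.lower().translate(LEET_MAP)


def password_problems(password, min_length=8):
    """Return a list of reasons the password is weak; an empty list means it
    passes every check here."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    base = _base_word(password)
    for word in sorted(COMMON_WORDS):
        if word in base:
            problems.append("based on the common word '%s'" % word)
            break
    return problems


def is_strong(password):
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ("admin", "Passw0rd1", "J00mla!", "Xk7#qLp2mW"):
        print("%-12s %s" % (candidate, password_problems(candidate) or "OK"))
```

"Passw0rd1" satisfies the character-class rules yet is rejected, because stripping the trailing digit and undoing the 0-for-o swap leaves "password"; that is the point the post makes about substitutions buying nothing.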

Every Joomla site creates a super-administrator user by default with exactly the same name – “admin”. As you can see from the screenshot there is no option to rename this super-administrator account during the installation.

[Screenshot: Joomla installer setting the admin password]

So what does this mean? For a hacker it’s a dream scenario: without doing anything you have given them 50% of the credentials they need to break into your site and do as they wish with all your precious work.

In the long term the solution is for Joomla itself to be updated to allow you to choose the default super-administrator username as well as the password. There are however several steps you can undertake right now.

As soon as you have installed Joomla and logged in for the first time, go to the user manager and create a brand new super-administrator with a strong password. Then log out, log in again with the newly created account, go back to the user manager and demote the “admin” user to manager level, apply your changes and then delete the “admin” user.

(You have to do it this way as Joomla does not allow you to delete a super-administrator.)

If you’re wondering why I didn’t suggest just changing the username of the “admin” user rather than creating a new one, that’s because the “admin” user always has the same user id of “62”, which potentially is another piece of useful information for a hacker or script-kiddie.

If you are at all worried about your site’s security, or would like us to provide you with a security consultancy service, then please get in touch!

How to check Joomla! download file for hacking

November 23rd, 2008

It has come to our attention that there is a site on the internet that is distributing Joomla’s full version zip files that are modified to add code to allow a hacker to break into your site.

This post is subtitled “How to check your downloaded Zip file is genuine and unmodified”.

Rule number #1: ONLY EVER download from a TRUSTED SOURCE (this is the joomlacode.org site) unless absolutely necessary.

Rule number #2: Check that your downloaded file is unmodified by checking the md5 sum of the file.

The md5 what?

Well check out this page (Click the files tab):

http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseView&release_id=8897

You will see the main download Joomla_1.5.8-Stable-Full_Package.zip has an md5 of 36b9c161b46bf973a96201135e933219

We can check this md5 hash in several ways; for example on Linux we can type

md5sum Joomla_1.5.8-Stable-Full_Package.zip

which will give us:

36b9c161b46bf973a96201135e933219     Joomla_1.5.8-Stable-Full_Package.zip

We can then compare that output with the md5 hash on the above web page – if they are different, even by only one character, then the zip file you have downloaded has been modified in some way – however little – DO NOT USE it if the md5 hash does not match EXACTLY.

There are more secure ways of “signing” package files, with GPG Encryption/Signatures, but the Joomla Project Team are behind the times with GPG and have not yet taken advantage of the same system that linux package maintainers use – GnuPG.

There are many other ways to compare md5 hashes – and some Windows applications as well.
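The md5sum comparison above can be scripted so that the exact-match rule is enforced rather than eyeballed. This is an added example, not code from the original post or from the Joomla project; the sample file and its "published" hash are constructed (the md5 of the bytes "hello"), and the function names are my own.

```python
import hashlib
import hmac
import os
import tempfile


def file_md5(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so a large zip never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_md5sum_line(line):
    """Split one line of md5sum output ('<hash>  <filename>') into (hash, filename).
    md5sum prefixes the name with '*' in binary mode, which is stripped here."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or len(parts[0]) != 32:
        raise ValueError("not an md5sum line: %r" % line)
    return parts[0].lower(), parts[1].lstrip("*")


def verify_download(path, expected_hex):
    """True only when the file's MD5 equals the published value exactly
    (hex case is normalised first, nothing else is forgiven)."""
    actual = file_md5(path)
    return hmac.compare_digest(actual.encode(), expected_hex.strip().lower().encode())


def run_demo():
    """Constructed sample: a 'genuine' file whose published MD5 is known, plus a
    copy with one byte appended, the way a modified zip would differ."""
    published = "5d41402abc4b2a76b9719d911017c592"   # md5 of the bytes b"hello"
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "package.zip")
        tampered = os.path.join(tmp, "package-modified.zip")
        with open(genuine, "wb") as fh:
            fh.write(b"hello")
        with open(tampered, "wb") as fh:
            fh.write(b"hello\n")
        return {
            "genuine_ok": verify_download(genuine, published),
            "tampered_ok": verify_download(tampered, published),
            "tampered_md5": file_md5(tampered),
        }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats the post's GPG remark hints at: a hash only helps when it is taken from the trusted project page, not from the same untrusted site that served the zip, and MD5 has had known collision attacks since 2004, so it detects accidental or careless modification but is no substitute for a signature.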

Joomla 1.5.1 Released – Important Security release

February 9th, 2008

The Joomla Core team have today released Joomla 1.5.1 to specifically address a security issue.

The official announcement was:

Joomla! 1.5.1 Released

The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.1 [Seenu]. Since the stable release of Joomla! 1.5 we have seen huge numbers of downloads which has helped to push the total number of downloads to over 3 million in less than a year.

We have found in one of the new features of Joomla! 1.5, an XML-RPC Blogger API plugin, a high priority security vulnerability. While this feature is disabled by default on every Joomla! 1.5 install and would have to be manually enabled for the vulnerability to exist, we strongly recommend that all Joomla! 1.5 users upgrade to Joomla! 1.5.1.

Thanks to the work done by both the Joomla! Bug Squad as well as the Development Team, not only has this vulnerability been patched but so have several other smaller issues.

Security Announcement for Joomla 1.5.0

February 6th, 2008

The core developers of Joomla! have just released a statement about a security exploit in Joomla 1.5.0.

After releasing Joomla! 1.5 stable we have discovered a high priority security issue.

The vulnerability has been discovered in XML-RPC in combination with the blogger API. There is a security problem in this code that makes it possible to alter the articles on your site (including removal). This problem has been fixed currently by members of the development team and the Joomla! bug squad; a solution is now available from Subversion. So what do you need to do until we release Joomla! 1.5.1?

All Joomla! users who have enabled the XML-RPC Blogger API plugin should disable it!

If you have never enabled this plugin you do not need to do anything.

This comes hot on the tail of an XML-RPC issue in WordPress also!

Using Prism To Administrate Joomla Safer

January 5th, 2008

A lot of talk has gone on recently regarding CSRF and Joomla 1.0.13/1.5. CSRF is a problem for all web based applications, and the upcoming Joomla 1.0.14 and Joomla 1.5 stable have both been hardened against such security vulnerabilities. Hardened, not made secure, as it is practically impossible to secure against each and every CSRF there is without interrupting workflow. Joomla, as do most other web apps, has made it as difficult as possible to use CSRF to hack a Joomla site.

The advice issued by ourselves recently is still just as valid now as it will be when Joomla 1.0.14/1.5 are released – Please follow these rules:

- ALWAYS click LOGOUT in Joomla Admin when you finish
- NEVER browse other websites while logged in to Joomla Admin
- If you allow users to upload/modify your site through any third party component then don’t browse, or limit your surfing of, your own site while logged in to Joomla Admin
- NEVER click on links to “Upgrade this component” in 3rd Party Components
- NEVER browse forums while logged into Joomla Admin

However, there is always a better, more secure option.

Introducing PRISM

Prism (formerly Webrunner) is a prototype application that lets users split web applications out of their browser and run them directly on their desktop. What this really means in non-techie speak is that you can launch a scaled down web browser in its own process and use that to administer your Joomla site. Prism is a scaled down Firefox web browser that is designed for web applications – so already it’s more secure as it’s not Internet Explorer based :-) :-)

We have been highly active in using Webrunner/Prism since the first release – and we are addicted.

Learn More

Get Prism

Once you have Prism installed, simply double click its icon and you will be prompted to give a URL and NAME (and a few optional settings).

For the URL set this as your admin console – like http://www.mysite.com/administrator/

and the NAME set to “Administrator for mySite” – also tick the desktop shortcut icon option.

Then you will be promptly shown your admin page – you can now log in securely and continue administering your Joomla site in Prism and NOT IN YOUR REGULAR BROWSER – this creates separation between your normal surfing and your Joomla Administrator.

By doing this you 100% protect yourself from the CSRF vulnerability reported in Joomla and other web apps – once you get addicted (as we are) to Prism you will never use your browser for web applications again!!!

Hope you like the tip!

Joomla 1.0.13 contains a CSRF vulnerability

January 2nd, 2008

We write this blog post with sadness. On the 4th December 2007 a nice white hat hacker notified the Joomla Core Development team of a CSRF vulnerability in Joomla 1.0.13 and Joomla 1.5 RC3. There have been many reports of these vulnerabilities around the web since then.

The nature of the vulnerability means that your site cannot be hacked while you sleep (like many of the other types of 3rd party component issues), but requires you (the site’s Super Admin) to be logged into Joomla Admin while at the same time surfing sites (maybe even your own) that contain links to [THINGS] that send [NAUGHTY] requests back to your Joomla Admin Console without you knowing. This can lead to complete disaster and even complete server compromise.
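The server-side counterpart to the "log out and don't surf" advice is the check a web application makes before acting on a state-changing request: the browser will happily attach the admin's session cookie to a request triggered from another site, but a page on that other site cannot read a secret token that only the admin's own pages carry. The following is an added example of that generic synchronizer-token check, not Joomla's own code and not a description of how Joomla's fix works; the session dictionary, the function names and the request headers are constructed, and the site origin is the www.mysite.com address used later on this page.

```python
import hmac
import secrets


def issue_token(session):
    """Put a fresh random token in the server-side session and return it so the
    admin page can embed it in every state-changing form."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def origin_allowed(headers, site_origin):
    """Defence in depth: if the browser sent Origin or Referer, it must name our own
    site. Neither header is guaranteed to be present, so absence alone is not rejected."""
    sent = headers.get("Origin") or headers.get("Referer")
    if sent is None:
        return True
    return sent == site_origin or sent.startswith(site_origin + "/")


def accept_state_change(session, headers, form, site_origin):
    """True only for a request that carries the session's token and, when the
    browser says where it came from, came from our own pages."""
    expected = session.get("csrf_token")
    supplied = form.get("token")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return origin_allowed(headers, site_origin)


def run_demo():
    """Constructed requests: one submitted from the admin's own form, one triggered
    by a page on another site while the admin is still logged in, and one that
    guesses a token. Only the first is accepted."""
    site = "http://www.mysite.com"
    session = {}                      # stands in for the admin's server-side session
    token = issue_token(session)
    own_form = accept_state_change(session, {"Origin": site}, {"token": token}, site)
    forged = accept_state_change(session, {"Referer": "http://other-site.example/page.html"},
                                 {"action": "delete"}, site)
    guessed = accept_state_change(session, {"Origin": site}, {"token": "0" * 32}, site)
    return {"own_form": own_form, "forged": forged, "guessed": guessed}


if __name__ == "__main__":
    print(run_demo())
```

The token is compared with hmac.compare_digest rather than == so that the comparison takes the same time whether the first or the last character differs. The Origin/Referer check is a second line of defence only: older browsers and some proxies omit those headers, which is why a missing header is not treated as a forgery.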

The Joomla Developers took only 4 days to fix this in Joomla 1.5 SVN and then shortly after released Joomla 1.5 RC4 stating they had fixed this category A5 Security [High] Vulnerability.

To date, no changes and no attempts by the core development team have been made to the Joomla 1.0.13+ SVN tree to fix this vulnerability in Joomla 1.0.13. Update: changes are now in SVN for the next version of Joomla 1.0.x – about time!

In an effort to assist them we spent a few hours and backported code from Joomla 1.5 RC4 to Joomla 1.0.13 and made all the changes required to fix Joomla 1.0.13 and make it secure from this type of vulnerability.

Details of this can be found in the following forum thread:

http://forum.joomla.org/index.php/topic,248109.msg1136076.html#msg1136076

I personally emailed all three lead developers with the same information as I published there, including providing the diff/patch files to Joomla 1.0.13. I have been assured that once Joomla 1.5 stable is released time will be spent on fixing this issue in Joomla 1.0.13 (I object to this – why take 4 days to fix unreleased software and over 4 weeks to fix software running on millions of sites already?!?)

Here is my professional advice to help you stay safe from the known and published vulnerability until the next version of Joomla 1.0.x is released.

The number one bit of advice I can give all site admins at the moment is to LOG OUT OF YOUR JOOMLA ADMIN as soon as you finish using it, and do not surf around the internet in other tabs/browser windows while administrating your Joomla site; and if you allow users to modify your site’s frontend, be careful not to surf your frontend as well while logged in.

Do not install any 3rd party components/mambots/modules/AND TEMPLATES!!! from untrusted sources; if these components choose, they can use this vulnerability to do [BAD] things…

[Already Fixed] mosDirectory 2.3.2 Module Issue

December 24th, 2007

There are reports circulating this Christmas Eve that the modules provided by mosDirectory v2.3.2 are vulnerable to a remote file inclusion.

Having reviewed the code I can confirm that, under the right circumstances, this can happen with all versions up until mosDirectory v2.3.7.

The modules provided by mosDirectory are all community/customer developed and submitted, and added into mosDirectory by request. It appears that our quality control missed this single line of code – and for this we are very sorry – the code in this file has not changed for almost two years and has never been flagged as an issue before. We now have automated nightly builds that check for this kind of security issue.

- There are no reported cases of a Joomla site being hacked through mosDirectory.
- There are no reported cases of a Joomla site being hacked through this vulnerability in the module.
- The vulnerability is in a module, not in the main mosDirectory component.

If you are using the htaccess file provided by Joomla then you are not vulnerable – however all customers should upgrade to the latest mosDirectory v2.4.0 as soon as possible to ensure that you are fully protected.

The latest version of mosDirectory v2.4.0 can be downloaded by logging into your account at http://secure.myjoomla.com/

Full details of patching your site have been emailed to every customer. If you missed this email then please contact us at phil@phil-taylor.com ASAP.

Fasthosts Hosting Company – Internal Systems Hacked

October 19th, 2007

For many years I have steered people away from the Fasthosts web hosting company. They are based in Gloucester, UK, my home town, and the local word on the street has always been negative towards them.

I was not surprised that one of my customers who has an old Fasthosts account received the following email from them this week – stating that their internal systems had been hacked!

We are writing to inform you that we have recently discovered evidence of a network intrusion involving a Fasthosts server. We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords. We have since closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again.

We therefore recommend, as a precaution, that you now change the following passwords on your account:

  • Your main account control panel login password
  • All email (Standard, Advanced and Exchange mailbox) passwords
  • All FTP passwords
  • All MySQL and MS SQL database passwords

These can all be changed within your control panel. Further details on how to change your passwords can also be found in the support section of our website.

We strongly recommend that you choose secure passwords so that they cannot easily be guessed. These passwords should include the following:

  • It should be a minimum of 8 characters long
  • It should contain an upper case and a lower case letter
  • It should also contain at least one number (numeric)

We recognise that this may cause some inconvenience and concern, and for that we sincerely apologise. Please be assured that your account security is extremely important to us, and we have taken every step possible to secure your information against any future intrusion attempts.

If you have any questions relating to this, please contact our Customer Support team on 0870 888 3600 or customersupport@fasthosts.co.uk who will be happy to help you.

Yours sincerely,

The Fasthosts Internet team

Simply amazing! – There is nothing about this on their website – I guess they want to keep it on the low!

Joomla 1.0.13 New Password Hashing Method Means NO Compatibility

July 23rd, 2007

Ever since the conception of Mambo/Joomla the passwords for admins and users have been converted into an md5 hash string and stored in the database.

In Joomla 1.0.13 (about time too!) this has changed. The password is now “salted” and then md5 hashed together with the salt, and the resulting hash and the salt are both stored in the database.

This means that Joomla 1.0.13 breaks backwards compatibility with itself (you can’t downgrade to anything before Joomla 1.0.13), and with some extensions like Community Builder and forum bridges!!

Basically any 3rd Party Component that reads/writes/validates the password of an admin or user will now FAIL in Joomla 1.0.13 unless it is updated to know about the new changes.

The salting of passwords is a good security step – we praise the core team for doing it – HOWEVER no announcement has been made about this, no blog post has been made and users are now in the dark. Remember, this means you can NEVER DOWNGRADE your site if you have problems, so make sure you MAKE A BACKUP before upgrading to Joomla 1.0.13 – you have now been warned!
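To make the compatibility break concrete, here is an added example (my own code, not Joomla's or any extension's) that models the two storage formats side by side and shows what an extension that validates logins has to do after the upgrade. It assumes the 1.0.13 rows are stored as the hex md5 of password+salt, a colon, then the salt, with a 16-character alphanumeric salt; that layout is my reading of the post, not something the post spells out.

```python
import hashlib
import hmac
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits


def legacy_hash(password):
    """Pre-1.0.13 storage: bare md5 of the password. Every user who picks the
    same password gets the identical row, so one precomputed table cracks all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """1.0.13-style storage, 'md5(password + salt):salt' (assumed layout, see
    lead-in). A fresh 16-character salt is drawn when none is supplied."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(16))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return "%s:%s" % (digest, salt)


def verify(password, stored):
    """Accept either storage format: after an upgrade, unsalted rows from old
    users sit next to salted rows from new ones until each user logs in again."""
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    else:
        digest, candidate = stored, legacy_hash(password)
    return hmac.compare_digest(candidate.encode(), digest.encode())


def needs_upgrade(stored):
    """True for an unsalted row; the site can rehash it at the next successful login."""
    return ":" not in stored


if __name__ == "__main__":
    old_row = legacy_hash("admin")
    new_row_a = salted_hash("admin")
    new_row_b = salted_hash("admin")
    print("legacy :", old_row)
    print("salted :", new_row_a)
    print("salted :", new_row_b, "(same password, different salt)")
    print("verify :", verify("admin", old_row), verify("admin", new_row_a), verify("Admin", new_row_b))
```

An extension that still does `md5($password) == $row->password` fails on every salted row, which is the breakage the post describes. The salt defeats shared lookup tables, but md5 is fast enough that a single weak password is still brute-forced quickly, so the strong-password advice elsewhere on this page still applies; modern practice is a deliberately slow password hash such as bcrypt.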