I suggest that by default, joomla should not allow the user to change the template. This should be an option to turn on.

2 key reasons:

1) Many people choose to implement features in their template based on if ( $my->id )  etc

If a visitor simply accesses the site with e.g. index.php?jos_change_template=rhuk_solarflare_ii in the url

They will bypass the security implemented in the template.

Mostly people use it for simple things like hiding / showing a welcome message etc. but some may have implemented more significant access control via the template.

2) A malicious user could leave links around the net to someone's joomla site with e.g. jos_change_template=madeyourweb etc

They could do this deliberately to create google links to a person's site with the layout completely messed up, giving the impression of a poor site / unusable site  ( the intended site may use completely different module positions to those in the other templates )


I know that the joomla admin can delete all other templates but I do not think that most joomla admins would think to do this.

I have seen hoards of posts suggesting the use of  if ( $my->id )  etc but never once seen anyone warning that you can overide any such measure a simply as jos_change_template=rhuk_solarflare_ii in the url

I guess this is the same issue as unpublished components that could be accessed if you knew the url. I hadnt considered the security aspects of this with templates but you do make valid points

Looks good though..

I agree, it's the same as passing mosmsg via url.. can spoof sites and show things not inteded to be shown..

A couple of key security measures to note are:

Never put logic into templates (this is a real no-no)
Uninstall unused templates, modules, mambots and components

These are really quite important in maintaining a tight ship and would solve the points you mention.

toubkal wrote:I suggest that by default, joomla should not allow the user to change the template. This should be an option to turn on.

2 key reasons:

1) Many people choose to implement features in their template based on if ( $my->id )  etc

If a visitor simply accesses the site with e.g. index.php?jos_change_template=rhuk_solarflare_ii in the url

They will bypass the security implemented in the template.


Mostly people use it for simple things like hiding / showing a welcome message etc. but some may have implemented more significant access control via the template.

2) A malicious user could leave links around the net to someone's joomla site with e.g. jos_change_template=madeyourweb etc

They could do this deliberately to create google links to a person's site with the layout completely messed up, giving the impression of a poor site / unusable site  ( the intended site may use completely different module positions to those in the other templates )


I know that the joomla admin can delete all other templates but I do not think that most joomla admins would think to do this.

I have seen hoards of posts suggesting the use of  if ( $my->id )  etc but never once seen anyone warning that you can overide any such measure a simply as jos_change_template=rhuk_solarflare_ii in the url

This should be a stickied post as it highlights the key part of security - conception. Simply not conceiving of a bad possibility!

I wouldn't doubt that a bad Google link could lead to Google cache poisoning where Google replaces its internal links to garbage, especially if the other site is popular.

Posted by: mallchin
Insert Quote
A couple of key security measures to note are:

Never put Access Control/Permissionslogic into templates (this is a real no-no)

Uninstall unused templates, modules, mambots and components

These are really quite important in maintaining a tight ship and would solve the points you mention.

very good
point!


The sneaky thing is its SO EASY to forget about something as trivial as a template!

I tend to run through the security post to make sure my new sites are nailed down before I unleash them on the unsuspecting public 

I got that tip from there.

On that note, it seems that the 1.0.11 to 1.0.12 update adds some files for the madeyourweb template.

If you've removed that template in the past you'll have to go manually remove those files.

They're just some images files and index.html files though, so nothing to worry about much.

Hi there,

I have tested out my site with the following link http://www.mysite.com/index.php?jos_cha ... arflare_ii

And to my big surprise the whole template was changed. :o

I have read in earlier posts that joomla should not allow the user to change the template.
I also read that there were feature implemented in their template based on if ( $my->id )  etc.
It was also mentioned that you should never put logic into templates (this is a real no-no).

What can I do to solve my problem? I gues :os that I have to change something in my template html so I searched in my template html for ‘if ( $my- >id )’ and I couldn’t find it back.

I’m using the template designed by Dylan Mouratsing, called Bassnote. It is downloadable from
http://www.mamboportal.com/index.php?se ... ch&Itemid=

I hope someone can tell me what to do in order to prevent anyone from changing my template using index.php?jos_change_template=rhuk_solarflare_ii

Thanks in advance,

You can try inserting this line below into your HTACCESS redirect rules

RewriteCond %{QUERY_STRING} jos_change_template [OR]

*

Note that this will prevent you from changing your template in the front end!

You should still be able to set it as DEFAULT in the admin backend


or, perhaps more simply, just delete all other templates other than the one you are actually using.

Hi Niemothk,

Thanx for responding my post.

I'm planning to do the first option which is inserting the line.
My question: Is the htaccess redirect rules the same as the .htaccess folder in my root.
If yes, should I insert it like this:
#RewriteCond %{QUERY_STRING} jos_change_template [OR]#

If not, where can I find this htaccess redirect rules folder or file?

no.

Since Joomla 1.011, there have been certain rules added to the HTACCESS file that deflects many or most of the hacking attempts.

The following is a snippet of the actual file:

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a