Joomla 2.5.28 Security Issues

Discussion regarding Joomla! 2.5 security issues.

incredible
Joomla! Apprentice
Posts: 24
Joined: Sun Sep 22, 2013 11:50 am
Location: Srinagar

Joomla 2.5.28 Security Issues

Post by incredible » Sun Jan 18, 2015 1:37 pm

I have developed a site on Joomla 2.5 and according to the audit report there are some issues with the website. I couldn't figure out some of them.

Here are the issues.

Session does not expire - Make sure that when you click the back button after logout, it redirects to the home page instead of the previously authenticated pages.

I have tried to set the login module to navigate the page to the homepage after a logout from the user. Now if the user clicks back he still sees the "edit" button for the article there, but it won't work for him. Now the problem is that the audit wants me to stop the user from being able to use the back button.

HTML Injection (guest book) - unable to check because the link goes to an email id with an HTML tag, so please stop this HTML tag also before sending it anywhere.

There is a guest book for comments and the audit says the HTML Injection he does must be stopped. How do I strip the special characters from these textboxes so the HTML Injection is prevented? I have enabled the text filters to stop HTML tags. They don't seem to work.

No Captcha Implementation - Please implement captcha on login page

I have literally tried all of the things to get the CAPTCHA on the login page. Nothing works. The audit wants to stop the brute force attack. How do I stop the brute force attack on the login page? The CAPTCHA is implemented on all other pages except for login. Don't know why Joomla doesn't provide the captcha facility for login.

Use encryption technique ( for password )

Isn't the password in Joomla encrypted before being sent over the network? He has sent a screenshot where he has used some software that shows the password being sent as plain text. If it is so, why isn't it being encoded for me? If it is, how do I encode it?

Click jacking - Use X-Frame Option.

Now what is this exactly?

Improper Input Validation ( contact-us )

Again, the contact us input fields are accepting special characters. How do I stop the special characters being added to the fields, and stop HTML Injection?

Again - doesn't Joomla by default use autocomplete=off for all the password fields? How do I set autocomplete off for all of my password fields?
Technical Lead at Techvity IT Services
E-mail : faheem.r@techvityit.com
Website : http://techvityit.com
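Several of the audit findings in the post above (cached pages after logout, clickjacking, HTML injection in the guest book, special characters in the contact form, autocomplete on password fields) come down to a handful of standard fixes. The block below is an added example written for this page in plain PHP; it is not Joomla core code and not code from any poster. Function names, field names and the length limits are assumptions for illustration, and the sample input is constructed. On a Joomla 2.5 site the header calls belong before any output (for example at the top of the template's index.php), and the escaping belongs wherever the guest-book or contact text is printed.

```php
<?php
// Added example (not Joomla core code and not from the forum posts).
// Function names, field names and limits are illustrative assumptions.

// "Session does not expire" (Back shows a cached authenticated page) and
// "Click jacking" are both addressed with response headers, sent before output.
function send_hardening_headers()
{
    // Never let the browser serve an authenticated page from its cache, so
    // Back after logout re-requests the page and gets the logged-out view.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
    // Only pages from this origin may put the site in a frame.
    header('X-Frame-Options: SAMEORIGIN');
}

// "HTML Injection (guest book)": escape stored text at output time, so a
// <b> or <a href="mailto:..."> typed by a visitor is displayed literally.
function e($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// "Improper Input Validation (contact-us)": accept only what each field
// legitimately needs (a whitelist) instead of chasing "special characters".
function validate_contact($post)
{
    $errors = array();
    $clean  = array();

    $name = isset($post['name']) ? trim($post['name']) : '';
    // Letters in any script, spaces, apostrophes and hyphens; 2 to 60 characters.
    if (!preg_match('/^[\p{L} \'\-]{2,60}$/u', $name)) {
        $errors['name'] = 'Name may contain letters, spaces, apostrophes and hyphens only.';
    } else {
        $clean['name'] = $name;
    }

    $email = isset($post['email']) ? trim($post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    // Tags are stripped server side; what remains is still escaped on output.
    $message = isset($post['message']) ? strip_tags(trim($post['message'])) : '';
    if (strlen($message) < 1 || strlen($message) > 2000) {
        $errors['message'] = 'Message must be 1 to 2000 characters.';
    } else {
        $clean['message'] = $message;
    }

    return array('ok' => empty($errors), 'data' => $clean, 'errors' => $errors);
}

// Password field with autocomplete disabled, as the audit asks.
function password_field_html($name)
{
    return '<input type="password" name="' . e($name) . '" autocomplete="off" />';
}

// --- Constructed sample input (not data from the audit) ---------------------
send_hardening_headers();

$sample = array(
    'name'    => "O'Brien <b>x</b>",                              // fails the whitelist
    'email'   => 'not-an-address',                                // fails FILTER_VALIDATE_EMAIL
    'message' => 'Hello <a href="mailto:x@example.com">contact me</a>', // tags stripped
);
$result = validate_contact($sample);
foreach ($result['errors'] as $field => $msg) {
    echo e($field) . ': ' . e($msg) . "\n";
}
echo 'Accepted message text: ' . e($result['data']['message']) . "\n";
echo 'Guest-book entry rendered safely: ' . e($sample['message']) . "\n";
echo password_field_html('password') . "\n";
```

Two points the audit wording blurs: stripping "special characters" on input is not what prevents HTML injection, escaping on output is; and no header can stop a user pressing Back, the headers above only make sure the browser fetches the page again instead of showing the cached authenticated copy.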

itoctopus
Joomla! Virtuoso
Posts: 4026
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Joomla 2.5.28 Security Issues

Post by itoctopus » Mon Jan 19, 2015 3:32 am

Essentially you will need to modify the controller and the view for the affected extensions to comply. For example, filtering the data from special characters must be done at the controller level.

I don't know whether the captcha implementation is good advice and has anything to do with security.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

incredible
Joomla! Apprentice
Posts: 24
Joined: Sun Sep 22, 2013 11:50 am
Location: Srinagar

Re: Joomla 2.5.28 Security Issues

Post by incredible » Mon Jan 19, 2015 6:25 pm

itoctopus wrote: I don't know whether the captcha implementation is good advice and has anything to do with security.

He says this would prevent the brute force attacks.

Can you please be more specific about how I can do it? Change where exactly in the controllers?
Technical Lead at Techvity IT Services
E-mail : faheem.r@techvityit.com
Website : http://techvityit.com
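The brute-force concern behind the "captcha on login" finding is usually handled server side by limiting failed login attempts, with or without a CAPTCHA. The class below is an added example written for this page, not Joomla code and not code from any poster; class name, limits and the sample account/address are assumptions. The counters live in an in-memory array so the example runs stand-alone; a real deployment would persist them (a database table or cache) so they survive across requests.

```php
<?php
// Added example (not Joomla code): a per-account, per-address login throttle.
// Names, limits and sample values are illustrative assumptions.

class LoginThrottle
{
    private $maxFailures;     // failures allowed inside the window
    private $windowSeconds;   // sliding window in which failures are counted
    private $lockSeconds;     // how long logins are refused once the limit is hit
    private $store = array(); // key => array('fails' => timestamps, 'locked_until' => int)

    public function __construct($maxFailures = 5, $windowSeconds = 300, $lockSeconds = 900)
    {
        $this->maxFailures   = $maxFailures;
        $this->windowSeconds = $windowSeconds;
        $this->lockSeconds   = $lockSeconds;
    }

    // Keying on account AND client address means one remote address cannot
    // lock every user out, and one user is not locked by someone else's traffic.
    public static function key($username, $ip)
    {
        return strtolower($username) . '|' . $ip;
    }

    public function isLocked($key, $now)
    {
        return isset($this->store[$key]['locked_until'])
            && $this->store[$key]['locked_until'] > $now;
    }

    // Record a failed attempt; returns true when the key is now locked.
    public function recordFailure($key, $now)
    {
        if (!isset($this->store[$key])) {
            $this->store[$key] = array('fails' => array(), 'locked_until' => 0);
        }
        // Keep only failures inside the window, then add this one.
        $fresh = array();
        foreach ($this->store[$key]['fails'] as $t) {
            if ($t > $now - $this->windowSeconds) {
                $fresh[] = $t;
            }
        }
        $fresh[] = $now;
        $this->store[$key]['fails'] = $fresh;

        if (count($fresh) >= $this->maxFailures) {
            $this->store[$key]['locked_until'] = $now + $this->lockSeconds;
            $this->store[$key]['fails'] = array();
        }
        return $this->isLocked($key, $now);
    }

    // A successful login clears the counters for that key.
    public function recordSuccess($key)
    {
        unset($this->store[$key]);
    }
}

// Intended flow in a login controller (constructed outline):
//   if ($throttle->isLocked($key, time()))  -> show "try again later", do not check the password
//   elseif (password verified)              -> $throttle->recordSuccess($key)
//   else                                    -> $throttle->recordFailure($key, time())

$throttle = new LoginThrottle(5, 300, 900);
$key = LoginThrottle::key('admin', '203.0.113.7'); // constructed sample account and address
$now = 1421500000;                                 // constructed timestamp
for ($i = 0; $i < 5; $i++) {
    $locked = $throttle->recordFailure($key, $now + $i);
    echo 'failure ' . ($i + 1) . ' locked: ' . ($locked ? 'yes' : 'no') . "\n";
}
echo 'locked 10 minutes later: ' . ($throttle->isLocked($key, $now + 600) ? 'yes' : 'no') . "\n";
echo 'locked after lock expires: ' . ($throttle->isLocked($key, $now + 901) ? 'yes' : 'no') . "\n";
```

While locked, the controller should refuse the attempt before it verifies the password, so a correct guess inside the lock window gains nothing. Per-address throttling does not help against attempts spread over many addresses, so it complements, rather than replaces, strong passwords and HTTPS on the login form.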

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: Joomla 2.5.28 Security Issues

Post by Tonie » Mon Jan 19, 2015 7:08 pm

incredible wrote: Use encryption technique ( for password )

Isn't the password in Joomla encrypted before being sent over the network? He has sent a screenshot where he has used some software that shows the password being sent as plain text. If it is so, why isn't it being encoded for me? If it is, how do I encode it?

For an encrypted connection, you will have to enable https for your website. On insecure links, the password is not encrypted.

Not sure when the audit was done, but one thing that was omitted is that Joomla 2.5 is not supported any more.
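Tonie's point is the whole fix for the "password sent as plain text" finding: the login form and the POST carrying the password must travel over HTTPS. Encoding or hashing the password in the browser does not substitute for that, because whatever string is sent becomes the credential an eavesdropper can replay. Joomla 2.5's Global Configuration also has a Force SSL setting for the whole site; the block below is an added example in plain PHP written for this page (not Joomla code, not a poster's code) that shows the same enforcement plus a hardened session cookie. It assumes the site already answers on https:// with a valid certificate; the `$server` parameter stands in for `$_SERVER` so the functions can be exercised on constructed input, and `CANONICAL_HOST` is an assumed configuration value.

```php
<?php
// Added example (not Joomla code and not from the forum posts): force HTTPS and
// harden the session cookie. CANONICAL_HOST is an assumed setting; the $server
// parameter stands in for $_SERVER so the functions run on constructed input.

define('CANONICAL_HOST', 'www.example.com'); // assumption: your site's real host name

function request_is_https($server)
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a TLS-terminating proxy: trust this header only if the proxy is
    // known to set it itself and to strip any client-supplied copy.
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Returns the https:// URL to redirect to, or null when no redirect is needed.
// The configured host is used rather than the Host header, so a crafted Host
// header cannot steer the redirect elsewhere.
function https_redirect_target($server)
{
    if (request_is_https($server)) {
        return null;
    }
    return 'https://' . CANONICAL_HOST . $server['REQUEST_URI'];
}

// Call before any output and before session_start().
function enforce_https($server)
{
    $target = https_redirect_target($server);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Browsers remember to use HTTPS for this host (here: 180 days).
    header('Strict-Transport-Security: max-age=15552000');
    // Session cookie only over HTTPS and not readable from JavaScript.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
}

// --- Constructed requests (sample values, not from the site in the thread) ---
$plain = array(
    'HTTPS'       => '',
    'HTTP_HOST'   => 'www.example.com',
    'REQUEST_URI' => '/index.php?option=com_users&view=login',
);
$secure = $plain;
$secure['HTTPS'] = 'on';

echo 'plain request:  ' . var_export(https_redirect_target($plain), true) . "\n";
echo 'secure request: ' . var_export(https_redirect_target($secure), true) . "\n";
```

In production, `enforce_https($_SERVER)` would be the call; the sample above only exercises the redirect decision so it can run from the command line.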

incredible
Joomla! Apprentice
Posts: 24
Joined: Sun Sep 22, 2013 11:50 am
Location: Srinagar

Re: Joomla 2.5.28 Security Issues

Post by incredible » Thu Jan 22, 2015 1:33 pm

@Tonie,

HTTPS is required for the encryption over the network. I am actually seeking to encrypt the actual plain password into an encoded string.
Technical Lead at Techvity IT Services
E-mail : faheem.r@techvityit.com
Website : http://techvityit.com

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: Joomla 2.5.28 Security Issues

Post by Tonie » Thu Jan 22, 2015 1:37 pm

Do you mean the password Joomla connects to the database or a user password?

incredible
Joomla! Apprentice
Posts: 24
Joined: Sun Sep 22, 2013 11:50 am
Location: Srinagar

Re: Joomla 2.5.28 Security Issues

Post by incredible » Sat Jan 24, 2015 8:56 pm

A user password from the front end used to log in to the site.
Technical Lead at Techvity IT Services
E-mail : faheem.r@techvityit.com
Website : http://techvityit.com

leolam
Joomla! Master
Posts: 19666
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Joomla 2.5.28 Security Issues

Post by leolam » Sun Feb 22, 2015 4:12 am

Joomla 2.5 is no longer supported.

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services
