How to prevent extensions to access the server's root directory?

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
gba
Joomla! Intern
Joomla! Intern
Posts: 77
Joined: Tue Jun 03, 2014 3:37 pm

How to prevent extensions to access the server's root directory?

Post by gba » Thu Oct 01, 2020 2:26 pm

Hello all!

I noticed that third party extensions are able to access webserver directories outside of the current installation.

i. e. https://extensions.joomla.org/extension/profiles/:
In the configuration of that extension as a super user I can set the webserver's root directory as 'Root folder'.
This enables super users of any website on my webserver reading and even manipulating (!!) any file of other websites! :eek:

This is an extremely dangerous vulnerability!
How can I ensure, that super users and extensions can handle files within the website's root directory, only?

Thank you very much in advance for any useful hint!

Kind regards,
Gerald

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22806
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: How to prevent extensions to access the server's root directory?

Post by pe7er » Thu Oct 01, 2020 2:46 pm

You could limit the read/write/execute permissions of a web server to only the /public_html/ (or whatever your website's root folder is called) folder recursively (and everything under it like /images/ etc).

Note that in some cases it's more secure if Joomla/extensions can write outside your web root.
Think about storing PDF invoices or backups out of reach of any visitors.
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

gba
Joomla! Intern
Joomla! Intern
Posts: 77
Joined: Tue Jun 03, 2014 3:37 pm

Re: How to prevent extensions to access the server's root directory?

Post by gba » Thu Oct 01, 2020 3:02 pm

Hi!

Thank you for your quick response and your advise.

Actually there is a severe need to prevent super users of different website installations from accessing the directories and files of other website installations residing on the same webserver.
How to achieve that?
To me that seems nothing exotic ...

BTW: Why does Joomla open such a severe security hole at all?

Kind regards,
Gerald

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 27205
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: How to prevent extensions to access the server's root directory?

Post by Per Yngve Berg » Thu Oct 01, 2020 3:47 pm

gba wrote:
Thu Oct 01, 2020 3:02 pm
Hi!

Thank you for your quick response and your advise.

Actually there is a severe need to prevent super users of different website installations from accessing the directories and files of other website installations residing on the same webserver.
How to achieve that?
To me that seems nothing exotic ...
Run a virtual host of the web server for each site that runs under a separate Linux user. Can be done on a VPS, but probably not on a shared host without a hosting account for each site.
gba wrote:
Thu Oct 01, 2020 3:02 pm
BTW: Why does Joomla open such a severe security hole at all?
It's not Joomla, it's the web server.

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 9724
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to prevent extensions to access the server's root directory?

Post by sozzled » Thu Oct 01, 2020 8:39 pm

gba wrote:
Thu Oct 01, 2020 2:26 pm
I noticed that [some] third party extensions are able to access webserver directories outside of the current installation.

... This is an extremely dangerous vulnerability!
Thanks for your observations about some third-party extensions that appear to behave in this manner. If people have concerns about third-party extensions that expose security issues with their J! websites, they can report them to the VEL—the Vulnerable Extensions List team—for investigation. Extensions that the VEL team put under the microscope for investigation can then be removed from the JED if those suspicions are proven to be verified. It's then up to the developers of those extensions to remediate such issues before the extensions are permitted to be listed on the JED again.

That's what I would do. I hope this helps. 8)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

gba
Joomla! Intern
Joomla! Intern
Posts: 77
Joined: Tue Jun 03, 2014 3:37 pm

Re: How to prevent extensions to access the server's root directory?

Post by gba » Wed Oct 07, 2020 10:20 am

Thank you all for your comments!

As Joomla is targeting not only developers, but also people who do not have abilities in webserver configuration, I see a need for Joomla taking care of avoiding such exploits through its system and its extensions.

Therefore I reported the extension mentioned in my initial post.

But as also any other extension could misuse the Joomla system to exploit all data on a webserver, I am still thinking about Joomla's responsibility to provide with more security using its software.

Any constructive input to this matter (especially by Joomla) is very welcome!

Kind regards,
Gerald


Post Reply

Return to “Security in Joomla! 3.x”