How to prevent extensions to access the server's root directory?

Discussion regarding Joomla! 3.x security issues.

gba
Joomla! Enthusiast
Posts: 117
Joined: Tue Jun 03, 2014 3:37 pm

How to prevent extensions to access the server's root directory?

Post by gba » Thu Oct 01, 2020 2:26 pm

Hello all!

I noticed that third party extensions are able to access webserver directories outside of the current installation.

i. e. https://extensions.joomla.org/extension/profiles/:
In the configuration of that extension as a super user I can set the webserver's root directory as 'Root folder'.
This enables super users of any website on my webserver reading and even manipulating (!!) any file of other websites! :eek:

This is an extremely dangerous vulnerability!
How can I ensure that super users and extensions can handle files within the website's root directory only?

Thank you very much in advance for any useful hint!

Kind regards,
Gerald

pe7er
Joomla! Master
Posts: 25057
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: How to prevent extensions to access the server's root directory?

Post by pe7er » Thu Oct 01, 2020 2:46 pm

You could limit the read/write/execute permissions of a web server to only the /public_html/ (or whatever your website's root folder is called) folder recursively (and everything under it like /images/ etc).

Note that in some cases it's more secure if Joomla/extensions can write outside your web root.
Think about storing PDF invoices or backups out of reach of any visitors.

Kind Regards,
Peter Martin, Global Moderator

gba
Joomla! Enthusiast
Posts: 117
Joined: Tue Jun 03, 2014 3:37 pm

Re: How to prevent extensions to access the server's root directory?

Post by gba » Thu Oct 01, 2020 3:02 pm

Hi!

Thank you for your quick response and your advice.

Actually there is a severe need to prevent super users of different website installations from accessing the directories and files of other website installations residing on the same webserver.
How to achieve that?
To me that seems nothing exotic ...

BTW: Why does Joomla open such a severe security hole at all?

Kind regards,
Gerald

Per Yngve Berg
Joomla! Master
Posts: 31086
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: How to prevent extensions to access the server's root directory?

Post by Per Yngve Berg » Thu Oct 01, 2020 3:47 pm

gba wrote: Thu Oct 01, 2020 3:02 pm
Hi!

Thank you for your quick response and your advice.

Actually there is a severe need to prevent super users of different website installations from accessing the directories and files of other website installations residing on the same webserver.
How to achieve that?
To me that seems nothing exotic ...

Run a virtual host of the web server for each site that runs under a separate Linux user. Can be done on a VPS, but probably not on a shared host without a hosting account for each site.

gba wrote: Thu Oct 01, 2020 3:02 pm
BTW: Why does Joomla open such a severe security hole at all?

It's not Joomla, it's the web server.
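As an added example (not code from this thread, from Joomla, or from any extension), here is a small Python audit that checks the two things the replies above rely on: that an extension's configured 'Root folder' resolves inside the site's own web root (Joomla's JPATH_ROOT) even when it is written with `..` or reached through a symlink, and that the web root's mode bits give no access to "other" Linux users, which is what the one-Linux-user-per-virtual-host setup depends on. The two-site layout, the symlink and the permissions are constructed in a temporary directory for the demonstration.

```python
import os
import stat
import tempfile


def within_web_root(configured_root: str, web_root: str) -> bool:
    """True only if configured_root resolves (symlinks and '..' included)
    to web_root itself or to a path strictly beneath it."""
    real_web = os.path.realpath(web_root)
    # join() keeps an absolute configured_root as-is, so '/' is handled too
    real_cfg = os.path.realpath(os.path.join(real_web, configured_root))
    return real_cfg == real_web or real_cfg.startswith(real_web + os.sep)


def others_can_access(path: str) -> bool:
    """True if 'other' users hold any r/w/x bit on path, i.e. the Linux
    user of a different virtual host could reach into this site."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))


def audit_site(web_root: str, configured_roots):
    """Map each candidate 'Root folder' to True (inside web root) or False,
    and add one flag for the web root's permissions."""
    report = {r: within_web_root(r, web_root) for r in configured_roots}
    report["others_can_access_web_root"] = others_can_access(web_root)
    return report


def demo():
    # Constructed layout: <tmp>/site_a and <tmp>/site_b, as two vhosts would have.
    base = tempfile.mkdtemp()
    site_a = os.path.join(base, "site_a")
    site_b = os.path.join(base, "site_b")
    for site in (site_a, site_b):
        os.makedirs(os.path.join(site, "images"))
    # A symlink inside site_a pointing at site_b: realpath() must see through it.
    os.symlink(site_b, os.path.join(site_a, "shared"))
    os.chmod(site_a, 0o750)  # owner rwx, group rx, nothing for others
    candidates = [".", "images", "../site_b", "shared", "/"]
    return audit_site(site_a, candidates)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```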

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to prevent extensions to access the server's root directory?

Post by sozzled » Thu Oct 01, 2020 8:39 pm

gba wrote: Thu Oct 01, 2020 2:26 pm
I noticed that [some] third party extensions are able to access webserver directories outside of the current installation.

... This is an extremely dangerous vulnerability!

Thanks for your observations about some third-party extensions that appear to behave in this manner. If people have concerns about third-party extensions that expose security issues with their J! websites, they can report them to the VEL—the Vulnerable Extensions List team—for investigation. Extensions that the VEL team put under the microscope for investigation can then be removed from the JED if those suspicions are proven to be verified. It's then up to the developers of those extensions to remediate such issues before the extensions are permitted to be listed on the JED again.

That's what I would do. I hope this helps. 8)

gba
Joomla! Enthusiast
Posts: 117
Joined: Tue Jun 03, 2014 3:37 pm

Re: How to prevent extensions to access the server's root directory?

Post by gba » Wed Oct 07, 2020 10:20 am

Thank you all for your comments!

As Joomla is targeting not only developers, but also people who do not have abilities in webserver configuration, I see a need for Joomla taking care of avoiding such exploits through its system and its extensions.

Therefore I reported the extension mentioned in my initial post.

But as any other extension could also misuse the Joomla system to exploit all data on a webserver, I am still thinking about Joomla's responsibility to provide more security through its software.

Any constructive input to this matter (especially by Joomla) is very welcome!

Kind regards,
Gerald
