security report on joomla.xml (J!3) Topic is solved

Discussion regarding Joomla! 3.x security issues.

Thomsterdam
Joomla! Enthusiast
Posts: 166
Joined: Mon Dec 12, 2011 5:55 pm

security report on joomla.xml (J!3)

Post by Thomsterdam » Thu Nov 16, 2023 11:38 am

Hi there,
I received a security warning from a security expert for my website. This is the content of the message:
hello Team
I (...) found a security issue in your system {HIGH}

Title
joomla-manifest-file

Steps To Reproduce
https://[mysite]/administrator/manifests/files/joomla.xml
Then there is a list of what is in the file:
2023-11-16 security message.png
The content of the mentioned joomla.xml file is this:

<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
	<name>files_joomla</name>
	<author>Joomla! Project</author>
	<authorEmail>[email protected]</authorEmail>
	<authorUrl>www.joomla.org</authorUrl>
	<copyright>(C) 2019 Open Source Matters, Inc.</copyright>
	<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
	<version>3.10.12</version>
	<creationDate>July 2023</creationDate>
	<description>FILES_JOOMLA_XML_DESCRIPTION</description>

	<scriptfile>administrator/components/com_admin/script.php</scriptfile>

	<update>
		<schemas>
			<schemapath type="mysql">administrator/components/com_admin/sql/updates/mysql</schemapath>
			<schemapath type="sqlsrv">administrator/components/com_admin/sql/updates/sqlazure</schemapath>
			<schemapath type="sqlazure">administrator/components/com_admin/sql/updates/sqlazure</schemapath>
			<schemapath type="postgresql">administrator/components/com_admin/sql/updates/postgresql</schemapath>
		</schemas>
	</update>

	<fileset>
		<files>
			<folder>administrator</folder>
			<folder>bin</folder>
			<folder>cache</folder>
			<folder>cli</folder>
			<folder>components</folder>
			<folder>images</folder>
			<folder>includes</folder>
			<folder>language</folder>
			<folder>layouts</folder>
			<folder>libraries</folder>
			<folder>media</folder>
			<folder>modules</folder>
			<folder>plugins</folder>
			<folder>templates</folder>
			<folder>tmp</folder>
			<file>htaccess.txt</file>
			<file>web.config.txt</file>
			<file>LICENSE.txt</file>
			<file>README.txt</file>
			<file>index.php</file>
		</files>
	</fileset>

	<updateservers>
		<server name="Joomla! Core" type="collection">https://update.joomla.org/core/list.xml</server>
	</updateservers>
</extension>
It looks like there is nothing wrong with what he is warning me about, but I am not a security expert nor a Joomla code expert. I haven't got a clue as to the validity of this warning. Can you tell me if there is something with the manifest file? Can you tell me if I should follow up on this warning?

Thank you in advance.

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

SharkyKZ
Joomla! Hero
Posts: 2909
Joined: Fri Jul 05, 2013 10:35 am
Location: Parts Unknown

Re: security report on joomla.xml (J!3)

Post by SharkyKZ » Thu Nov 16, 2023 12:48 pm

Maybe it's because you are using EOL version of Joomla.

Thomsterdam
Joomla! Enthusiast
Posts: 166
Joined: Mon Dec 12, 2011 5:55 pm

Re: security report on joomla.xml (J!3)

Post by Thomsterdam » Thu Nov 16, 2023 4:51 pm

SharkyKZ wrote:
Thu Nov 16, 2023 12:48 pm
Maybe it's because you are using EOL version of Joomla.
That may be so, SharkyKZ, but our organisation has decided to continue using Joomla 3 using the extended Long Term Support that Joomla has provided. So we are not going to upgrade to Joomla! 4 at this point in time, but we need to keep the site safe in any case.
So if there is anyone who can provide information about the security warning I wrote about above, I would be very grateful.

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

brian
Joomla! Master
Posts: 12787
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: security report on joomla.xml (J!3)

Post by brian » Thu Nov 16, 2023 5:55 pm

As you are paying for the externally provided eLTS, then that is the best place to ask.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

pe7er
Joomla! Master
Posts: 24986
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: security report on joomla.xml (J!3)

Post by pe7er » Thu Nov 16, 2023 6:34 pm

I suppose that the security expert sees that manifest file as information disclosure.
The manifest lists your Joomla version as 3.10.12, which is indeed End-Of-Life since August 2023.

However, even if you make that .xml file inaccessible (e.g. by protecting your /administrator/ folder with a .htaccess password), it is still possible to "fingerprint" the version of your Joomla website.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
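The point pe7er makes is that the manifest is a version disclosure, and the real fix is to be on a current release rather than to hide the file. The following is an added example (not code from the thread or from the Joomla project) that audits a manifest the way a site owner might: it parses the <version> element from the XML quoted above (embedded as a constructed sample) and compares it with a known current release such as the 3.10.13-elts that appears later in the thread. The version ordering rule (numeric parts compared, a suffix like "-elts" ignored for ordering) is this example's own assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the version-bearing part of the joomla.xml quoted in the thread.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.10.12</version>
    <creationDate>July 2023</creationDate>
</extension>
"""


def manifest_version(xml_text: str) -> str:
    """Return the <version> text of a Joomla file manifest ('' if the element is absent)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else ""


def parse_version(v: str):
    """Split '3.10.13-elts' into ((3, 10, 13), 'elts').

    Assumption of this example: only the numeric parts order releases; the
    suffix is kept so the caller can tell an eLTS build from a regular one.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), (m.group(2) or "")


def audit_manifest(xml_text: str, latest: str) -> dict:
    """Report the disclosed version and whether it is behind `latest`."""
    found = manifest_version(xml_text)
    current_num, current_suffix = parse_version(found)
    latest_num, latest_suffix = parse_version(latest)
    return {
        "version": found,
        "outdated": current_num < latest_num,
        "elts_build": current_suffix == "elts",
        "latest_is_elts": latest_suffix == "elts",
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, "3.10.13-elts"))
```

Run it against the manifest you actually serve to see what a scanner sees; an "outdated" result is the finding that matters, not the file's presence.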

Thomsterdam
Joomla! Enthusiast
Posts: 166
Joined: Mon Dec 12, 2011 5:55 pm

Re: security report on joomla.xml (J!3)

Post by Thomsterdam » Fri Nov 17, 2023 9:34 am

Pe7er:
Thanks for your expert advice (as usual). What I have done is activate eLTS for Joomla! 3. As soon as that was done, I received an update from Joomla 3.10.12 to Joomla 3.10.13-elts. This solved the problem. The present manifest file reads:

<version>3.10.13-elts</version>

Thanks for the support.

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.
