Users registering without registration form being published

Discussion regarding Joomla! 3.x security issues.

Post by mandville » Tue Aug 11, 2015 12:10 pm

This is a known vulnerability that was fixed in Joomla 3.6.4, you need to update. https://www.joomla.org/announcements/re ... eased.html

This enabled user registration without control. However, this is not always due to a hack; mostly, it is a site administrator's failure.
I have had a spate of new Users appearing in my User Manager.
I am the only authorised user on my sites (Super User) - so how do these spammers get in; and how to block them in future?
I've received email messages from my website, telling me that a new user has registered.
1. There is no user registration form on the website
2. These appear to be hacks
The symptom checklist is as follows:
Did you turn off New User Registration in the Options of User Manager?
Since J3.4.0, the User Registration option is switched OFF by default for new Joomla installations.
If you have upgraded from an older version then you may need to change it yourself:

On all Joomla installations, unless the module code is deleted, the registration form is still available even when you don't have a menu item pointing to it. Spam bots are preprogrammed with the non-SEF link to the module (likewise for bots targeting Drupal and WordPress).

- In Users > User Manager, click on [Options] (on the right).
- On the [Component] tab, set "Allow User Registration" to No.

Prevention:

If you require users to register but want to cut down on the bot registrations, then on a normal site it is a good idea to be using
- the self-activation part, as a lot of bots use fake addresses and won't be able to confirm their registration,
or
- you can set new registrations to "public", which means they think they have registered but can't do anything until you raise them to registered level,
or
- you can set new registrations to no / disabled.
It helps to have CAPTCHA installed, meaning one more hurdle for bots and spammers to go through.

Related links

https://docs.joomla.org/Help34:Componen ... figuration
https://docs.joomla.org/Setting_user_re ... ion_policy

Administration discussion topic http://forum.joomla.org/viewtopic.php?f=708&t=892899
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
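
The checklist in the post above can be run as a script against a site's stored settings. This is an added example, not part of the original post or Joomla's own code; it assumes the com_users options are stored as JSON in the params column of the #__extensions table under the keys allowUserRegistration, useractivation, new_usertype and captcha, and that the Public group has ID 1. The sample data is constructed.

```python
import json

# Constructed sample: the JSON assumed to be stored in the params column of
# the com_users row of Joomla's #__extensions table (values are made up).
SAMPLE_PARAMS = ('{"allowUserRegistration":"1","new_usertype":"2",'
                 '"useractivation":"0","captcha":""}')

PUBLIC_GROUP_ID = "1"  # assumption: default ID of the "Public" user group


def audit_registration(params_json, global_captcha=""):
    """Return a list of findings for one site's com_users parameters."""
    p = json.loads(params_json)
    # A missing key is treated as "enabled" so the gap gets reported.
    if str(p.get("allowUserRegistration", "1")) == "0":
        return []  # registration is off: nothing else to check
    findings = ["registration enabled: form is reachable without a menu item"]
    # Assumed values: 0 = no activation, 1 = self, 2 = administrator.
    if str(p.get("useractivation", "0")) == "0":
        findings.append("hurdle missing: no activation step, "
                        "fake addresses can register")
    if str(p.get("new_usertype", "2")) != PUBLIC_GROUP_ID:
        findings.append("hurdle missing: new accounts get more than "
                        "Public access")
    # An empty component value is assumed to mean "use the global default".
    captcha = str(p.get("captcha", "")) or global_captcha
    if captcha in ("", "0"):
        findings.append("hurdle missing: no CAPTCHA selected for registration")
    return findings


if __name__ == "__main__":
    report = audit_registration(SAMPLE_PARAMS) or ["ok: registration disabled"]
    for line in report:
        print(line)
```
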
