Hello all!
I noticed that third party extensions are able to access webserver directories outside of the current installation.
e.g. https://extensions.joomla.org/extension/profiles/:
In the configuration of that extension as a super user I can set the webserver's root directory as 'Root folder'.
This enables super users of any website on my webserver to read and even manipulate (!!) any file of other websites!
This is an extremely dangerous vulnerability!
How can I ensure that super users and extensions can handle files within the website's root directory only?
Thank you very much in advance for any useful hint!
Kind regards,
Gerald
How to prevent extensions to access the server's root directory?
Moderators: mandville, General Support Moderators
- Joomla! Enthusiast
- Posts: 117
- Joined: Tue Jun 03, 2014 3:37 pm
- pe7er
- Joomla! Master
- Posts: 25057
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
Re: How to prevent extensions to access the server's root directory?
You could limit the read/write/execute permissions of a web server to only the /public_html/ (or whatever your website's root folder is called) folder recursively (and everything under it like /images/ etc).
Note that in some cases it's more secure if Joomla/extensions can write outside your web root.
Think about storing PDF invoices or backups out of reach of any visitors.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
- Joomla! Enthusiast
- Posts: 117
- Joined: Tue Jun 03, 2014 3:37 pm
Re: How to prevent extensions to access the server's root directory?
Hi!
Thank you for your quick response and your advice.
Actually there is a severe need to prevent super users of different website installations from accessing the directories and files of other website installations residing on the same webserver.
How to achieve that?
To me that seems nothing exotic ...
BTW: Why does Joomla open such a severe security hole at all?
Kind regards,
Gerald
- Per Yngve Berg
- Joomla! Master
- Posts: 31086
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: How to prevent extensions to access the server's root directory?
Run a virtual host of the web server for each site that runs under a separate Linux user. Can be done on a VPS, but probably not on a shared host without a hosting account for each site.
gba wrote: ↑Thu Oct 01, 2020 3:02 pm
> Hi!
> Thank you for your quick response and your advice.
> Actually there is a severe need to prevent super users of different website installations from accessing the directories and files of other website installations residing on the same webserver.
> How to achieve that?
> To me that seems nothing exotic ...
It's not Joomla, it's the web server.
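Two checks that go with the advice in the two replies above (pe7er's "limit permissions to the web root" and Per Yngve Berg's "one Linux user per site"), and with the original question of keeping an extension's "Root folder" inside the site. This is an added example, not code from the thread, from Joomla or from any extension; it assumes the layout /var/www/<site>/public_html with a separate owner per site (a hypothetical layout) and needs GNU coreutils (realpath -m) and GNU findutils.

```shell
#!/bin/sh
# Added example, not code from the thread or from Joomla. Two checks for the
# situation discussed above, assuming one Linux user per site and the layout
# /var/www/<site>/public_html (both assumptions; adjust for your host).
# Requires GNU coreutils (realpath -m) and GNU findutils.

# path_inside_webroot WEBROOT CANDIDATE
# Returns 0 when CANDIDATE (e.g. the value an extension stores as its
# "Root folder") resolves to WEBROOT or somewhere below it, 1 otherwise.
# Both paths are canonicalised first, so "..", trailing slashes and symlinks
# pointing out of the tree cannot fool the prefix comparison.
path_inside_webroot() {
    root=$(realpath -m -- "$1") || return 1
    cand=$(realpath -m -- "$2") || return 1
    case "$cand" in
        "$root" | "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_site_perms SITEDIR
# Prints every file or directory under SITEDIR that another local user could
# read, traverse or write (any "other" bit set, or group-write) and returns 1
# if anything was found, 0 if the tree is private to its owner (plus a
# read-only group). Symlinks are skipped: their own mode bits carry no meaning.
audit_site_perms() {
    found=$(find "$1" ! -type l -perm /o+rwx,g+w -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo against a constructed layout in a temporary directory (the real paths
# would be /var/www/site1/public_html etc.); safe to run as a normal user.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site1/public_html" "$tmp/site2/public_html"
    chmod -R 700 "$tmp/site1"
    path_inside_webroot "$tmp/site1/public_html" "$tmp/site1/public_html/images" \
        && echo "images/: inside web root (ok)"
    path_inside_webroot "$tmp/site1/public_html" "$tmp/site1/public_html/../../site2" \
        || echo "../../site2: outside web root (rejected)"
    audit_site_perms "$tmp/site1" && echo "no files exposed to other local users"
    rm -rf "$tmp"
}

demo
```

The permission audit only tells you whether files are exposed at the filesystem level; the isolation Per Yngve Berg describes comes from running each site's PHP under its own user, so that the audit's "owner" is genuinely a different account per site. The same containment test belongs inside an extension's own code: canonicalise the configured folder with realpath() and refuse it unless it lies under JPATH_ROOT, rather than trusting whatever a super user typed.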
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: How to prevent extensions to access the server's root directory?
Thanks for your observations about some third-party extensions that appear to behave in this manner. If people have concerns about third-party extensions that expose security issues with their J! websites, they can report them to the VEL—the Vulnerable Extensions List team—for investigation. Extensions that the VEL team put under the microscope for investigation can then be removed from the JED if those suspicions are proven to be verified. It's then up to the developers of those extensions to remediate such issues before the extensions are permitted to be listed on the JED again.
That's what I would do. I hope this helps.
- Joomla! Enthusiast
- Posts: 117
- Joined: Tue Jun 03, 2014 3:37 pm
Re: How to prevent extensions to access the server's root directory?
Thank you all for your comments!
As Joomla is targeting not only developers, but also people who do not have abilities in webserver configuration, I see a need for Joomla taking care of avoiding such exploits through its system and its extensions.
Therefore I reported the extension mentioned in my initial post.
But as any other extension could also misuse the Joomla system to exploit all data on a webserver, I am still thinking about Joomla's responsibility to provide more security through its software.
Any constructive input to this matter (especially by Joomla) is very welcome!
Kind regards,
Gerald