Joomla Web Security - Why It Matters
In the modern world of Software Development, there are plenty of people who spend their time being innovative and creative, looking to provide software that meets the demands of an ever-growing user base of customers. Unfortunately, on the other side, there are also those who wish to gain access to your website, your data, and more importantly, your customer data by any means possible. This means you need to be aware of what you have to do to stop this from happening.
Joomla, like any open source application, has a large user base of Developers and Testers around the world. This active network spends a lot of time developing the Joomla CMS. They are also responsible for fixing bugs and releasing new features to keep up with the demand for functionality from the millions of people who use Joomla to run their websites.
There are currently three main versions of Joomla in use. The oldest version is 1.5, the more popular version, 2.5, and most recently version 3.0 which offers a lot more richness in functionality than the previous versions of the CMS.
Things to Consider
As support is dropped for the older versions of Joomla, the knock-on effect is that bugs are no longer fixed which does raise the issue of holes and gaps being exploited. This threat doesn't just come from ethical developers who simply want to raise awareness, but also from those who are keen to break into websites to steal data or deface them in some way. In all such cases, they will gain access to your admin area and have the ability to lock you out of your own website by changing all your access passwords and so on.
Depending on the type of website you have, the risk of exposing not just your data, but that of your customers too, is of paramount importance especially if your country has laws in place to protect data. In the UK for example, there is the Data Protection Act and action does get taken against organisations which fail to protect their customers' interests online.
The primary threat to websites in general (not just limited to Joomla, as badly developed bespoke applications can also be affected) is Cross Site Scripting (XSS).
The ability to conduct XSS attacks relies upon the use of code to exploit weaknesses and open gaps in the core software. They will also target the plugins and components that are built into the site from third party developers.
The Knock-on Effects of the Joomla Update
It is natural for plugin developers to also drop support for their component versions on a version of Joomla that is no longer maintained, and sometimes this provides the perfect scenario for the site to be exploited and the back end exposed through a sustained attack through many different methods of XSS.
Nothing prepares you more for the onset of an attack than having software that is kept up to date. If you're running an older version of Joomla, Wordpress or any other type of open source application, then look for opportunities to upgrade to the latest version.
Unfortunately, this may mean spending both time and money on your website, but it's time and money well spent especially when your website has to comply with international laws, alongside the duty you have to your customers. You also need to ensure your plugins and components are kept up to date, as new versions of Joomla inevitably mean that plugin updates will be close behind.
Download our XSS overview (link to PDF) or click on any of the links below for some more information on XSS.
http://www.xssed.com/article/31/The_Beginners_Guide_to_XSS/
http://binhduong-ug.blogspot.co.uk/2012/11/xss-master-guide-for-all-xperts-and.html
http://www.cgisecurity.com/xss-faq.html
https://www.owasp.org/index.php/XSS