8 Simple Ways to Hack Your Joomla

A presentation by Tenko Nikolov (@tnikolov) at Joomla World Conference 2013 about the most common ways to get your Joomla site hacked.


8 Simple Ways to Hack Your Joomla: Presentation Transcript

  • “8 simple ways to hack your Joomla!” Tenko Nikolov @tnikolov JWC’13
  • a few words about me • Partner & CEO, SiteGround • Founder, 1H - www.1h.com • 17+ years of IT Experience • Graduated Law School... • Passionate photographer • Performance addict • Security freak
  • SiteGround is the home of 100,000 Joomla! sites
  • we face hundreds if not thousands of security attacks per day
  • “Why would somebody hack me?”
  • Hackers don’t really care about your site. All they care about is sending some spam.
  • “Security is not a product, but a process.” If anybody tells you your site is unhackable, that guy is a liar!
  • 1. Outdated Joomla! Core
  • Quick demo... of the Joomla! file upload security bug
  • more info on the hack • All versions before 3.1.5 and 2.5.14 are vulnerable • Can be executed by any user, no admin rights needed • The attacker can obtain full access to Joomla! and its surrounding userspace
  • More info on the hack • Joomla!: http://goo.gl/8YwZIk • Sucuri: http://goo.gl/WjLKGm • SiteGround: http://goo.gl/NWkZTz
  • Always update! There is no excuse for not updating!
  • Use software to get notified and update Joomla! Core
  • Admin Tools: https://www.akeebabackup.com/products/admin-tools.html • Watchful.li: https://watchful.li/features/
  • SiteGround does automatic Joomla! Updates too ;) Remember to create a backup before updating.
  • Read security bulletins • Joomla! Security News: http://feeds.joomla.org/JoomlaSecurityNews • Sucuri: http://blog.sucuri.net/?s=joomla
  • 2. Extensions
  • Here’s a scenario: • Your site is up to date • Your extensions are up to date • But you still get hacked… • Wonder why?
  • Extension vulnerabilities • Sometimes when a vulnerability in an extension is found, it takes the extension developers too much time to fix it. • Therefore it’s always good to use a WAF! • WAF = Web Application Firewall
  • Popular WAFs
  • “ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server, IIS and NGINX. ModSecurity is a web application layer firewall. ModSecurity is free software released under the Apache license 2.0.” -Wikipedia
  • SiteGround adds more than 200 mod_sec rules every week.
  • example mod_sec rule
      # 30.Sep.2013
      # joomla com_seminar Cross site scripting Vulnerability
      # http://cxsecurity.com/issue/WLBD2013090184
      SecFilterSelective REQUEST_FILENAME "index.php" "chain,id:00680"
      SecFilterSelective ARG_option "com_seminar" chain
      SecFilterSelective ARG_search "onmouseover"
  • CloudFlare and Incapsula are advanced, mod_security-like FREE services that also add CDN functionality.
  • More Security Bulletins Joomla! Extensions Security News: http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
  • 3. Themes
  • “Templates are software, not just a bunch of graphics. Template developers do release security upgrades all the time. Make sure you install them. I've seen many sites getting hacked because of a dated template with a SQL injection or XSS vulnerability.” -Nicholas Dionysopoulos
  • Example: RocketTheme SQL injection in their modules http://www.rockettheme.com/blog/extensions/1300-important-securityvulnerability-fixed
  • WAF is good for themes too.
  • 4. Weak passwords
  • Let me tell you a story…
  • On April 9th we got hit by a huge brute force attack towards many Joomla!s
  • bots used more than a thousand different IPs per server to scan for passes… … and we blocked more than 92,000 IPs in total across our network in just
  • In 12 hours we blocked more than 15 million login requests. But still, we thought many passwords were guessed.
  • We then tried to brute force our clients ourselves. And we were shocked how many passwords we found.
  • Over 40% of our customers used Really Weak passwords. Like REEEEEALLLY WEAK!
  • Let me show you how easy it is to crack a dumb password, say: “admin123”. Username is admin.
  • So in less than 10 seconds I’ve got your password
  • Tip: Change your password to a full sentence. It’s easy to remember and hard to guess, like: “I love to watch the sunset.”
  • Tip 2: Change your username! admin2 is not acceptable either ;) Try yourname_adm1n
  • Tip 3: Implement captcha on your login page
  • 5. Outdated Server Software
  • Old PHP 5.3 running as CGI: remote execution exploit http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
  • Quick demo how it works: http://testdomainname.com/j25/index.php?-s
  • MySQL password-less auth security vulnerability. All 64bit MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable http://blog.sucuri.net/2012/06/security-vulnerability-in-mysql.html
  • Make sure your server side software is current at all times.
  • 6. Incorrectly configured server software
  • Apache Symlinks bug http://seclists.org/fulldisclosure/2013/Aug/81
  • 7. Joomla! Permissions
  • Correct Joomla! Permissions set • Folders: 755 • Files: 644 • configuration.php 444
  • Incorrect Joomla! Permissions set • All: 777 • Anything more than 755
  • Account isolation is a must when you are hosted on a shared server.
  • 8. Malware
  • Viruses and Trojans steal your login details. They want to spam, remember?
  • Stay up to date on anti-virus software. Or use Linux.. Or a Mac ;)
  • So let’s recap… • Update your Joomla! • Update your extensions. Read security bulletins once in a while. • Update your themes. Don’t forget that! • Use strong passwords and non-default admin usernames. • Make sure your server side software is current (PHP, Apache) • Make sure your server side software is correctly set up • Use correct file permissions for Joomla! • Watch out for that sneaky malware
  • Questions?
  • In case you wondered - here’s my test environment • CentOS 6 64bit VM with 2.6.32 kernel • Apache/2.2.25 (latest) • PHP 5.3.10 (latest is 5.3.27) • Joomla! 2.5.13
  • Thank you!
  • Tenko Nikolov @tnikolov tenko@siteground.com
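
For slide 5 (PHP running as CGI, demo URL `index.php?-s`), a log check a defender can run: this is an added example, not part of the presentation. It flags requests whose query string has no `=` and starts with a hyphen, and goes slightly beyond the slide by also matching the percent-encoded hyphen. The function name `detect_phpcgi_args` and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): flag access-log requests whose query
# string would be parsed by a vulnerable php-cgi as command-line switches.

# Constructed sample log in Apache combined-style format; IPs are
# documentation addresses and the paths mirror the slide's demo URL.
SAMPLE_LOG='192.0.2.10 - - [09/Apr/2013:10:00:01 +0000] "GET /j25/index.php?-s HTTP/1.1" 200 5120
198.51.100.7 - - [09/Apr/2013:10:00:02 +0000] "GET /j25/index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8342
203.0.113.5 - - [09/Apr/2013:10:00:03 +0000] "GET /j25/index.php?%2Ds HTTP/1.1" 200 5120
198.51.100.7 - - [09/Apr/2013:10:00:04 +0000] "GET /j25/index.php?search=-s HTTP/1.1" 200 9001
198.51.100.9 - - [09/Apr/2013:10:00:05 +0000] "GET /j25/ HTTP/1.1" 200 7000'

# detect_phpcgi_args: read log lines on stdin, print "<client> <uri>" for
# every request whose query string has no "=" and starts with "-" or "%2d".
detect_phpcgi_args() {
    awk '
    {
        # The request line is the first double-quoted field.
        if (split($0, q, "\"") < 3) next
        if (split(q[2], req, " ") < 2) next
        uri = req[2]
        pos = index(uri, "?")
        if (pos == 0) next                    # no query string at all
        qs = substr(uri, pos + 1)
        if (index(qs, "=") > 0) next          # ordinary key=value query
        if (qs ~ /^(-|%2[dD])/) print $1, uri # switch-like query string
    }'
}

# Run the check over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | detect_phpcgi_args
```

Against a real server, feed it the access log on stdin, e.g. `detect_phpcgi_args < access_log`; hits on a patched PHP are still worth reviewing as scan activity.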
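
For slide 7 (Joomla! permissions), an audit of a site tree against the modes given there (folders 755, files 644, configuration.php 444): this is an added example, not part of the presentation. The function name `audit_joomla_perms`, the finding labels and the demo tree are constructed; it assumes `configuration.php` sits in the site root.

```shell
#!/bin/sh
# Added example (not from the slides): report paths in a Joomla! tree that are
# looser than the slide's modes (folders 755, files 644, configuration.php 444).

# audit_joomla_perms ROOT
# Prints "<finding> <path>" per problem, sorted; prints nothing when clean.
audit_joomla_perms() {
    root=${1:?usage: audit_joomla_perms JOOMLA_ROOT}
    cfg=$root/configuration.php
    {
        # Folders writable by group or others (775, 777, ...).
        find "$root" -type d \( -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/DIR_WRITABLE /'
        # Files writable by group or others (664, 666, 777, ...).
        find "$root" -type f ! -path "$cfg" \( -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/FILE_WRITABLE /'
        # configuration.php should be read-only for everyone (444).
        if [ -f "$cfg" ]; then
            find "$cfg" \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print |
                sed 's/^/CONFIG_WRITABLE /'
        fi
    } | LC_ALL=C sort
}

# Constructed demo tree (not a real site): a 777 folder, a 666 file and a
# configuration.php left at 644 instead of 444.
demo=$(mktemp -d)
mkdir -p "$demo/site/cache"
chmod 755 "$demo/site"
chmod 777 "$demo/site/cache"
: > "$demo/site/index.php";         chmod 666 "$demo/site/index.php"
: > "$demo/site/configuration.php"; chmod 644 "$demo/site/configuration.php"
audit_joomla_perms "$demo/site"
rm -rf "$demo"
```

Symbolic links are not followed, so the report covers only what is physically inside the given root.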