If your website is run on Joomla, Drupal, CiviCRM
then your site is at risk of being hacked.
Joomla, Drupal and CiviCRM developers often release
security patches, which ﬁx security vulnerabilities
with their software.
Your website (code) needs to be patched regularly
with security updates (just like your computer) to keep
it secure, in combination with other strategies.
How did this happen?
Allows an attacker to:
Execute commands as another user.
Access data contrary to the speciﬁed access restrictions for
Pose as another entity.
Conduct a denial of service.
Conduct information gathering activities.
Hide activities. The google search shows an example
of an attacker hiding links in your site that redirect your
users to their website!
Includes a capability that behaves as expected, but can
be easily compromised.
What is a software vulnerability?
3. What Actually Executes
SELECT Username, Password FROM Users
WHERE Username = '' OR 1=1 #' and
Password = ''
2. Login Code
The developer’s code to check logins:
$check = mysql_query("SELECT
Username, Password, UserLevel FROM
Users WHERE Username = '".
$_POST['username']."' and Password = '".
1. User Logs In
User enters ‘ OR 1=1 # as
4. The Result?
# is a comment in MySQL, and 1=1 will
always be TRUE. Thus, the login code
returns all users, and logs in the ﬁrst user
in the database (typically an admin user).
A software vulnerability example
Source: Australian Government
Department of Defence 2013
The Open Web Application Security Project - owasp.org. Community
dedicated to enabling organisations to develop, purchase and maintain
applications that can be trusted.
1. Injection - i.e. The login example
2. Cross Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-site Request Forgery
6. Security Misconﬁguration - i.e. Ensure users have appropriate access.
7. Insecure Cryptographic Storage - i.e. Don’t store sensitive information
without appropriate encryption.
8. Failure to restrict URLs - i.e. Ensure sensitive information requires login.
9. Insufﬁcient Transport Layer Protection (No SSL when required) i.e. Use an SSL
certiﬁcate when appropriate.
10. Unvalidated Redirects and Forwards i.e. When you host with us, we install
tools that proactively protect your site for added security.
OWASP Top 10 Risks
1. Use maintained website platforms and modules:
Use well known software and modules that don’t feature regularly on the Joomla
and Drupal vulnerable extensions list.
2. Don’t use Joomla 1.5 or Drupal 6!
If you have a Joomla v1.5 site or Drupal v6 site contact Energetica about
upgrading your site. There are many known security vulnerabilities with these
versions and we recommend not using them in production.
3. Apply Security Updates when released. We can proactively update core
Drupal, CiviCRM and Joomla versions when security updates are released as
part of our support packages.
4. Limit administration privileges. Perform regular audits of users and their
5. Patch the OS. We routinely patch our web hosting servers with the latest
Prevention better than cure
and enter your website.
See the links shown are
ones you expect or know!
The example shows
Energetica’s website. All
of the links returned are
valid for us.
If you are unsure of the
results of your scan,
discuss them with us.
If your site has been
hacked, Energetica can
remove the hack and
help prevent it from
Free Quick Check