Joomla 1.5 Security

If you use open source software like Joomla, you will often read about security warnings, updates and hacks. People who work at hosting companies can be prime suspects, since they have access to so many passwords on shared accounts, and turnover at some companies can be very high. Beyond that, the web is rife with individuals who spend their time invading other people's space. In the web world, the best you can do is to defend yourself as well as you can, and then do a bit more. Often there is a solution to your problem, and with Joomla 1.5 there are many things you can do to protect yourself. Below are a few such preparations.

1. Use a custom database table prefix to help safeguard against SQL injection. By default, Joomla uses jos_, and that is the prefix an injector would try to target.

2. Disable administrator password resets. Disabling the reset removes the ability of anyone who knows (or controls) your email address to reset the administrator password.

a) Open the file components\com_user\models\reset.php

b) Look for this query (the closing semicolon ends the statement):

        // Build a query to find the user
        $query    = 'SELECT id FROM #__users'
                . ' WHERE email = '.$db->Quote($email)
                . ' AND block = 0';

c) Add the following condition as a new line (moving the closing semicolon onto it), so the query becomes:

        // Build a query to find the user
        $query    = 'SELECT id FROM #__users'
                . ' WHERE email = '.$db->Quote($email)
                . ' AND block = 0'
                . ' AND usertype NOT LIKE \'%Administrator%\'';
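The following is an added example, not code from the page or from Joomla itself, and it covers both the custom prefix in item 1 and the reset query in item 2. It is written in Python with an in-memory SQLite table so the query logic can be run offline; the table rows, the email addresses and the prefix value xq7k_ are all constructed stand-ins. replace_prefix() expands the #__ placeholder the way Joomla does before a query runs, and find_reset_candidate() mirrors the reset.php lookup with and without the added usertype condition (parameter binding stands in for $db->Quote()). Note that NOT LIKE '%Administrator%' excludes both Administrator and Super Administrator, but a Manager account (which can also log in to the back end in Joomla 1.5) still passes the check.

```python
import sqlite3

# Constructed stand-in for the configured table prefix ($dbprefix in
# configuration.php). The stock value is "jos_"; a site-specific value is assumed.
DB_PREFIX = "xq7k_"


def replace_prefix(sql: str, prefix: str = DB_PREFIX) -> str:
    """Expand the '#__' placeholder into the configured prefix, as Joomla does."""
    return sql.replace("#__", prefix)


def make_db(prefix: str = DB_PREFIX) -> sqlite3.Connection:
    """Build an in-memory users table with constructed rows (not real accounts)."""
    db = sqlite3.connect(":memory:")
    db.execute(replace_prefix(
        "CREATE TABLE #__users ("
        " id INTEGER PRIMARY KEY, email TEXT, usertype TEXT, block INTEGER)",
        prefix))
    db.executemany(replace_prefix("INSERT INTO #__users VALUES (?, ?, ?, ?)", prefix), [
        (62, "root@example.invalid", "Super Administrator", 0),
        (63, "admin@example.invalid", "Administrator", 0),
        (64, "manager@example.invalid", "Manager", 0),       # back-end user not caught
        (65, "writer@example.invalid", "Registered", 0),
        (66, "old@example.invalid", "Registered", 1),        # blocked account
    ])
    return db


def find_reset_candidate(db: sqlite3.Connection, email: str,
                         exclude_admins: bool = True, prefix: str = DB_PREFIX):
    """Mirror the reset.php lookup; return the matching user id or None.

    exclude_admins=False reproduces the stock query; True adds the hardening
    condition from the page. The email is bound as a parameter rather than
    quoted into the string, which is the Python equivalent of $db->Quote().
    """
    sql = ("SELECT id FROM #__users"
           " WHERE email = ?"
           " AND block = 0")
    if exclude_admins:
        sql += " AND usertype NOT LIKE '%Administrator%'"
    row = db.execute(replace_prefix(sql, prefix), (email,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for mail in ("root@example.invalid", "admin@example.invalid",
                 "manager@example.invalid", "writer@example.invalid"):
        print(mail, "stock:", find_reset_candidate(db, mail, exclude_admins=False),
              "hardened:", find_reset_candidate(db, mail))
```

Running the script shows the two administrator addresses resolving to a user id under the stock query and to None once the condition is added, while the Manager and Registered accounts are unaffected. If Manager accounts should be protected as well, the same pattern extends to an extra NOT LIKE clause on that usertype.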

3. Edit the files components\com_content\views\article\view.html.php and components\com_content\views\frontpage\view.html.php.
The idea here is to not allow document revisions from the front end. A user could still log in, but would not be able to make changes.

        Change:
        $access->canEdit       = $user->authorize('com_content', 'edit', 'content', 'all');
        $access->canEditOwn    = $user->authorize('com_content', 'edit', 'content', 'own');

        Change To:
        $access->canEdit       = $user->authorize('com_content', 'edit', 'content', 'none');
        $access->canEditOwn    = $user->authorize('com_content', 'edit', 'content', 'none');

        Change:
        $access->canPublish    = $user->authorize('com_content', 'publish', 'content', 'all');

        Change To:
        /*$access->canPublish    = $user->authorize('com_content', 'publish', 'content', 'all');*/

4. Download the IP Filter component.
a) Set login access for a specific user from a specific IP.
The admin would then only have access from specific computers. If you need to change this in an emergency, use phpMyAdmin to adjust the IPs or delete the entry.
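As an added example of the per-user, per-IP login check that item 4 describes (this is illustrative Python, not the IP Filter component's own code), the function below decides whether a back-end login for a given username from a given source address should be accepted. The allowlist, usernames and addresses are constructed; entries may be single addresses or CIDR ranges, and the default is to fail closed for any user who has no entry at all.

```python
import ipaddress

# Constructed allowlist keyed by Joomla username (hypothetical values).
# Each entry is a single address or a CIDR range.
ADMIN_ALLOWLIST = {
    "admin": ["203.0.113.10", "198.51.100.0/28"],
    "editor": ["192.0.2.5"],
}


def parse_networks(entries):
    """Turn a list of address/CIDR strings into ip_network objects.

    strict=False accepts host bits set in a range (e.g. 198.51.100.7/28),
    which is what an administrator typing an entry by hand usually means.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def login_allowed(username, source_ip, allowlist=ADMIN_ALLOWLIST,
                  restrict_unlisted=True):
    """Return True only if source_ip falls inside one of the user's allowed ranges.

    Unparseable addresses are always refused. Users with no allowlist entry are
    refused when restrict_unlisted is True (fail closed); set it to False to
    filter only the users that have been explicitly configured.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    entries = allowlist.get(username)
    if not entries:
        return not restrict_unlisted
    # A v4 address is never "in" a v6 network and vice versa; that yields False.
    return any(addr in net for net in parse_networks(entries))


if __name__ == "__main__":
    # Constructed login attempts: (username, source address)
    attempts = [("admin", "203.0.113.10"), ("admin", "198.51.100.7"),
                ("admin", "198.51.100.16"), ("editor", "192.0.2.6"),
                ("nobody", "203.0.113.10")]
    for user, ip in attempts:
        print(f"{user:8} from {ip:16} -> {'allow' if login_allowed(user, ip) else 'deny'}")
```

The source address handed to login_allowed() must be the one the web server actually saw for the connection, not a client-supplied header such as X-Forwarded-For, unless a trusted reverse proxy sets that header; otherwise the check can be bypassed by anyone who can send arbitrary headers.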

5. Install a plugin to redirect back-end access. For example, example.com/administrator would return a 404 error page, because the admin needs to add a code such as example.com/administrator/#my_special_code to reach the username and password fields.

6. Install the Joomla Hackguard plugin. The plugin filters the $_POST, $_GET and $_COOKIE variables, sanitizes data and more. It is available for Joomla 1.5 to 2.5 and was designed by the hosting company SiteGround.

7. Keep Joomla at the latest version and install patches as they are released.

Summary:
We have disabled anyone from editing content from the front end. We have restricted entry to the back end. Only the admin can log in to the front end to edit forums and other components, and only from a specific IP. We have also limited the chances of a successful SQL injection and have filtered tainted input.