Among the different online content management platforms available, Joomla is preferred for its flexibility and improved security. Yet this doesn't stop hackers from probing your site for vulnerabilities to exploit. Regardless of the type of website and its security level, websites are always susceptible to being hacked. Most of the time this is due to the use of vulnerable third-party extensions.

Joomla is developed by expert developers and has a strong security model to combat vulnerabilities in web applications. Security holes in web applications are mostly introduced by poorly coded extensions that don't implement the Joomla security model. That is why it is critical to choose an extension from a reputed provider. In this post, we'll cover the most common types of vulnerabilities and how they can be prevented when creating custom Joomla extensions.

Common Vulnerabilities and their Fixes in Joomla

You can download sample code where these vulnerabilities are correctly handled here.

HTML Injection 

HTML injection is an injection issue that occurs when a user controls an input point and is able to inject arbitrary HTML code into a vulnerable web page. Its consequences range from account takeover to, more generally, letting an attacker modify the page content seen by the victims.

This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. 

Solution - Use the safehtml filter to strip all HTML tags.

Example

Here we use the safehtml filter so that the user-supplied Last Name is stored free of any sort of HTML code. The example below shows the filter applied to the Last Name field.

<field name="lname" type="text" label="COM_SCHOOL_FORM_LBL_STUDENT_LNAME" description="COM_SCHOOL_FORM_DESC_STUDENT_LNAME" required="true" filter="safehtml"/>

Sometimes vulnerabilities in other parts of the code allow payloads to be injected into the database. In such a case, our web application must not execute any malicious code on the client side even if the database is already infected. Hence, storing the data in a sanitized manner is not enough. We must also use filters to display this data safely.

The example below demonstrates how we can use the $this->escape() function to sanitize data read from the database before displaying it to the user, so that no malicious HTML or javascript payload is executed in the user's browser.

<?php echo $this->escape($item->fname . ' ' . $item->lname); ?> 

SQL Injection

SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. To prevent this, any user input should be escaped before it is substituted into a query.

Solution - Use function $db->escape() and $db->quote() while accepting the user input data.

Example

The code below is written such that the search query is executed only after all the user input has been sanitized against possible SQL injection payloads.

use Joomla\CMS\Factory;
$db     = Factory::getDbo();
$search = Factory::getApplication()->input->get('search', '', 'STRING');
$search = $db->quote('%' . $db->escape($search, true) . '%', false); // escape(..., true) also escapes the LIKE wildcards % and _; quote(..., false) does not escape a second time

Here we use the $db->escape() function to sanitize the search term received from the user. We can also typecast the user input so that only integers, characters, etc. are accepted.

If the above functions are not used, a single quote is enough to break the SQL query syntax, and the attacker will be able to inject and run SQL of their choice against the database behind the webserver.
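To show the difference in context, here is an added example of a model-style search in the vulnerable and the hardened form. It is not code from the original post or from any Techjoomla extension; the table name #__school_students, its columns and the class_id request parameter are assumptions chosen to match the COM_SCHOOL naming used above.

```php
<?php
// Added example (not from the original post). Table and column names and the
// class_id parameter are assumptions for illustration.
use Joomla\CMS\Factory;

/**
 * VULNERABLE form, kept only for contrast: the raw search term is concatenated
 * into the statement. A single quote in $search terminates the string literal
 * and whatever follows is parsed as SQL. Never ship this.
 */
function searchStudentsUnsafe($search)
{
    $db = Factory::getDbo();
    $db->setQuery("SELECT id, fname, lname FROM #__school_students WHERE lname LIKE '%" . $search . "%'");

    return $db->loadObjectList();
}

/**
 * HARDENED form: every value reaching the statement is either quoted and
 * escaped (strings) or cast (integers), and identifiers go through quoteName().
 */
function searchStudentsSafe()
{
    $input = Factory::getApplication()->input;
    $db    = Factory::getDbo();

    // The 'STRING' filter drops HTML/PHP tags; getInt() yields an integer or the default.
    $search  = $input->get('search', '', 'STRING');
    $classId = $input->getInt('class_id', 0);

    // escape($search, true) additionally escapes the LIKE wildcards % and _, so
    // the user cannot widen the match; quote(..., false) only adds the quotes
    // because the value has already been escaped.
    $like = $db->quote('%' . $db->escape($search, true) . '%', false);

    $query = $db->getQuery(true)
        ->select($db->quoteName(['id', 'fname', 'lname']))
        ->from($db->quoteName('#__school_students'))
        ->where($db->quoteName('lname') . ' LIKE ' . $like);

    if ($classId > 0) {
        // Integer input: an explicit cast is sufficient, no quoting needed.
        $query->where($db->quoteName('class_id') . ' = ' . (int) $classId);
    }

    $db->setQuery($query);

    return $db->loadObjectList();
}
```

The hardened version never builds SQL from user text directly: strings pass through escape() and quote(), integers are cast, and the query builder assembles the statement. A quick review check for any Joomla extension is therefore to search its models for setQuery() calls that receive a string containing a PHP variable; each one needs the treatment shown here.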

XSS (Cross-Site Scripting)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. 

XSS can cause a variety of problems for the end-user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve the disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

Solution - There must be a validation of user input data on the client-side and server-side as well before it is stored in the database.

For client-side validation - We can use appropriate validate classes on the client-side to avoid accepting malicious javascript payloads directly into the form field. It’s also possible to use custom javascript to validate user input at the client-side.

Server-side validation - For server-side validation, we must define proper filters in the XML files to sanitize input. If strings are accepted, they must be properly escaped before being stored in the database (for example with JFactory::getDBO()->escape()).

<field name="description" type="text" label="COM_SCHOOL_FORM_LBL_DESC" description="" required="true" filter="WORD"/>

Here, for the description field, we have used the WORD filter so that only letters and underscores are accepted.

For server-side validation - Use trim to get rid of unwanted whitespace at the beginning and end of the user input. Then use the function JFactory::getDBO()->escape(), applying htmlspecialchars() and/or htmlentities() as applicable, to escape javascript payloads in the user input before storing it in the database.

$data['description'] = JFactory::getDBO()->escape($data['description']);

But sometimes the data retrieved from the database is decoded in the browser. Alternatively, you may not want to escape the data before storing it in the database. In such cases the javascript payloads get executed in the browser, leading to potential vulnerabilities. To prevent this, data fetched from the database must be escaped before it is displayed.

<?php echo $this->escape($item->description); ?>
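The two calls relied on in the HTML Injection and XSS sections above, the WORD form filter on input and $this->escape() on output, can be seen working without a Joomla install. The block below is an added example, not code from the original post or from Joomla itself: it reproduces in plain PHP what those two calls do (the WORD filter is a letters-and-underscores regex; HtmlView::escape() in Joomla 4 is htmlspecialchars with ENT_QUOTES and UTF-8), runs them over a constructed stored value, and checks the rendered result.

```php
<?php
// Added example (not from the original post). The sample description below is
// constructed; the two functions mirror Joomla's WORD filter and HtmlView::escape().

// What Joomla's WORD input filter does: keep only letters and underscores.
function filterWord(string $value): string
{
    return (string) preg_replace('/[^A-Z_]/i', '', $value);
}

// What $this->escape() does in a Joomla 4 HtmlView. ENT_QUOTES matters: the
// single quote is converted too, so the result is also safe inside
// single-quoted attributes, not only in element bodies.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// After escaping, none of the characters that could open a tag or close an
// attribute may remain. Suitable as a unit-test assertion for a view layout.
function isHtmlInert(string $escaped): bool
{
    return strpbrk($escaped, '<>"\'') === false;
}

// Constructed sample: the kind of value that reaches the database when a field
// is stored with filter="RAW" and no escaping.
$storedDescription = 'Grade 10 <script>alert("x")</script> & "quoted" text';

// 1) Input side: had the WORD filter been applied, the markup could never
//    have been stored. Note how strict it is (spaces and digits go as well).
$filtered = filterWord($storedDescription); // Gradescriptalertxscriptquotedtext

// 2) Output side: the value already in the database is rendered safely in
//    both an element body and a double-quoted attribute.
$escaped = escapeForHtml($storedDescription);

$html  = '<p class="description">' . $escaped . '</p>' . "\n";
$html .= '<input type="text" name="description" value="' . $escaped . '">' . "\n";

echo "WORD-filtered input: {$filtered}\n";
echo $html;
echo isHtmlInert($escaped) ? "escaped value contains no raw < > \" '\n" : "escaping failed\n";
```

Two practical notes follow from running this. The WORD filter removes spaces and digits, so it suits identifiers rather than free text; for a description field a less strict filter combined with output escaping is the realistic choice, and the output escaping remains mandatory either way. Also, htmlspecialchars() makes a value inert only in element bodies and quoted attributes; a value placed inside a <script> block, an event-handler attribute, a javascript: URL or a style block needs the encoding appropriate to that context, and the simplest defence is not to place user data there at all.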

Summary

Along with these mechanisms there are many more that developers need to take care of while writing secure code. We will discuss them in blog posts to come.

For a secure Joomla website, you must gain real experience, or get experienced help from others. There are many aspects to deal with while implementing a secure Joomla website. And who knows this better than the folks at Techjoomla? Being one of India's biggest Joomla companies, with more than 12 years of experience, we have a wide range of extensions and services available, all built to high security standards, to satisfy all your requirements. Check out a few of our extensions here, or contact us here for custom requirements.