Web-based Content Management Systems, specifically Joomla! installations.
This Alert was developed as a collaborative effort between Public Safety Canada and the U.S. Department of Homeland Security. This informational note is aimed to raise awareness of important cyber security practices in regard to content management systems, specifically Joomla! installations.
Compromised web servers are increasingly being utilized by malicious actors to carry out cyber attacks, such as distributed denial-of-service attacks against critical infrastructure companies around the world. These web servers offer increased networking and computing capacity compared with average user workstations, and are therefore a target of choice for malicious actors to build their attack infrastructure. For this reason, it is imperative to secure servers according to best practices, and thus limit their exposure to control by potentially malicious actors.
Specifically, the compromised servers running Content Management Systems (CMSs) are consistently targeted and leveraged to launch cyber attacks. CMSs are software suites that allow site administrators to easily manage the design, functionality, and operation of websites with minimal technical expertise. In recent years there has been an increase in the number of deployments of CMS software on the Internet. This has been fueled by popular open source projects which are freely available under General Public License (GPL) model. Unfortunately, some CMS web server operators are not following security best practices, exposing them and others to cyber security risks such as compromise and denial of service.
Joomla! is one of the most widely used CMSs in the world. It is PHP-based and allows rapid deployment of dynamic content on websites. It is recognized for its simplicity of deployment and usage while offering extensive features and plugins. However, like many other large software packages, Joomla! has been the subject of a number of vulnerabilities in recent years and, if left unpatched, can represent a risk for site owners, and any other Internet users.
The Canadian Cyber Incident Response Centre and US-CERT are aware of malicious actors exploiting unpatched CMS installations, primarily Joomla! installations, to gain control of web servers and launch distributed denial-of-service (DDoS) attacks against critical infrastructure organizations.
In general, web site administrators should strive to follow patching instructions from their software providers. Additional security practices and guidance are made available by community efforts such as The Open Web Application Security Project (OWASP) and US-CERT's Technical Information Paper TIP-12-298-01 on Website Security.
Joomla! and other CMS packages regularly update their software as vulnerabilities are reported and patches are developed. The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) provides assessments of such vulnerabilities, accompanied by links to specific remediation activities for users and administrators to follow.
Specifically, administrators of Joomla! CMS servers should ensure their installation includes the latest software version available. Additionally, administrators should consider guidance found under the Joomla! community security section and review the following best practices:
- To the extent possible, maintain moderator control for the creation of user accounts. This may limit the use of automated account creation tools and associated automated posting of malicious content or even site compromise.
- Ensure underlying server operating systems, services and software packages, especially third party plugins, are patched and up-to-date.
- Limit common security threat access by leveraging the security capabilities of the .htaccess file of the Apache web server (or equivalent access control features of Nginx or Microsoft IIS).
- Ensure accounts and files permissions are set properly, including changing the default administration user name and password.
- Enforce strong user password policy.
- Limit version number exposure of extension files by changing their default name to avoid remote automated scanning looking for specific version for which exploits may exist.
- Implement SSL certificates and ensure that non-encrypted sessions fail rather than defaulting to insecure connections. This is especially important in payment processing extension.
- Remove unused services and associated files.
- Consider deployment of a server security monitoring solution including anti-virus. Additionally, security monitoring and logging including administrative login attempts should be considered.
January 24, 2013: Initial release
October 23, 2015: Updated links