I spent the past few days in the VERY unpleasant situation where I had to remove tons of spam-sending scripts from a couple of websites I host. These were in relation to unsecured, unmaintained Joomla! installations, and exploited the cache folder. I won't bother you with the why or how, just know that the vulnerability existed, and has been fixed for versions 2.x and up -- NOT 1.x. Here's the simple way to secure yourself without changing the Joomla site code.
My position is an ackward one - I started receiving tons of complaints, and got one of my server IPs blacklisted, all because a person who bought a Joomla site a few years ago (built on 1.5) got infected. There are methods to patch it, but that would involve me changing files in his installation, and I don't want to do that.
What I can do, is apply a simple fix that secures his domain from the attack. Here's how this vulnerability works:
- a malicious user on the internet, can make Joomla upload a file from wherever, to the server that hosts the site (on ANY directory that the user has permission)
- the malicious user uploads a PHP file
- the PHP file is accessed multiple times, each time launching either a spam-mail barrage, or attacks to other services, as part of a DDoS attempt
Any server setup worth its salt will have proper permissions in place, allowing the user to ONLY upload files in his own space. Joomla has a cache folder under its root, which is writeable, and usually serves as a target.
The nice part is that normally, that folder only contains assets that can be treated as static (ie HTML, CSS etc), not PHP files. That means that the best defense would be to disable PHP entirely for that folder, which can be easily achieved by uploading a simple htaccess file to that folder!
Here's what to do:
- create a file with any name locally
- paste the following lines in it
RemoveHandler .php .phtml .php3 RemoveType .php .phtml .php3 php_flag engine off
- upload it into the cache folder
- change permissions to readonly
- rename to .htaccess (make sure your client can "view hidden files")
Any PHP file uploaded there will now be treated as a simple text file - not code. You can apply this to any folder that you know will never contain PHP files, for peace of mind.
Hope this helps someone, let me know if you make any improvements upon it!