We write this blog post with sadness. On the 4th December 2007 a nice white hat hacker notified the Joomla Core Development team of a CSRF Vulnerability in Joomla 1.0.13 and Joomla 1.5 RC3.There have been many reports of these vulnerabilities around the web since then.

The nature of the vulnerability means that your site cannot be hacked while you sleep (like many of the other types of 3rd party component issues), but requires you (the sites Super Admin) to be logged into Joomla Admin while at the same time surfing sites (maybe even your own) that contain links to [THINGS] that send [NAUGHTY] requests back to your Joomla Admin Console without you knowing. This can lead to complete disaster and even complete server compromise.

The Joomla Developers took only 4 days to fix this in Joomla 1.5 SVN and then shortly after released Joomla 1.5 RC4 stating they had fixed this category A5 Security [High] Vulnerability.

To date, no changes and no attempts by the core development team have been made to the Joomla 1.0.13+ SVN tree to fix this vulnerability in Joomla 1.0.13 Update: Changes are now in SVN for the next version of Joomla 1.0.x – about time!

In an effort to assist them we spent a few hours and backported code from Joomla 1.5 RC4 to Joomla 1.0.13 and made all the changes required to fix Joomla 1.0.13 and make it secure from this type of vulnerability.

Details of this can be found in the following forum thread:

http://forum.joomla.org/index.php/topic,248109.msg1136076.html#msg1136076

I personally emailed all three lead developers with the same information as I published there, including providing the diff/patch files to Joomla 1.0.13. I have been assured that once Joomla 1.5 stable is released time will be spent on fixing this issue in Joomla 1.0.13 (I object to this – why take 4 days to fix unreleased software and over 4 weeks to fix software running on millions of sites already?!?)

Here is my professional advice to help you stay safe from the known and publish vulnerability until the next version of Joomla 1.0.x is released.

The number one bit of advice I can give all site admins at the moment is to – LOGOUT OF YOUR JOOMLA ADMIN as soon as you finish using it, and do not surf around the internet in other tabs/browser windows while administrating your Joomla site, and if you allow users to modify your site’s frontend, be careful not to surf your frontend as well while logged in.

Do not install any 3rd party components/mambots/modules/AND TEMPLATES!!! from untrusted sources, if these components choose they can use this vulnerability to do[BAD] things…

Follow @blueflameit