A lot of talk has gone on recently regarding CSRF and Joomla 1.0.13/1.5. CSRF is a problem for all web-based applications, and the upcoming Joomla 1.0.14 and Joomla 1.5 stable have both been hardened against such security vulnerabilities. Hardened, not made secure: it is practically impossible to protect against each and every CSRF there is without interrupting workflow. Joomla, like most other web apps, has made it as difficult as possible to use CSRF to hack a Joomla site.
The advice we issued recently is still just as valid now as it will be when Joomla 1.0.14/1.5 are released. Please follow these rules:
- ALWAYS click LOGOUT in Joomla Admin when you finish
- NEVER browse other websites while logged in to Joomla Admin
- If you allow users to upload to or modify your site through any third-party component, then do not browse your own site (or keep such browsing to a minimum) while logged in to Joomla Admin
- NEVER click on links to “Upgrade this component” in third-party components
- NEVER browse forums while logged in to Joomla Admin
However, there is always a better, more secure option:
Prism (formerly Webrunner) is a prototype application that lets users split web applications out of their browser and run them directly on their desktop. In non-techie speak, this means you can launch a scaled-down web browser in its own process and use that to administer your Joomla site. Prism is a scaled-down Firefox web browser designed for web applications, so it is already more secure in that it is not Internet Explorer based.
We have been highly active in using Webrunner/Prism since the first release, and we are addicted.
Once you have Prism installed, simply double-click its icon and you will be prompted for a URL and a NAME (and a few optional settings).
For the URL, enter your admin console, e.g. http://www.mysite.com/administrator/
and set the NAME to “Administrator for mySite”; also tick the desktop shortcut icon option.
You will then be shown your admin page. You can now log in securely and continue administering your Joomla site in Prism and NOT IN YOUR REGULAR BROWSER; this creates separation between your normal surfing and your Joomla Administrator session.
By doing this you 100% protect yourself from the CSRF vulnerability reported in Joomla and other web apps. Once you get addicted (as we are) to Prism you will never use your browser for web applications again!
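As an added illustration (not code from this post, from Joomla or from Prism), the following Python model shows why the two defences discussed here matter: a per-session token check on state-changing requests, as in the hardened Joomla releases, and keeping the admin session in a separate browser profile so the browsing context that loads third-party pages carries no admin cookie. All names and the endpoint are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage: cookie value -> session state.
SESSIONS = {}


def login(username):
    """Create an admin session and return the cookie the browser would store."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": username, "csrf_token": secrets.token_hex(16)}
    return cookie


def render_form(cookie):
    """The admin page embeds the per-session token in every state-changing form."""
    return SESSIONS[cookie]["csrf_token"]


def handle_delete_article(cookies, form, require_token=True):
    """Server-side handler for a constructed 'delete article' action.
    `cookies` is what the browser attached automatically; `form` is the POST body.
    Returns a short status string."""
    session = SESSIONS.get(cookies.get("admin_session"))
    if session is None:
        return "401 not logged in"  # this browser context holds no admin cookie
    if require_token:
        supplied = form.get("token", "")
        # constant-time comparison; a page on another site cannot read this token
        if not hmac.compare_digest(supplied, session["csrf_token"]):
            return "403 bad csrf token"
    return "200 deleted"


def legitimate_request():
    """Admin submits the real form, which carries the embedded token."""
    cookie = login("admin")
    form = {"id": "42", "token": render_form(cookie)}
    return handle_delete_article({"admin_session": cookie}, form)


def forged_request(hardened, isolated):
    """A third-party page triggers the action without the admin's intent.
    `hardened`: token check enabled (Joomla 1.0.14/1.5 behaviour).
    `isolated`: admin logged in via a separate profile (Prism), so the
    context that loaded the third-party page carries no admin cookie."""
    admin_cookie = login("admin")
    browser_cookies = {} if isolated else {"admin_session": admin_cookie}
    forged_form = {"id": "42"}  # the token is not readable cross-site, so it is absent
    return handle_delete_article(browser_cookies, forged_form, require_token=hardened)
```

Only the combination of an unhardened version and a shared browser session lets the forged request through; either defence alone blocks it, which is why the post recommends session separation even once the hardened releases ship.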
Hope you like the tip!