In the last few weeks, Joomla! sites have garnered increased attention from the hacking community. This has led to the discovery of several security vulnerabilities in the Joomla! 1.0.x core (which have been addressed by this 1.0.11 release) and 3rd Party extensions.
Therefore it is of prime importance that security be at the top of your priorities. To that end you are strongly encouraged to read through the Security Checklist - put together by Security Forum Moderator (rliskey):
http://forum.joomla.org/index.php/topic,81058.0.html
.htaccess
One easy way to block the majority of current exploit attempts is to utilise the .htaccess rules - put together by our Quality & Testing Techincal Lead (RobS):
http://forum.joomla.org/index.php/topic,75376.0.html
These extra .htaccess rules are now part of the Joomla! core as of this 1.0.11 release in the file htaccess.txt.
However if you are upgrading your site, then you will need to manually insert the rules to your .htaccess file yourselves.
This additions to the .htaccess file will help in protecting vulnerable third-party extensions against such attacks.
You are strongly encouraged to implement these into all your existing and future Joomla! sites.
PHP Settings
There are two particular PHP settings which help increase dramatically the security of your site, specially if software contains yet unknown vulnerabilities. As a matter of fact, sites with these settings set correctly have been saved from most last attacks to 3PD extensions:
- Register Globals
- Magic Quotes
You need to ensure that these two settings are set to:
- Register Globals = `OFF`
- Magic Quotes= `ON`
for your system.
To check the value of these settings, go to the System Info page in your Backend end Administrator area (System -> System Info).
Core Settings
There is also one Joomla! Core setting that can pose a potential security threat:
- Register Globals Emulation (RG_Emulation)
Your system is safest when this setting is set to `OFF`.
However, by default Joomla! 1.0.x releases have this setting set to `ON`, as in previous releases. This is because a number of 3rd party extensions are not yet written to work with this setting set to `OFF` and will not function properly. Therefore it has been decided to keep it `ON` by default in Joomla! 1.0.11, to avoid incompatibilities during this highly recommended Joomla! critical core update, and allow you to update safely Joomla! before reviewing your extensions compatibility and setting this parameter to OFF when appropriate for your site.
However, we suggest that you test to see if your site and its extensions will continue to work properly with this setting set to `OFF` as your site will be far more secure when run in this environment.
You can find a discussion thread here about extensions which do not work correctly when this setting is set to `OFF`, and listing updates and ways to fix these extensions so they will work correctly in this environment.
In Joomla! 1.5, `Register Globals Emulation` will be set to `OFF by default`.
To change this setting to `OFF`, you need to edit your globals.php file (found in your sites root directory) and look for the line:
define( 'RG_EMULATION', 1 );
And change the setting to:
define( 'RG_EMULATION', 0 );