Last updated: September 6, 2022

Joomla is the second most popular CMS for websites, with more than 4.5% market share and growing.

Security is as important as website design and content, but we often ignore it until we are negatively impacted. A Joomla server that is not correctly configured or hardened can be vulnerable to many attacks, including remote code execution, SQL injection, cross-site scripting, information leakage, etc.

Security is a process cycle that one should always run against web applications. In this article, I will talk about tools to scan a Joomla website for vulnerabilities so you can protect it from attackers.

Hacker Target

Joomla security scan by Hacker Target has two options.

Passive scan – this is a FREE scan, and it does the following:

  • Google safe browsing look-up
  • Directory index lookup
  • External links and their web reputation
  • List of external iFrames and JavaScript
  • Geolocation & web hosting lookup

Aggressive, active scan – this requires membership and checks aggressively for known exploits and vulnerabilities in themes, extensions, modules, components and the Joomla core.

SiteGuarding

SiteGuarding is a cloud-based website security scanner that also provides a Joomla extension to analyze your website.

In the FREE version of the extension, you get the following:

  • Scan up to 500 files
  • Daily virus database update
  • Reporting
  • One scan per day
  • Heuristic logic

You may also want to try their Antivirus Scanner extension.

Detectify

Detectify is an enterprise-ready SaaS scanner for comprehensive website auditing that checks for more than 1000 vulnerabilities, including the OWASP Top 10. It runs security checks on CMSes like Joomla, WordPress, Drupal, etc. to ensure CMS-specific vulnerabilities are covered.

It is not entirely free, but you can use their trial offer to see how it works.

JAMSS

JAMSS (Joomla Anti Malware Scan Script) is a script that you install in your website's root location.

Installation is nothing more than uploading the file jamss.php to your webroot. JAMSS looks for typical fingerprints and traces of a compromise. The script doesn't harm anything, and to access the scan report you just open yourwebsite.com/jamss.php. Since the report is reachable at that public URL, remove the script from the webroot once you have read it.

SUCURI

Site Check by SUCURI checks for known malware, blacklisting, spam and defacement, and gives you information on the web server, links and included scripts.

Security Check

The Security Check extension protects your website against more than 90 attack patterns, and it has an inbuilt vulnerability check to test installed extensions for known security risks.

Joomscan

Joomscan is one of the most popular open-source tools for finding known vulnerabilities in the Joomla core and components, including SQL injection and command execution. There are two ways you can get it running.

  • Download it from the OWASP site and install it on your PC
  • Use Kali Linux, which comes with more than 600 tools, including Joomscan

Once you have Joomscan installed, here is how you run it against a Joomla site to scan for vulnerabilities.

./joomscan -u http://joomlawebsite.com

For example, I executed it against my test site.

root@Chandan:~# joomscan -oh -u http://techpostal.com
..|''||   '|| '||'  '|'      |           .|'''.|  '||''|.  
.|'          ||   '|. '|.  .'          |||          ||..  '   ||   ||
||           ||   ||  ||  |            |  ||        ''|||.   ||...|'
'|.          ||           ||| |||       .''''|.  .    '||  ||      
''|...|'      |   |        .|.  .||. |'....|'  .||.  
=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4  
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================
Vulnerability Entries: 611
Last update: February 2, 2012
Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan
Target: http://techpostal.com
Server: Apache
X-Powered-By: PHP/5.4.45
## Checking if the target has deployed an Anti-Scanner measure
[!] Scanning Passed ..... OK
## Detecting Joomla! based Firewall ...
[!] No known firewall detected!
## Fingerprinting in progress ...
Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009.
~Unable to detect the version. Is it sure a Joomla?
## Fingerprinting done.
Vulnerabilities Discovered
==========================
# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes
# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? Yes
# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.  Affected administrator components include com_admin, com_media, com_search.  Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.  
Vulnerable? N/A
# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie.  This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? N/A
# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped.  Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? N/A
# 6
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? N/A
# 7
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? N/A
# 8
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? N/A
# 9
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? N/A
# 10
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? N/A
# 11
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? N/A
# 12
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No
# 13
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No
# 14
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No
# 15
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No
# 16
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc).  This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? N/A
# 17
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? N/A
# 18
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year  to /index.php?option=com_content&view=archive
Vulnerable? No
# 19
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? N/A
# 20
Info -> CoreComponent: com_users XSS Vulnerability
Version Affected: Joomla! 1.5.10 <=
Check: /components/com_users/
Exploit: A XSS vulnerability exists in the user view of com_users in the administrator panel.
Vulnerable? N/A
# 21
Info -> CoreComponent: com_installer CSRF Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /administrator/components/com_installer/
Exploit: N/A
Vulnerable? N/A
# 22
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No
# 23
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No
# 24
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? N/A

As you can see in the results above, it scans for more than 20 vulnerabilities and lets you know if any are found, so you can fix them and secure Joomla.
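Most of the entries in a joomscan run are "N/A" or "No", and the ones worth acting on are easy to lose in the noise. The following Python is an added example, not code from the article or from joomscan itself: it parses the plain-text report format printed above into records, keeps only the findings joomscan marked "Vulnerable? Yes", and re-checks the two generic hygiene findings (htaccess.txt not renamed, /administrator/ unprotected) against a local copy of the webroot. The sample report is constructed from the output on the page, the demo webroot is a temporary directory built by the script, and the remediation notes and the "administrator/ is protected only if it has its own .htaccess" rule are this example's own assumptions, not joomscan's.

```python
"""Added example (not part of the article or of joomscan): parse a joomscan
0.0.4 text report, triage it, and re-check the generic findings locally."""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed sample: three entries taken from the report format shown above.
SAMPLE_REPORT = """\
Target: http://techpostal.com
Server: Apache
## Fingerprinting done.
Vulnerabilities Discovered
==========================
# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes
# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts.
Vulnerable? Yes
# 22
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No
"""


@dataclass
class Finding:
    number: int
    category: str = ""       # Generic, Core or CoreComponent
    title: str = ""
    versions: str = ""
    check: str = ""
    exploit: str = ""
    vulnerable: str = "N/A"  # Yes / No / N/A, exactly as joomscan prints it


# joomscan is inconsistent in its labels ("Versions Affected", "Version
# Affected", "Versions effected"), so map every spelling to one attribute.
LABELS = {
    "versions affected": "versions",
    "version affected": "versions",
    "versions effected": "versions",
    "check": "check",
    "exploit": "exploit",
}


def parse_report(text: str) -> list[Finding]:
    """Return one Finding per '# N' block after the 'Vulnerabilities Discovered' header."""
    findings: list[Finding] = []
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Vulnerabilities Discovered":
            in_block = True
            continue
        if not in_block or not line or set(line) == {"="}:
            continue                       # banner, blank or underline line
        header = re.fullmatch(r"#\s*(\d+)", line)
        if header:
            current = Finding(number=int(header.group(1)))
            findings.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Info ->"):
            category, _, title = line[len("Info ->"):].partition(":")
            current.category, current.title = category.strip(), title.strip()
        elif line.startswith("Vulnerable?"):
            current.vulnerable = line.split("?", 1)[1].strip()
        else:
            label, _, value = line.partition(":")
            attr = LABELS.get(label.strip().lower())
            if attr:
                setattr(current, attr, value.strip())
    return findings


def actionable(findings: list[Finding]) -> list[Finding]:
    """Only the entries joomscan actually confirmed on the target."""
    return [f for f in findings if f.vulnerable == "Yes"]


# Assumed remediation notes for the two generic findings (this example's
# own wording, not text from joomscan's database).
REMEDIATION = {
    "/htaccess.txt": "rename htaccess.txt to .htaccess so the shipped defensive rules take effect",
    "/administrator/": "restrict /administrator/ (IP allowlist or HTTP auth in administrator/.htaccess)",
}


def local_checks(findings: list[Finding], webroot: Path) -> dict[str, bool]:
    """Re-check the generic findings on a local copy of the webroot.
    True means the weakness is still present. Assumption: administrator/ counts
    as protected only if it has its own .htaccess; web-server-level protection
    is not visible to this check."""
    status: dict[str, bool] = {}
    for f in actionable(findings):
        if f.check == "/htaccess.txt":
            status[f.check] = (webroot / "htaccess.txt").exists() and not (webroot / ".htaccess").exists()
        elif f.check == "/administrator/":
            admin = webroot / "administrator"
            status[f.check] = admin.is_dir() and not (admin / ".htaccess").exists()
    return status


def make_demo_webroot() -> Path:
    """Constructed stand-in for a fresh Joomla install, in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="joomla-demo-"))
    (root / "htaccess.txt").write_text("# shipped Joomla rules, still unrenamed\n")
    (root / "administrator").mkdir()
    return root


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    root = make_demo_webroot()
    present = local_checks(findings, root)
    for f in actionable(findings):
        print(f"#{f.number} {f.category}: {f.title} -> still present locally: {present.get(f.check)}")
        print(f"    fix: {REMEDIATION.get(f.check, 'see the joomscan entry')}")
```

Point `local_checks` at the real document root instead of the demo directory to confirm a fix before re-running the scanner; the parser itself works on any saved joomscan report (`joomscan -oh` output redirected to a file).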

Pentest-Tools

Joomla Vulnerability Scan by Pentest-Tools is powered by the JoomlaVS tool.

You can run this test against your site to quickly find out whether the core, template, or modules are vulnerable. After the test is done, it generates a clear report with all the finding details. It is like performing a penetration test.

Conclusion

I hope the above tools help you scan Joomla for vulnerabilities and keep your website safe and secure. Here are some useful resources to keep you up to date with security.

Author: Chandan Kumar