
Joomla CSRF vulnerability

GreyHead, January 07 2008
Hi all,

There have been recent security updates to Joomla 1.5 and to Joomla 1.0.13SVN to protect against Cross-Site Request Forgery. As I understand the problem, this vulnerability means that if you have a site admin session open it is possible for someone to grab your session and act as an admin on your site. This isn't simple and the exploit isn't common - but may become so. Because using ChronoForms may encourage you to keep your admin session open for longer, you need to take care.

The best protection is to update to the latest release of Joomla 1.5 or the latest SVN version of Joomla 1.0.13 (a new release is expected in the next few weeks). These have spoof-check functions built into the core code.

If you can't upgrade and your site remains vulnerable, then Phil Taylor has made the following recommendations:
  1. ALWAYS click LOGOUT in Joomla Admin when you finish
  2. NEVER browse other websites while logged in to Joomla Admin
  3. If you allow users to upload/modify your site through any third party component then don't browse, or limit your surfing of, your own site while logged in to Joomla Admin
  4. NEVER click on links to “Upgrade this component” in 3rd Party Components
  5. NEVER browse forums while logged into Joomla Admin
Phil has also suggested that a secure workaround is to access your site admin using the Mozilla Prism desktop application. This means that your admin session is never available on the web through your browser.

Bob

PS: ChronoForms' current releases (like most other extensions) do not include the admin spoof-check functions that are in the current core code. I'm hoping that Max will add them for the next releases.
ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much
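The "spoof-check" the post refers to is an anti-CSRF token: a secret tied to the admin session that must be echoed back in every state-changing form, so a page on another site, which holds the victim's cookie but not the token, cannot forge an admin action. In Joomla 1.5 the core exposes this as JHTML::_('form.token') for emitting the field and JRequest::checkToken() for verifying it. The following stand-alone PHP is an added illustration of how such a check works; it is not Bob's code, not ChronoForms code and not Joomla's implementation, and the function names `csrf_token`, `csrf_field` and `csrf_check` are chosen here for the example (PHP 7+ assumed for `random_bytes`).

```php
<?php
// Added example: a minimal anti-CSRF ("spoof check") token, written as a
// stand-alone illustration. Not Joomla's or ChronoForms' own code.

session_start();

// Issue a per-session token once and reuse it for the life of the session.
// random_bytes() is cryptographically secure and requires PHP 7 or later.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every admin form that changes state.
// Joomla 1.5 does the equivalent with JHTML::_('form.token').
function csrf_field(): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Verify the submitted token against the session copy.
// Only POST is accepted for state changes, so a token can never be
// made to work through a link (GET) or leak via the Referer header.
// hash_equals() compares in constant time to avoid timing side channels.
function csrf_check(array $request, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($request['_token']) || !is_string($request['_token'])) {
        return false;
    }
    return hash_equals(csrf_token(), $request['_token']);
}

// Example admin handler: refuse the request before touching any state.
function handle_publish(array $request, string $method): int
{
    if (!csrf_check($request, $method)) {
        return 403; // forged or stale request: no token, wrong token or GET
    }
    // ... perform the admin action here ...
    return 200;
}

// ---- constructed demonstration requests, not real traffic ----
$cases = [
    'genuine form post'       => [['_token' => csrf_token()], 'POST'],
    'cross-site post, no tok' => [['task' => 'publish'], 'POST'],
    'guessed token'           => [['_token' => str_repeat('0', 64)], 'POST'],
    'token smuggled via GET'  => [['_token' => csrf_token()], 'GET'],
];
foreach ($cases as $label => [$request, $method]) {
    printf("%-24s -> HTTP %d\n", $label, handle_publish($request, $method));
}
```

Of the four constructed requests only the genuine form post passes; the other three are the shapes a CSRF page can produce and each is refused before any admin code runs. The token mechanism fixes the root cause, which is why the upgrade is the recommended fix; the logout and "don't browse while logged in" rules above only shrink the window in which an unprotected admin session is exposed.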
GreyHead
Joomla 1.0.14 has now been released - you can download here

Bob