Joomla! Help Site - <b>J! EXT:</b> Why isn't un-publishing a vulnerable extension enough to protect my site?

Help Site

1.5 Template Project

The Joomla! Documentation Working Group is running a project to develop detailed reference and tutorial material on Joomla! 1.5 templates. There is a project page on the documentation wiki where you can see the work in progress and help us by contributing your knowledge.

Quicklinks

Joomla! License Details

Translations

Joomla! Developer Network

Framework Overview

API Reference

Dev Document Wiki

The Joomla! Shop presents to you a large collection of Joomla! books, as well as computer and Internet books. Purchase books in your language. This is a great way to support Joomla!

Help Site License

The Joomla! Help Site content is copyright © 2005 - 2008 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution NonCommercial ShareAlike 2.5. Some parts of this website may be subject to other licenses.

Home

FAQs

J! EXT: Why isn't un-publishing a vulnerable extension enough to protect my site?

Author(s):	Rliskey	Experience level:	Beginner
Contributors:		Joomla! version:
Date added:	Monday, 26 March 2007	Date last changed:	Saturday, 07 July 2007

Overview
Simply removing the menu links to an extension, or unpublishing a module is NOT enough to protect your site! As long as the extension's files exist on your server, you are vulnerable. Note how in the following examples an attacker can bypass the Joomla! index file to directly target any file, of any extension.

www.your_site.org/components/com_bad_component/vulnerable_file.php
www.your_site.org/modules/mod_bad_module/vulnerable_file.php

Directions for removing a vulnerable extension

1. Make a list of files to remove:
If you can locate it, read the extension's xml file to determine exactly which directories, files, and database tables were added to your system. The xml file is in the original zip archive used during the extension install process. For example, the zip archive for an extension called mod_vulnerable, would contain an xml file called, mod_vulnerable.xml, and might contain a list of files such as the following:

mod_vulnerable.php
mod_vulnerable/vulnerable_file.txt
mod_vulnerable/another_vulnerable_file.txt
mod_vulnerable/yet_another_vulnerable_file.txt
mod_vulnerable/index.html

2. Uninstall via the Joomla Installer:
Using the Installer in the Joomla! Administrator backend, uninstall the vulnerable extension. You may also need to uninstall related modules, components, or plugins.

3. Check that the uninstall process was complete:
Don't trust the extension to safely remove all of it's files. Compare directories and files on your system to the extension's xml list to ensure that all related files were actually removed.

4. Optionally, remove related database tables:
Check your database and remove any tables created by the extension. To ease the upgrade process to new versions, many uninstall scripts do not remove related database tables. You can find the list of tables in each extension's xml file. (If you plan to install a safer, compatible version of the same extension and you want to reuse existing data, you can usually leave the database tables as is.)

Last Updated Saturday, 07 July 2007

Tags: extension, module, plugin, remove

< Prev		Next >

[ Back ]

Help Site

Joomla! 1.5.x Documentation

Joomla! 1.0.x Documentation

FAQ Section

1.5 Template Project

Quicklinks

Who's Online

Help Site License