Over 100 Bugs in a Row: Security Analysis of the Top-Rated Joomla Extensions

TL;DR

This paper analyzes the security vulnerabilities of popular Joomla extensions, revealing widespread XSS and SQLi issues, and discusses mitigation strategies to improve extension security to match that of the core CMS.

Contribution

It provides a comprehensive security analysis of top-rated Joomla extensions, highlighting prevalent vulnerabilities and proposing mitigation strategies to enhance extension security.

Findings

Nearly 50% of Joomla sites use top-10 extensions.

All analyzed top-10 extensions are vulnerable to XSS.

30% of these extensions are vulnerable to SQLi.

Abstract

Nearly every second website is using a Content Management System (CMS) such as WordPress, Drupal, and Joomla. These systems help to create and modify digital data, typically within a collaborative environment. One common feature is to enrich their functionality by using extensions. Popular extensions allow developers to easily include payment gateways, backup tools, and social media components. Due to the extended functionality, it is not surprising that such an expansion of complexity implies a bigger attack surface. In contrast to CMS core systems, extensions are usually not considered during public security audits. However, a Cross-Site Scripting (XSS) or SQL injection (SQLi) attack within an activated extension has the same effect on the security of a CMS as the same issue within the core itself. Therefore, vulnerabilities within extensions are a very attractive tool for malicious parties. We study the security of CMS extensions using the example Joomla; one of the most popular systems. We discovered that nearly every second installation of such a system also includes Joomla's official top-10 rated extensions as a per se requirement. Moreover, we have detected that every single extension of the official top-10 rated extensions is vulnerable to XSS and 30% of them against SQLi. We show that our findings are not only relevant to Joomla; two of the analyzed extensions are available within systems like WordPress or Drupal, and introduce the same vulnerabilities. Finally, we pinpoint mitigation strategies that can be realized within extensions to achieve the same security level as the core CMS.