Removing Vulnerable Joomla Extensions
This tutorial will will explain the importance of removing vulnerable Joomla extensions
It is very important to completely remove vulnerable extensions, simply removing the menu links to an extension, or removing a module is NOT enough to protect your site! As long as the extension’s files exist on your server, you are vulnerable.
To view our Joomla demo site with a custom template installed, please click on the thumbnail to the right. The site also includes other customizations made by our development team including Simple Image Gallery, which is a great way to show off images and create photo galleries withing page content.
Note how in the following examples an attacker can bypass the Joomla! index file to directly target any file, of any extension.
www.your_site.org/components/com_bad_component/vulnerable_file.php
www.your_site.org/modules/mod_bad_module/vulnerable_file.php
Directions for removing a vulnerable extension
1. Make a list of files to remove:
If you can locate it, read the extension’s xml file to determine exactly which directories, files, and database tables were added to your system. The xml file is in the original zip archive used during the extension install process. For example, the zip archive for an extension called mod_vulnerable, would contain an xml file called, mod_vulnerable.xml, and might contain a list of files such as the following:
mod_vulnerable.php
mod_vulnerable/vulnerable_file.txt
mod_vulnerable/another_vulnerable_file.txt
mod_vulnerable/yet_another_vulnerable_file.txt
mod_vulnerable/index.html
2. Uninstall via the Joomla Installer:
Using the Installer in the Joomla! Administrator backend, uninstall the vulnerable extension. You may also need to uninstall related modules, components, or plugins.
3. Check that the uninstall process was complete:
Don’t trust the extension to safely remove all of it’s files. Compare directories and files on your system to the extension’s xml list to ensure that all related files were actually removed.
4. Optionally, remove related database tables:
Check your database and remove any tables created by the extension. To ease the upgrade process to new versions, many uninstall scripts do not remove related database tables. You can find the list of tables in each extension’s xml file. (If you plan to install a safer, compatible version of the same extension and you want to reuse existing data, you can usually leave the database tables as is.)
Joomla! is the perfect Content Management System for managing and developing your website with one of AUSWEB’s cPanel Hosting plans.
