Secure Joomla extensions

Can you trust your Joomla extensions?

Sadly, in the last 6 months there have been two published cases where an extension provider was hacked and malicious code was inserted into the extensions that they offer.

This meant that as soon as you installed the extension your site was vulnerable to defacement etc.

If there have been two published cases, perhaps there have been more that we don't know about.

So is there anything we can do to prevent this?

Both extensions were from well-respected providers.

Some extension providers publish the md5sums of their downloadable files. An md5sum is a checksum calculated from the contents of the zip file, and you can use an md5sum checker on your computer to check that the published md5sum matches the one you calculate for the file you downloaded.

If the extension provider does not publish the md5sum, then ask them to do it.

Now of course I can hear some of you saying that if a hacker can alter the download file then they can probably alter the published md5sum as well, and that's true.

So what is the solution?

If the md5sum is published on another trusted web site, then we can all be much more confident that the published md5sum has not been altered. If the published number and the one you calculate on your own PC match, then the extension has not been "altered".

The obvious location to store and publish this md5sum would be on the Joomla Extension Directory (JED) as another field in the extension record.

Not too hard

Creating a new field for the md5sum and asking/expecting extension developers to publish the md5sum and keep it up to date is an easy option, but it still requires the user to calculate an md5sum locally and compare the results.

A better way for Joomla 1.6?

Expanding on the idea of publishing md5sums on the JED, we can go a step further and take the hard work away from the user by making the md5sum check the job of the Joomla installation manager.

Currently the Joomla installation manager

  1. uploads the archived extension
  2. uncompresses the extension in a temporary directory
  3. installs the extension

The idea presented below would be a relatively large task with Joomla 1.5, but as almost every extension will need to be rewritten (even if only a little bit) for Joomla 1.6, now is the ideal time.

I propose that every Joomla extension receives a unique id and that this is used in the zip file name, e.g. 12345-com_newspaper.zip, 74536-mod_arrival.zip

So now the Joomla installation manager does the following

  1. uploads the archived extension
  2. produces an md5sum of the uploaded file and compares that with the published md5sum for that extension
  3. if it matches then the extension is uncompressed to a temporary directory and the extension is installed
  4. if it does not match the user is informed and the uploaded file is removed from the web server
    [UPDATED: it would perhaps be better to offer the user a warning that the extension could not be verified and leave the option to install up to the user instead of just refusing to install. That way extensions that are not listed on JED for various known reasons or are private extensions can still use the installer.]
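
The check proposed in the steps above, including the UPDATED behaviour for unlisted extensions, could look like the following. This is an added example, not Joomla's installer code: the function names are hypothetical, and the `$published` array is a constructed stand-in for the md5sum field proposed for each JED record.

```php
<?php
// Added example, not Joomla code. $published stands in for the md5sum field
// proposed for each JED record (hypothetical lookup, constructed values).

// Proposed naming scheme: <unique id>-<extension name>.zip
function extensionIdFromFilename(string $name): ?string
{
    return preg_match('/^(\d+)-\w+\.zip$/', basename($name), $m) ? $m[1] : null;
}

// Returns 'verified', 'mismatch' or 'unverified' for an uploaded archive.
function verifyUpload(string $path, string $name, array $published): string
{
    $id = extensionIdFromFilename($name);
    if ($id === null || !isset($published[$id])) {
        // Not listed on JED or a private extension: warn, let the user decide.
        return 'unverified';
    }
    // md5 as on this page; hash_file() also accepts e.g. 'sha256'.
    $actual = hash_file('md5', $path);
    if ($actual === false || !hash_equals(strtolower($published[$id]), $actual)) {
        if (is_file($path)) {
            unlink($path); // step 4: remove the uploaded file from the server
        }
        return 'mismatch';
    }
    return 'verified'; // step 3: safe to uncompress and install
}

// Constructed sample data: two "uploads" and one published checksum.
$good = tempnam(sys_get_temp_dir(), 'ext');
$bad  = tempnam(sys_get_temp_dir(), 'ext');
file_put_contents($good, 'constructed package bytes');
file_put_contents($bad, 'constructed package bytes + injected code');
$published = ['12345' => md5('constructed package bytes')];

foreach ([
    [$good, '12345-com_newspaper.zip'],
    [$bad,  '12345-com_newspaper.zip'],
    [$good, 'private_extension.zip'],
] as [$path, $name]) {
    echo $name, ' => ', verifyUpload($path, $name, $published), PHP_EOL;
}
unlink($good);
```

The extension id is taken from the original upload name rather than the temporary path, and the checksum is computed before anything is uncompressed, so a mismatching archive is never unpacked on the server.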

Does all this really matter?

My site wasn't hacked and I've now removed the exploited extension and replaced it with a safe version, so is all of this really necessary? Absolutely yes!!! Firstly, you may have been lucky or the exploit was relatively benign, but it could have emailed the details of your configuration.php, with its MySQL and FTP passwords, to a malicious hacker who has just been too busy to get to your site yet. Or they could have used the exploit to place another malicious file in a completely unrelated directory, ready to exploit tomorrow.

The procedures and methods I describe to improve the safety and security of the Joomla extension installation process (boy, those were some long words) are relatively easy to achieve. It just needs some people with the will and skill to write the patch to the installation manager, add the extra fields to the JED and promote its use to the third-party developer community.

As a side benefit this will force extension providers to keep their JED entries up to date with the latest releases.
