Spend any time on the Joomla forums and you will see "help my web site has been hacked".
The first response is always the same: "please read the security checklist".
In numerous places you will see
"Use proper permissions on files and directories. They should never be 777."
But with JomSocial the reverse is true!
I'm not going to go into the danger of 777, as Nicholas K. Dionysopoulos, of Akeeba Backup fame, wrote an excellent in-depth article on this the other day entitled "777 the number of the beast".
I've written before how seeing chmod 777 makes my blood boil and in fact only yesterday I found another new extension on the Joomla Extension Directory that quietly creates folders and files on your site with 777 permissions.
But as the title of this article suggests this week I found something far more serious with the newly released GPL edition of JomSocial. (Note I don't have access to the older proprietary versions of JomSocial to check but I suspect the same is true. However I have checked the JomSocial forum and on numerous occasions the JomSocial Support Team have advised users to chmod 777)
[Screenshot: JomSocial Configuration screen]
Here you can see one of two configuration options for JomSocial labeled "Enable all (CHMOD777)".
So now we have one of the most high profile extensions for Joomla, one that has even been chosen by the Joomla project itself for http://people.joomla.org/, actually offering to open the doors to your website ready to be hacked.
- There is no warning about the dangers of doing this.
- There is no explanation of the meaning of chmod 777.
- There is no recommendation to use the "System default" setting.
You cannot be serious
How can we, as the Joomla community, spend time lecturing users that it's their own fault that they were hacked because they had set up their site to use insecure 777 permissions, and at the same time recommend an extension that offers this?
In the creation of the new Joomla Community Magazine a decision was made to use K2, but it couldn't be used until senior project members had reviewed it for security; surely the same was true when JomSocial was chosen for the people web site.
When I first saw this chmod777 option in JomSocial I was surprised, but the more I think about it the angrier I get.
This isn't a small obscure extension from a newbie developer that just doesn't know any better. JomSocial is developed by one of the most respected extension developers in the JoomlaSphere and further endorsed by Joomla's own use of the extension.
How can we as a community tell users never to chmod 777 when an "endorsed" extension will happily do it for you?
How can we expect users to understand the real dangers of chmod 777?
I can imagine the conversation now.
Help my site has been hacked.
Did you have any files or folders set to 777?
Yeah. I must have. JomSocial said I needed it to give everyone access to upload videos and images.
Well that's why you've been hacked. You should never 777!!
Oh great, so Joomla says one thing and does another. Thanks guys - I thought this was a serious piece of software; obviously not.
What should be done about extensions with chmod777?
Any Joomla extension that has known vulnerabilities such as LFI or XSS is listed on the Vulnerable Extension List.
Shouldn't an extension that either secretly or as an option creates files and folders with 777 be listed as well?
How else can we as the Joomla community educate extension developers and users alike that 777 is not an option?
NOTE any extension listed on the VEL is removed from the JED until the vulnerability has been fixed.
I did contact the VEL team and received this reply:
In a perfect world, they wouldn't need that at all. It's a nice option to include, in my opinion - if only to assist users in otherwise insecure setups to begin with.
I mean, it's not something that should be on BY DEFAULT, of course - but allowing the user to make that decision isn't a bad thing. As long as the issue is clearly addressed in the UI as something that is ONLY necessary on poorly configured servers (or otherwise have reason to not run PHP as the same user that owns the files).
I take no offence to Azrul for having the option. It makes sense from their perspective to cater to their clients' needs as it would reflect poorly on their software if it didn't "just work" on as many setups as possible.
Sorry but that just isn't acceptable to me and actually fails basic logic.
Joomla itself requires certain folders and files to be writable in the same circumstances, but it doesn't offer a 777 option even if it would reduce initial support queries and compensate for poorly configured servers.
Why not - because it's a stupid thing to do.
If it's wrong for Joomla to do this then it is wrong for Joomla to allow the listing of extensions that do the same.
You should never CHMOD any files or directories to 777
Chris Adams Founder and CEO of Rochen
We've all seen the bad publicity that Joomla gets when a site gets hacked through a poorly written extension. Users and potential users do not readily see the difference between Joomla and an extension - they just see "vulnerability" and "hacked".
Come on Joomla! It's time to act to prevent the spread of insecure extensions like this. They are not good for the user and they are not good for Joomla's reputation.
UPDATE
Before publication I did of course contact the Joomla Vulnerable Extension List (VEL) team for comment (see above) and Azrul. After an exchange of emails with Azrul, and before the publication of this blog post, a new version of JomSocial has been released which, according to the changelog:
BUG: 4354 Media permission settings are removed and will now use 755 permissions by default
However that doesn't address the fact that this is a security issue with previous releases nor provide a means for users to correct their now insecure web site.
A newsletter has been scheduled. Those who use those options, mostly people who process their images and videos through external server binaries, will need to reconfigure their server to allow those binaries to run using the same Apache privilege. This configuration varies from server to server and they will need their server administrator to set it up, and we will advise on a per-server basis.
Azrul Rahim
Executive Director/Lead Developer
Slashes & Dots Sdn Bhd
Personally I don't agree that those are the only users who will have chmod 777'd their files and directories. If you didn't know better, wouldn't you have assumed that "enable all" was the correct thing to do?
I just hope that existing users really appreciate that this is not a bug but a serious security issue, and that the new version of JomSocial does not fix the previous issue but only prevents new users from running into it.
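As an added example (not code from the article or from JomSocial), this is the kind of audit-and-fix script a site owner could run to find what "Enable all (CHMOD777)" left behind and reset it to the 755/644 the new release now uses. It assumes a POSIX shell with find and chmod, and a server where PHP runs as the file owner (suPHP, FastCGI etc.), so 755/644 is enough for media uploads to keep working.

```shell
#!/bin/sh
# Added example, not code from the article or from JomSocial: audit a Joomla
# site root for world-writable entries (what "Enable all (CHMOD777)" leaves
# behind) and reset them to the 755/644 the new release uses by default.
# Assumes POSIX find/chmod and that PHP runs as the file owner (suPHP,
# FastCGI, etc.), so 755/644 is enough for media uploads to keep working.

# list_world_writable SITE_ROOT: print every file or directory whose
# "other" write bit (002) is set.
list_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# count_world_writable SITE_ROOT: number of world-writable entries.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable SITE_ROOT: directories to 755, files to 644. Only
# world-writable entries are touched, so deliberately tighter modes
# (e.g. 600 on configuration.php) are left alone.
fix_world_writable() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Demo on a constructed mini site layout in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/images/videos" "$tmp/administrator"
    : > "$tmp/images/videos/clip.mp4"
    : > "$tmp/configuration.php"
    chmod 755 "$tmp/administrator"
    chmod 600 "$tmp/configuration.php"
    chmod 777 "$tmp/images" "$tmp/images/videos" "$tmp/images/videos/clip.mp4"
    echo "before fix: $(count_world_writable "$tmp") world-writable entries"
    list_world_writable "$tmp"
    fix_world_writable "$tmp"
    echo "after fix:  $(count_world_writable "$tmp") world-writable entries"
    rm -rf "$tmp"
}

# Run the demo; for a real site call fix_world_writable /path/to/joomla instead.
demo
```

Run list_world_writable first and read the output before fixing anything, since a host that runs PHP as the web server user rather than the file owner may need group-writable media directories instead.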
[UPDATE 13 July 23:47]
- No sign of any notification of the new release from JomSocial to its users
- Having looked closer at the code in version 1.8.3, it now appears that the setting for "system default" is not the system default on your server but is hard-coded to be 755. Not insecure, but not the same thing as saying system default.