Why isn't un-publishing a vulnerable extension enough to protect your site?
From Joomla! Documentation
Revision as of 17:16, 11 October 2008 by Jabama
- Simply removing the menu links to an extension, or unpublishing a module is NOT enough to protect your site! As long as the extension's files exist on your server, you are vulnerable. Note how in the following examples an attacker can bypass the Joomla! index file to directly target any file, of any extension.
Directions for removing a vulnerable extension
1. Make a list of files to remove
- If you can locate it, read the extension's xml file to determine exactly which directories, files, and database tables were added to your system. The xml file is in the original zip archive used during the extension install process. For example, the zip archive for an extension called mod_vulnerable, would contain an xml file called, mod_vulnerable.xml, and might contain a list of files such as the following:
mod_vulnerable.php mod_vulnerable/vulnerable_file.txt mod_vulnerable/another_vulnerable_file.txt mod_vulnerable/yet_another_vulnerable_file.txt mod_vulnerable/index.html
2. Uninstall via the Joomla Installer:
- Using the Installer in the Joomla! Administrator backend, uninstall the vulnerable extension. You may also need to uninstall related modules, components, or plugins.
3. Check that the uninstall process was complete:
- Don't trust the extension to safely remove all of it's files. Compare directories and files on your system to the extension's xml list to ensure that all related files were actually removed.
4. Optionally, remove related database tables:
- Check your database and remove any tables created by the extension. To ease the upgrade process to new versions, many uninstall scripts do not remove related database tables. You can find the list of tables in each extension's xml file. (If you plan to install a safer, compatible version of the same extension and you want to reuse existing data, you can usually leave the database tables as is.)