Beware the Images Folder in Joomla

The images directory is considered to be a harmless directory – after all, what can it contain other than images and other downloadable content? In our experience, the images directory is not as innocent as it seems, in fact, it is, in our opinion, one of the most dangerous directories that can wreak havoc on your website. And no, we’re not crazy (yet). Let us explain…

The media manager in Joomla usually allows the administrator to upload image files (as well as other harmless files) to the images directory. The media manager does not allow the upload of potentially harmful file types, such as PHP scripts. However, hackers have discovered many loopholes in Joomla 1.5.26 and less to allow them to upload PHP files to the images directory. The images folder has become the hackers’ favorite directory to store their (malicious) PHP files (such files are sometimes called index.php, joomla.php, main.php, script.php, etc…)

You might think that uploading a PHP file is not that harmful, but a PHP file can do the following when run from a browser:

  • Delete files (that Apache has permissions on) or nuke whole directories.
  • Change permissions on files directly owned or group owned by Apache.

  • Alter files and inject some malicious code into them.

  • Send spam. (in other words, your website will be a launchpad for spamming).

  • Spy on your website and on your visitors.

  • The list is endless.

So, what can someone do to ensure that the images directory does not pose a threat to his website?

There are several ways that are used to address this problem:

  • Using an .htaccess whitelist: An .htaccess whitelist consists of specifying which filetypes can be uploaded to the website in the .htaccess file. It can be done by adding the following code to the .htaccess file:

    <FilesMatch "\.(jpeg|pdf)$">
    Allow from all

    The above code means that only files that have a jpeg or a pdf extension are allowed to be uploaded to the website.

  • Using an .htaccess blacklist: An .htaccess blacklist consists of specifying which filetypes are not allowed to be uploaded to the website (it is the inverse of a whiltelist). Any filetype that exists in the blacklist will be rejected for upload. An example of an .htaccess blacklist is the following:

    <FilesMatch "\.(asp|php|php5|pl)$">
    Deny from all

    The above code means that files that have an asp, a php, a php5, or a pl (pl is Perl, for those who are curious) are not allowed to be uploaded.

  • Create a cron job that will automatically delete scripts from the images directory: In this situation, you’re accepting the fact that your website is vulnerable and you’re reacting to it. We have to admit though that we have seen this implemented successfully but in conjunction with other techniques.

So, which method should the Joomla administrator go with? We think that whitelisting filetypes in the .htaccess file is the best method, and this is because you will have full control over which file types will be uploaded to your server. If you go with a blacklist, you might miss some potentially harmful filetypes. The cron job technique is not that great because you’re really responding to the attacks – as opposed to protecting your website against them.

Now, before you go ahead and add that whitelisting code and assume that everything’s going to be OK from now on, keep in mind that if your website has loopholes elsewhere, then a hacker can simply modify your .htaccess file and easily remove the whitelisting code.

So, here’s what you should do:

  • chown and chgrp all your files to root/root.
  • chmod all your files recursively to 444.

  • chmod all your directories recursively to 755.

  • Allow Apache to write to the following directories: cache, images, logs, and tmp.

We have described these steps here.

After doing the above steps, then you should go with the whitelist technique. Once you do that, the security on your website will be literally hacker proof!

If you have security issues on your website and you need them addressed, then please contact us. We are experts in Joomla and Joomla’s security, we are eager to help, and our fees are very affordable!

One Response to “Beware the Images Folder in Joomla”
  1. Pingback by Why suPHP Is Insecure for a Joomla Website | itoctopus — November 29, 2012 @ 2:42 pm

    […] advantage of this exploit and uploads the file writetoindex.php to the images folder (which is the folder du choix for hackers). The writetoindex.php file simply writes some malicious code to your index.php […]

Leave a comment