Nearly every second website uses a Content Management System (CMS) such as WordPress, Drupal, or Joomla. These systems help to create and modify digital content, typically in a collaborative environment. A common feature is the ability to enrich their functionality with extensions. Popular extensions allow developers to easily include payment gateways, backup tools, and social media components. Given this added functionality, it is not surprising that the resulting growth in complexity implies a larger attack surface. In contrast to the CMS core, extensions are usually not considered in public security audits. However, a Cross-Site Scripting (XSS) or SQL injection (SQLi) vulnerability in an activated extension has the same effect on the security of a CMS as the same issue in the core itself. Vulnerabilities in extensions are therefore a very attractive tool for malicious parties. We study the security of CMS extensions using Joomla, one of the most popular systems, as an example. We discovered that nearly every second installation of such a system also includes Joomla's official top-10 rated extensions as a matter of course. Moreover, we found that every single one of the official top-10 rated extensions is vulnerable to XSS, and 30% of them to SQLi. We show that our findings are not only relevant to Joomla: two of the analyzed extensions are also available for systems such as WordPress and Drupal, and introduce the same vulnerabilities there. Finally, we pinpoint mitigation strategies that can be realized within extensions to achieve the same security level as the core CMS.