Dean Marshall Consultancy Ltd

Freephone:     0800 756 6482
International: +44 1524 63492
Lancaster UK: (01524) 63492
Joomla!® Security and Support Experts

DMC Firewall Security Issue - version 1.3 and below

It was reported to us that the backed-up version of either the '.htaccess' or 'web.config' file was publicly reachable by going to 'yourdomain.com/backup.htaccess' or 'yourdomain.com/backup.web.config' - exposing any custom rules that you may have set.

When was the backup created?

The backup was created when you installed or updated DMC Firewall while a '.htaccess' or 'web.config' file was already present in the root of your web-space and our edits weren't already in that server file. During the installation/update routines, DMC Firewall makes a number of edits to your server file, but before those edits are made it takes a backup in case something goes wrong.


Hacked Or Not Public Beta

We are pleased to announce that 'Hacked Or Not', our online website security scanner, has moved into a public beta phase. This means that you are able to scan as many of the websites that you manage as you like, to identify whether they are 'Hacked Or Not'. We have placed it into a public beta stage to surface any issues that we haven't yet found ourselves.

We are still actively working on 'Hacked Or Not' in readiness for an official release and we welcome your feedback.

At the moment you are able to scan as many websites (that you manage) as you like without any limitations being applied. Once Hacked Or Not has officially been released, certain limitations will apply; these will be listed on the Hacked Or Not website well in advance.

Scan your website(s) for free at http://ismysite.hackedornot.com/

JCE Exploit Still Common Within Joomla Powered Sites

In 2011, a major security vulnerability was identified within the Joomla Content Editor (JCE) component which allowed files to be uploaded without any security checks being performed. This allowed any 'user' to browse to a specific location and upload any number of files, no matter what the file extension was. A patch was released on the 21st of February 2011 which fixed this issue but sadly, many site owners did not keep 'up-to-date' with extension developers and their updates, and many never applied it.

In August 2011, this vulnerability was reported to Exploit DB (link here) which outlined the vulnerability and how to use it. This has affected thousands (if not hundreds of thousands) of websites over the years - causing loss of reputation and profits to many businesses.

This exploit has become so well known that hackers have even created a 'bot' that scans Joomla! powered websites looking for the specific vulnerable version of JCE.


Joomla 'com_contact' spammy emails fix

Spam, we all hate it, especially when our contact form is meant to block the spammy fake contacts. Recently a number of our websites were hit with a huge amount of spam, even though we had entered some 'keywords' into the 'banned text' field within the Joomla 'com_contact' component. The spam emails just kept coming and coming. It was then that we decided something was wrong and went looking for the cause and how to fix it.

After doing a bit of research we found that a bug report had been submitted back in April 2012 by Klaus Baldermann, describing the issue and a fix to the contact component within Joomla 2.5 (and now Joomla 3.0). It then took 6 months before a patch was submitted by Elin Waring which contained the updated and working PHP files. From what we can gather the patch was accepted sometime before the 10th of November and applied to Joomla 3.0 only. That's all well and good, until we downloaded fresh copies of both Joomla 2.5 and Joomla 3.0 and found that the patch had been reverted prior to Joomla 2.5.8 and Joomla 3.0.2. Within the bug tracker there is no mention as to why the patch had been reverted.

Below we will tell you which files and which lines of code you will need to edit in order to fix the 'com_contact' component, at least until the Joomla developers release a patch and keep it within Joomla.

There are three files that need to be edited to fix the contact form component which are as follows:

  1. contactemail.php
  2. contactemailmessage.php
  3. contactemailsubject.php


Has Your Joomla Website Been Hacked And How To Tell

If your Joomla powered website has been hacked and needs de-hacking, please read about our Joomla de-hacking services.

Has your website been hacked?

How can you tell?

Some webmasters / site owners only find out that their website has been hacked when potential customers do a Google search and find notices about their website saying: 'This site may be compromised' or 'This website may harm your computer'.

Most webmasters / site owners notice that their listings in Google contain words that don't belong on their site, e.g. Viagra, Casino, Payday Loan, etc. This is the clearest visual sign that you've been hacked.

Website Hacked? - What To Check For:

Hackers are always getting smarter about the way they hack/deface websites, and your website could have been hacked for months without you even noticing. The most common hacks that we are seeing today only affect Search Engines such as Google, Bing, Yahoo etc. When these Search Engines visit your website they will see 'spammy' links and words such as 'Buy Viagra Online, prescription, Adobe, casinos, realtytrac, torrent'. A full list of the commonly used terms can be found at the bottom of this article.


Mosets Tree Administrator Menu Item Hidden

We recently had a client who came to us wanting a Joomla migration from Joomla 1.5 to Joomla 2.5. Things were going smoothly (after a number of failed attempts using jUpgrade) until we installed Mosets Tree. The installation process was a success but the 'Mosets Tree' menu item didn't display within the 'Components' menu. We started looking within phpMyAdmin, comparing it against components that we could see within the 'Components' menu, but to no avail.

We could still browse to 'http://www.website-domain.co.uk/administrator/index.php?option=com_mtree' and the Mosets Tree component would load successfully.


Does the EU Cookie Law affect me?

If you own or run a website and are based within the EU then the answer is yes. The EU Cookie Law, as it is generally referred to, came into effect one year ago on the 26th of May 2011. Due to the complexities around the technological issues at that time, the regulators granted a one-year deferment during which they would not prosecute any company that didn't comply with the law. That year is now up, and all websites are expected to be compliant or moving towards compliance.

A clear understanding of users’ levels of awareness of what cookies are, what they are used for and how they can be managed, is fundamental to any consideration of the level of detail that needs to be provided about cookies, and the way in which the requirement to obtain consent can be satisfied.

A number of websites are already making changes and implementing procedures to make their customers more aware of what cookies are and how cookies are used within their website.

Websites that have already made changes include:


YOOtheme, Joomla 1.5 and IE7

On the 21st of May YOOtheme announced that they will no longer be supporting Joomla 1.5 and Internet Explorer 7. This means that they will not be producing templates for Joomla 1.5. Joomla 1.5 originally had an end-of-life date of April 2012 but, due to popular demand, the Joomla developers decided to extend support for the Joomla 1.5 CMS to September 2012.

YOOtheme said that June's template will be the last ever template that will both support the Joomla 1.5 CMS and Internet Explorer 7.

A snippet from YOOtheme's blog:


Joomla 2.5 Page Title Wrong in Single Article View

We hit an interesting little snag the other week while using Joomla 2.5. Let me say from the off that we've followed Joomla 2.5 development closely and were even involved in the beta testing. We haven't had many clients come to us who had already made the decision to utilise it, and we've only had one client site so far where the decision was made to build on 2.5 from the off.

Let me also add that it doesn't matter how much you dip your toes into a CMS; it is only when you are in the nitty gritty of building out a whole site from scratch that you hit the real gotchas.

I also think that browser changes over the last year or so are part of the reason we haven't picked up on this sooner. Firefox, Chrome and IE now routinely hide the 'Title bar' which used to show the title of the currently displayed web page. Now you have to deliberately go looking for the page title and it takes an extra click or three.

Lee, one of the team in the office, spotted that we had the wrong title within a site we are currently building out. Questioning whether we had misconfigured something, or whether the template in use on the site had an error within a template override, we quickly checked another recent Joomla 2.5 site, one that is all but finished but not actually launched yet.


Joomla 2.5 Released 24th January 2012

January 2012 sparked a new beginning for Joomla with the release of the Joomla! 2.5 CMS.

The release of Joomla! 2.5 brings plenty of new features and fixes that have been implemented throughout the development process.

In total:

  • 26 new features added
  • 4 security issues fixed
  • 356 tracker issues fixed

For the pre-release list of features click here!

For a full list of features and fixes click here!

What about my Joomla 1.7 website?
