Secure Joomla Extensions

It's no secret that most compromised Joomla sites are exploited through third party extensions. While there are core Joomla exploits too they are much fewer than the endless risks imposed from third party extensions.

In order Joomla extensions to be secure the following important aspects have to be observed:

The first and foremost important statement in any Joomla extension php file is making sure that the file is not accessed directly:
defined('_JEXEC') or die( 'Restricted access' );
The next important statement is making sure the visitor has the necessary privileges to access it. This is especially important when the extension is in the administrator panel. The simplest way to check if the user is authorized to open a sensitive file is:

$user = & JFactory::getUser();
if (!$user->authorize( 'com_users', 'manage' )) {
$mainframe->redirect( 'index.php', JText::_('ALERTNOTAUTH') );
}
If the user is authorized to manage the users then he should be allowed to do anything.
Next your code follows. The general rule is to follow the best practices of Joomla native Model View Controller concept. This ensures that your code will be tidier, easier to maintain and secure.

The essential part in writing a secure Joomla extension is using native Joomla classes and avoiding using your own code for the basic operations such as executing MySQL queries, including files and others. That's why make sure to be acquainted with all the Joomla Framework classes

http://docs.joomla.org/Framework

When studying the native Joomla classes pay special attention to JFilterInput and JFilterOutput. Their methods should be used regularly for filtering user input and output to avoid anything from MySQL injections to XSS flaws.

Finally, always take into consideration that Joomla runs on different environments and what is secure on yours might not be on others. Ensure that RG_emulation, register_globals or even allow_url_include will not allow anyone to tamper with your variables. If you cannot ensure it at least make sure to warn users about potential problems.

The above short secure Joomla extensions guidilines should give you an idea on how to write more secure Joomla extensions.

blog comments powered by Disqus