Engaging with the open source community continues to be an extremely rewarding experience. I have used the open source Joomla and WordPress content management systems to run a small web development business and the A-Z Directory module for Joomla is my contribution back to the community.
Over the past 2 weeks, I have had the privilege to work with Roman Zipaj and the team at the Natural Resources Institute, University of Greenwich on a security-related matter with the module.
Roman graciously informed me of a security vulnerability and was an outstanding liaison between me and the security engineers at the NRI. We worked closely together sharing information and penetration testing results until the vulnerability was fixed. Version 5.3.5 contains that fix, so please update the module as soon as possible.
I learned a lot from this experience. I have to strike a balance between divulging specifics that would allow one to exploit the vulnerability and passing along lessons learned. So, a couple of points:
- If you are using Joomla or WordPress, use their secure coding guidelines found here and here, respectively. These guidelines have been tried and tested, and as vulnerabilities are discovered, the functions will be updated and your code will automatically benefit. I am using Joomla’s secure coding guidelines. I mention this only because fixing the vulnerability was made easier and faster because I adhered to these guidelines and did not have to rewrite significant amounts of code.
- When accepting user input, use the most restrictive input filtering for your use case. For example, in Joomla, you can apply a String filter, but if you know the input should not contain special characters or numbers, consider using the Word filter, as it is more restrictive.
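To make the second point concrete, here is an added example (not code from the A-Z Directory module or from the original post) that assumes Joomla's `Joomla\Input\Input` API as exposed through `Factory::getApplication()->input`. The function name `readIndexLetter` and the `letter` request parameter are assumptions chosen for illustration; the sample request value is constructed. It reads the same value through the String and Word filters and then validates the result against the one shape an index letter can have, since a filter narrows input but does not confirm it.

```php
<?php
// Added example, not from the A-Z Directory module. Assumes the Joomla Input
// API (Joomla\Input\Input via Factory::getApplication()->input); the function
// name and the "letter" parameter are illustrative choices.

use Joomla\CMS\Factory;
use Joomla\Input\Input;

/**
 * Read the "letter" request parameter with the most restrictive filter that
 * fits, then validate the result against the exact shape the code expects.
 * Returns the single lower-case letter, or null when the value is unusable.
 */
function readIndexLetter(Input $input): ?string
{
    // STRING strips HTML tags but still lets digits and punctuation through,
    // so for a value that must be a single letter it is too permissive.
    $loose = $input->getString('letter', '');

    // WORD keeps only A-Z, a-z and underscore; everything else is dropped
    // before the value ever reaches application logic. For "M1" this yields
    // "M" where the STRING filter would have returned "M1".
    $tight = $input->getWord('letter', '');

    // Filtering is not validation: WORD still admits "abc" or "a_b". Accept
    // exactly one ASCII letter and reject everything else, so the value can
    // be used in a query or echoed in a template without further surprises.
    if (strlen($tight) !== 1 || !ctype_alpha($tight)) {
        return null;
    }

    return strtolower($tight);
}

// Constructed sample request (not from the original post): a digit has been
// appended to the letter the visitor clicked.
$_GET['letter'] = 'M1';

$letter = readIndexLetter(Factory::getApplication()->input);

if ($letter === null) {
    // Reject outright rather than guessing what the visitor meant.
    throw new InvalidArgumentException('letter must be a single A-Z character');
}
```

The `$loose` value is read only to show the contrast; in module code you would read the parameter once, with the Word filter. The explicit length and `ctype_alpha` check is the part the filter alone does not give you: it turns "any letters and underscores" into "exactly one letter", which is the actual contract of an A-Z index.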