Suggestion for security

2 months 6 days ago #2384 by luX0r.reload
luX0r.reload created the topic: Suggestion for security
Hi,
If I view the source of a page with your plugin activated and search for the word "joomla", I find two occurrences:
one for the "joomla-script-options" CSS class and one for the "joomla.jtext" JS method.
This is not very good for site security, because malware bots search for the CMS name string in the page so they can apply the correct exploit to hack the site.

Could you change this class and method name please?

Thanks in advance.

Luca

2 months 5 days ago #2397 by michael
michael replied the topic: Suggestion for security
The class "joomla-script-options" is Core Joomla - If you rename or remove it, many front-end functions will no longer work. joomla.jtext is Core Joomla front-end translations. If you rename or remove it, any JavaScript that displays text will not display any text.

Both things you've pointed out are Core Joomla output. I use it in my extensions, but I didn't create it.

You might be interested in this article:
www.richeyweb.com/software/joomla/35-securing-joomla

2 months 4 days ago #2399 by luX0r.reload
luX0r.reload replied the topic: Suggestion for security
Thanks, I've already secured my site with your suggestions and others.
It sounds strange that you suggest disabling the display of the Joomla version for security reasons while your plugin writes joomla strings in the code.
I now know these classes are from Joomla core, but my question is:
is it possible to do the same things in a different way, to avoid showing these unsafe lines in the page source?
For me this is very critical, and I sincerely hope you can find a way to fix this.

Many thanks

Luca

2 months 4 days ago #2404 by michael
michael replied the topic: Suggestion for security
My plugin does not write joomla strings in the output - Joomla does that. Any extension that uses JFactory::getDocument()->addScriptOptions() or JText::script() adds those strings - and many, many extensions do. Just using the Joomla login module adds a script option to enable the Joomla keepalive functionality.

There's nothing for me to fix, because it's in the Joomla core. It was discussed heavily at the time, and the decision was made to include those strings. It wasn't always this way - it happened sometime around Joomla 3.6.

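To check which script-option entries your own rendered pages carry, and so which features put them there, the following added example (not code from this thread, from the plugin or from Joomla) parses page source for the "joomla-script-options" element and lists the option keys inside it. The sample HTML is constructed, and the element layout (a JSON `<script>` element keyed by option name) is an assumption built from the class and key names quoted in the thread.

```python
import json
from html.parser import HTMLParser

# Constructed sample of rendered page source (not captured from a real site).
# Assumption: core emits script options as one JSON <script> element carrying
# the "joomla-script-options" class, with one top-level key per option.
SAMPLE_HTML = """<html><head>
<script type="application/json" class="joomla-script-options new">
{"system.keepalive": {"interval": 840000, "uri": "/index.php"},
 "joomla.jtext": {"EXAMPLE_LANGUAGE_KEY": "Example text"}}
</script>
<script type="application/json" class="other-options">{"x": 1}</script>
</head><body><p>Hello</p></body></html>"""


class ScriptOptionsAudit(HTMLParser):
    """Collect the JSON payload of every joomla-script-options element."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._chunks = []
        self.options = {}

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if tag == "script" and "joomla-script-options" in classes:
            self._inside, self._chunks = True, []

    def handle_data(self, data):
        if self._inside:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inside:
            self._inside = False
            try:
                self.options.update(json.loads("".join(self._chunks)))
            except (ValueError, TypeError):
                pass  # malformed or non-object payload: skip, keep auditing


def audit(html):
    """Return the sorted option keys exposed in the given page source."""
    parser = ScriptOptionsAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.options)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HTML)))
```

Run against the saved source of different pages, the key list shows which entries appear where, for example a keepalive entry on pages that render a login module.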