
Joomla Password Security
Written by Spiral Scripts   
Monday, 21 December 2009 12:17

Recent discussions in the Joomla! security forum have made it clear that a particular weak point of the Joomla! security system is the front-end password reset function. If your site includes any extension that is vulnerable to SQL injection, a relatively common security problem, then an attacker can potentially abuse the password reset function to change your administrator password. They can do this even if you do not display the login module in your front-end.

The difficulty is that SQL injection vulnerabilities are fairly common, and are likely to remain so for the near future. It is the sort of mistake that even experienced programmers can occasionally let slip through.

So it is strongly advisable to take steps to guard your site against this. As a first step, you should always check any extension against the list of vulnerable extensions before installing it. However, that is never going to protect you completely, because the list only includes extensions with known vulnerabilities.

Ideally you want to protect against unknown vulnerabilities as well. This is why we think it makes sense to be able to block the password reset function for administrative users, and it is why we have created our 'block password reset' system plugin. This is a non-commercial plugin (and will remain so), and is freely downloadable.

Unlike other approaches to this problem, it does not require any hacks to the core Joomla! code. You just install it like any other plugin and, through the plugin parameters, select the users or groups for which you wish to block the password reset function. At the moment it is designed to work only with the Joomla! user component, but we plan to extend it to work with other registration systems as well, such as Community Builder, if there is a demand for it.

If you use this plugin, you should be reasonably confident that you are not going to forget your admin password, because it will make it impossible to use the password reset function. However, if you do forget, and you have access to your site database, then you will still be able to reset your password directly through your database admin. There is documentation available on the Joomla! site about how to do this.

 

 

 
 
 
