The Joomla Project recently released a security advisory regarding the PHPMailer library. Please read the announcement for further details. Some extensions also include their own copies of the vulnerable library, and developers of the relevant extensions are urged to release updates as soon as possible.

The VEL will be maintaining a list of extensions affected by the issue. Users of the affected extensions are strongly advised to update. To be clear, inclusion on the list simply means that the extension includes the vulnerable library, not that an exploit exists. You should contact the developer if you have any questions.


We are seeing an increasing number of forum posts stating that a site maintainer has had their own or their clients' sites hacked and that they are unable to update from Joomla 1.5, either because of custom-designed components or because they have no budget for the upgrade.
Leaving aside the dangers of custom component design, not

Using a quick start package may be the quickest way to get a fully set up, add-your-content site, but are you aware of the dangers?
We tested several quick starts from major providers, ranging from template developers to extension developers, who include a ready-to-go version of Joomla.
We found varying degrees of insecurity. None of these packages are plug/play/forget.

The most common issue and vulnerability was the use of an out-of-date version of Joomla. While (at the time of writing) Joomla is at 3.5.1, the worst case we found was 3.3.1, which has several security vulnerabilities. Possibly the worst one was an extension developer charging for a download that included 2.5.29.

The Vulnerable Extensions List team is looking for new members.

Those interested must:

Have a proven record of assisting the Joomla community.
Converse confidently in English.
Be able to test POC where applicable.

This volunteer role requires only a little commitment but does require a lot of discretion, as you may be dealing with exploits that will affect the Joomla community as a whole.

If you have not applied to us before, please complete the linked application form.



 

This is not always due to a hack; mostly, it is a site administrator's failure.

I have had a spate of new Users appearing in my User Manager.
I am the only authorised user on my sites (Super User) - so how do these idiot spammers get in; and how to block them in future?

I've received email messages from my website, telling me that a new user has registered.

1. There is no user registration form on the website
2. These appear to be hacks

The symptom checklist is as follows: