Recently the VEL team became aware of a mass of reports claiming that dozens of Joomla extensions were vulnerable.
All these reports came from the same person, who had neither taken due care nor made a responsible disclosure to the VEL team or to the developers.

It transpires that this "hacker/skript kiddie" was systematically going through the Joomla extensions and running a probe on each demo site, testing for SQL injection vulnerabilities. We are unsure which tool was used, as there are numerous. What became apparent, however, was that nearly all of the reports were based on tests against the demo page of the developer's site.

The VEL carefully checked these reports. We will never list an extension purely on the basis of an unsubstantiated report on an exploit site; such reports are notoriously inaccurate, and we always take care to check whether a report can be substantiated. We found that some were valid, but a significant number were mistaken. Some appeared to be due to issues with the demo site itself, such as an outdated PHP version, and had nothing at all to do with any SQLi. In others, while there was a vulnerability, it was clearly in a different extension from the one being reported. In some cases we found no evidence of a vulnerability at all, and no basis for the report.

In all cases it was clear that the reporter had taken no steps to inform the developer, and had simply posted the results on an exploit site.

What it does tell us is that:

  • Using a vulnerability scanner can be deceptive, and you cannot always trust the results;
  • You must know your test bed thoroughly, or you may get inaccurate results;
  • Don't cry wolf: you will get more respect if you report at the right time, in the right place, and accurately.

If you discover a security issue in Joomla core, visit https://developer.joomla.org/security-centre.html
If you discover a security issue with an extension, visit https://vel.joomla.org/submit-vel and also inform the developer.