Recently an issue was reported to the Vulnerable Extensions List team which affected the blogging platform for Joomla, Easy Blog. After some thought we decided that it did not fall within the normal definition of a security issue that would merit listing on the VEL. It was reported to us by a site owner whose site had been hit by an unusually sophisticated spam attack: the spammer was taking advantage of Easyblog and Joomla default settings, with the result that they were able to set themselves up multiple accounts as bloggers and create blog posts containing spammy links. In this case these links ended up getting indexed by Google, even though they would not show up to a normal visitor to the site.

There has been a lot of talk recently about responsible disclosure issues, especially with new developers and glory seekers. The VEL team has its own responsible disclosure code, namely that we won't list any proof of concept or samples. We will only give the bare minimum. All we ask is

Right now there is no machine-readable output format of the vulnerable extensions list. This causes a lot of issues when someone tries to find out whether a specific extension is listed on the VEL or not, because he or she wants to do, for example, one of the following things:

  • develop a plugin that automatically sends an email to the site administrator when an installed extension gets listed

  • add a feature to the built-in installer to warn users when a listed extension should be installed

  • develop a tool for webhosts that allows them to specifically search for vulnerable Joomla installations on their servers

If a person follows these few simple rules the majority of site hacks will not happen.

1.) Use a decent hosting provider. Cheap is not necessarily bad, and expensive is not necessarily good. Do your research. Take a few minutes to search for and read comments and reviews left by other users.

2.) If you don't need it for your site's functionality then don't install it. If you do need it for your site's functionality, take a few minutes to search for and read comments and reviews left by other users of that software to make sure you're not getting more than you bargained for by installing it.

Since May 2013 the VEL website has performed brilliantly as a much needed resource for the Joomla community at vel.joomla.org.

With Joomla 2.5 coming up to end of life in December and the VEL team attempting to be the champions in keeping up to date, we are about to launch VEL3.

After consultation, VEL3 will run the same RSFormsPro script but will have some other changes.