• Analyzing Popular CMSs: Are Joomla Users at Risk?

    In this series of articles we will discuss security issues relevant to popular Content Management Systems (CMSs). These software packages make it relatively simple for web administrators and non-specialists to host a website or an Internet forum and manage its content. Using a CMS, one can easily keep track of multiple versions of a web page, allow visitors to contribute to pages and host complex discussion forums.

    CMS packages have gained widespread popularity owing to the easy-to-use interface they offer web administrators, and they are easy to set up: most web hosting companies keep CMS packages ready to be installed on their clients' accounts, so all a client has to do is click a button in the hosting control panel. Furthermore, maintaining web pages with a CMS takes away the pain of tracking multiple versions, manually granting user permissions and other mundane chores.

    Joomla is a prime example of a popular CMS package. With thousands of downloads and upwards of 7,000 followers on Twitter, it is extremely popular among web administrators and content publishers. Joomla offers the flexibility to manage content easily, add attractive themes and customize web pages to your heart's content, all without any programming experience.

    In this series of posts, we will be looking at five popular CMSs. Joomla is the first one on which we will focus.

    The aims of the experiment:

    • To determine how many Joomla sites run older versions of the CMS package (and are hence exposed to publicly known vulnerabilities that later releases fix).
    • To find out which associated scripts (extensions) Joomla users deploy in addition to the core Joomla functionality.
    • To identify the vulnerabilities those associated scripts introduce.

    Experiment methodology:

    An initial corpus of 100,000 websites was mined via a Google keyword search for websites that discuss Joomla. Understandably, not all 100,000 websites would actually be running Joomla. Approximately 10,000 websites from this corpus were analyzed; each was checked to determine whether it was generated by Joomla, and each was cross-referenced against the Google Safe Browsing list. The experiment was carried out between January 27th and January 29th, 2010.
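    As an added example, not the study's own tooling, the Python sketch below shows the fingerprinting step of this methodology: deciding from a page's HTML whether a site is generated by Joomla, reading the branch from the generator meta tag, falling back to secondary indicators (default asset paths, com_* URLs) for sites whose template strips the tag, and tallying the results across a corpus. Every host name, page body and the blocklist are constructed; the real Safe Browsing check is an API lookup, which the local set stands in for. The branch-status table is an assumption about the state of Joomla in January 2010.

```python
"""Offline Joomla fingerprinting, an added illustration of the survey
methodology. Not the original study's code. All hosts, pages and the
blocklist below are constructed; the branch table is an assumption about
Joomla's release status in January 2010."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Generic <meta ...> parsing: attribute order varies between templates,
# so extract attributes rather than matching one fixed layout.
META_RE = re.compile(r'<meta\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')
# Joomla 1.5 writes "Joomla! 1.5 - Open Source Content Management";
# Joomla 1.0 wrote "Joomla! - Copyright (C) 2005 ..." with no number.
VERSIONED_RE = re.compile(r'Joomla!\s*(\d+\.\d+)')
LEGACY_10_RE = re.compile(r'Joomla!\s*-\s*Copyright')
# Secondary indicators for sites whose template removed the generator tag.
SECONDARY = [
    (re.compile(r'/media/system/js/mootools\.js'), 'mootools.js path'),
    (re.compile(r'/templates/system/css/system\.css'), 'system.css path'),
    (re.compile(r'index\.php\?option=com_\w+'), 'option=com_* URL'),
    (re.compile(r'/components/com_\w+/'), 'components/com_* path'),
]
# Assumption: the 1.0.x branch was end-of-life by January 2010; 1.5.x was current.
EOL_BRANCHES: Set[str] = {'1.0'}


@dataclass
class Fingerprint:
    is_joomla: bool
    version: Optional[str]  # branch only, e.g. '1.5'; the tag does not expose the patch level
    evidence: List[str] = field(default_factory=list)


def generator_tag(html: str) -> Optional[str]:
    """Return the content of <meta name="generator"> if the page has one."""
    for m in META_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        if attrs.get('name', '').lower() == 'generator':
            return attrs.get('content')
    return None


def fingerprint(html: str) -> Fingerprint:
    evidence: List[str] = []
    version = None
    gen = generator_tag(html)
    if gen:
        m = VERSIONED_RE.search(gen)
        if m:
            version = m.group(1)
            evidence.append(f'generator: {gen}')
        elif LEGACY_10_RE.search(gen):
            version = '1.0'
            evidence.append(f'generator (1.0 wording): {gen}')
    for rx, label in SECONDARY:
        if rx.search(html):
            evidence.append(label)
    # A Joomla generator tag is decisive; without it, require two independent
    # hints so that a single copied asset path does not count as a hit.
    is_joomla = version is not None or len(evidence) >= 2
    return Fingerprint(is_joomla, version, evidence)


def branch_status(version: Optional[str]) -> str:
    if version is None:
        return 'unknown'
    return 'end-of-life' if version in EOL_BRANCHES else 'current'


def survey(pages: Dict[str, str], blocklist: Set[str]) -> Dict[str, int]:
    """Tally Joomla hits, branches and blocklisted Joomla hosts across a corpus."""
    counts: Counter = Counter()
    for host, html in pages.items():
        fp = fingerprint(html)
        if not fp.is_joomla:
            counts['not-joomla'] += 1
            continue
        counts['joomla'] += 1
        counts[f'branch:{fp.version or "unknown"}'] += 1
        if branch_status(fp.version) == 'end-of-life':
            counts['end-of-life'] += 1
        if host in blocklist:
            counts['joomla+blocklisted'] += 1
    return dict(counts)


# Constructed corpus; none of these hosts exist.
SAMPLE_PAGES = {
    'a.example': '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'
                 '<script src="/media/system/js/mootools.js"></script></head></html>',
    'b.example': '<html><head><meta content="Joomla! - Copyright (C) 2005 - 2007 Open Source Matters. '
                 'All rights reserved." name="Generator" /></head></html>',
    'c.example': '<html><body><link href="/templates/system/css/system.css" rel="stylesheet" />'
                 '<a href="index.php?option=com_content&amp;view=article&amp;id=12">Read more</a></body></html>',
    'd.example': '<html><head><meta name="generator" content="WordPress 2.9.1" /></head></html>',
    'e.example': '<html><body><p>Hand-written static page.</p></body></html>',
}
# Constructed stand-in for the Safe Browsing lookup (the real check is an API call).
SAMPLE_BLOCKLIST = {'b.example', 'd.example'}

if __name__ == '__main__':
    for host, html in SAMPLE_PAGES.items():
        fp = fingerprint(html)
        print(host, fp.is_joomla, fp.version, branch_status(fp.version), fp.evidence)
    print(survey(SAMPLE_PAGES, SAMPLE_BLOCKLIST))
```

    Two caveats matter when reading such counts. The generator tag only reveals the branch (1.0 versus 1.5), not the patch release, so "older version" judged from it alone can only separate the end-of-life 1.0.x branch from 1.5.x; finer version detection needs other indicators such as the shipped file set. And blanking the generator tag is a common hardening step, which is why the example falls back to two independent secondary hints before counting a site as Joomla.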

    We present the most interesting results in brief:

    This limited experiment showed a correlation between Joomla installations and the vulnerabilities hackers target to spread malware. It will be interesting to compare this trend with those of the CMS packages we will analyze in the coming days. Nonetheless, it is heartening that none of the websites running Joomla 1.5 were listed on Google's Safe Browsing list at the time of the check (bearing in mind that the list records sites known to serve malware or phishing pages, so absence from it is not proof that a site is clean).

    Till next time.

    Below we present a sample of the websites using Joomla.

    123ror.no
    123-vle.com
    1-euro-gmbh.com
    1stoneonline.org
    22paths.com
    5-bhai.org
    989vip.com
    abc-webshop.com
    abqjournal.com
    absolutetraders.co.za
    absolutionists.com
    aerospacehorizons.com
    afocusonyourfuture.com
    akiraciai.com
    albania4arab.com
    alkatron.it
    allbdevents.com
    alphasoundstudios.com
    anesthesiacare.com
    angkasa.gov.my
    annmurphyflorists.com
    aominions.org
    ap2.joomlapraise.com
    apfmi.com
    arabicamusic.tv
    arawaktech.com
    aritcon.de
    atelier-rousseaufrederic.com
    autoadoption.com
    azbukapro.net
    babymar.net
    back2africa.nl
    balittro.litbang.deptan.go.id
    bassittenterprises.com
    bavdw.com
    beancounterz.org
    bebejour.com
    bellevuecollisioncare.com
    belmontstudenthousing.com
    bhpartners.net
    biblioteca.catie.ac.cr
    bic.moe.go.th
    big-sammys-hotdogs.com
    big-sammyshotdogs.com
    billhope.net
    brandartistlife.com
    brazilpedia.com
    brazzilinfo.com
    brokerlarry.com
    budgetsupplement.nl
    bulgarialettings.co.uk
    buttonwillowhq.com
    calaqueroleta.com
    cantyouhear.com
    carbonkiller.com
    caribbeancomputercompany.com
    caribenscoutgroup.org
    cartagocomercial.com
    ccauroraems.com
    cehcp.org
    cellularoptimization.com
    centralcoastlavenderfestival.com
    centrocnc.com
    centrometeosiciliano.com
    chaipat.or.th
    chechenews.com
    chezcesaria.com
    chuckdiehl.com
    classics.uc.edu
    clipcdc.com
    cmfm.net
    cobaltcamera.com
    co.douglas.ne.us
    colegioignacioaldama.com
    coltraining.org
    combilling.ru
    computerscm.com
    connorsphotography.net
    crezz.org
    crittersgallery.com
    cuibs.org
    cygnet-ecm.com
    cypcstore.com
    d22485318.a37.agcreativehosting.com
    dakofix.de
    dan-brown.org
    darklevel.org
    davidstanleytransport.com
    dcuweb.com
    deckboat.co.za
    delmarfishing.com
    demo.mosets.com
    denicarnahan.com
    detcompservices.com
    diabetic-health.info
    discospheric.com
    dmgmusicgroup.com
    docwithms.com
    dongvienthai.com
    dreamtive.com
    drnunemacher.com
    droidcon.de
    drsusiehill.com
    dsmdataservices.com
    dubmum.com
    dunklspace.com
    dwaynemorris.com
    ebay-is-out.com
    e-dynamics.net
    elaps-timing.com
    ellistyle.com
    email-synchronisation.com
    energyharvestpr.com
    esperantox.com
    eventklik.com
    evergreenrugby.com
    evropskemesto.cz
    famiri-lisse.com
    fishbowlpr.com
    flyingphoenixheavenlyhealingchikung.com
    fma.or.th
    focusonyourfuture.com
    freshoutsourcing.com
    freshwaterbolivar.com
    frittomisto.co.uk
    gattos.co.uk
    ghtex.com
    gibreview.com
    glenwinfield.com
    globalclear.org
    globalfreejob.com
    globalhudson.com
    globalstandards.com.au
    guneseviprojesi.com
    gvdiabetes.com
    hamroyatayat.com
    hcasaints.net
    health-only.com
    heliossrl.eu
    herenistarion.org
    herenya.com
    highereducationmanagement.eu
    hiregolfclubsdubai.com
    hostiopatiacancun.com
    hostmyreports.com
    host.nodesixvps.com
    htdquailguideservice.com
    huacatambo.com
    hypnosis-mp3.com
    iajgs.org
    ibeatradio.com
    ibexevents.com.au
    icoayouths.com
    idiverseme.com
    ihelpchurch.com
    infopascani.ro
    internal.mmi.co.id
    intimacyquestions.com
    ioc3.unesco.org
    ipeterborough.com
    ipitest.com
    issnaf.org
    iwebxpert.net
    jackogle.info
    jaguar.boxsecured.com
    jaildata.net
    jamskater.com
    jewelrywebstores.com
    jini.gr
    jinovc.com
    jmandgroup.com
    joomfish.org
    joomla2me.com
    jrosecatering.com
    juarezcustomhomes.com
    jyperkins.com
    kaarigar.net
    kedema.com
    khushab.org
    killtribe.com
    kycstudios.com
    lagartozero.com
    lapocioni.net
    lawyerarlington.com
    learn-web-hacking.com
    levietphuc.com
    lexprototus.com
    liquidcrystalsounds.com
    livingoceansfoundation.org
    llstoreuk.com
    loungebase.com
    lovekeke.com
    low-gi.info
    macmagicians.com
    mad-as-hell.org
    malandscape.net
    mambo.web-joy.de
    marksotelo.com
    mathewgagnon.net
    mekofa.dbbank.net
    mikestute.com
    mileagecorrectionservices.com
    mindyourbusiness.net
    mit.undip.ac.id
    mjkltd.net
    modavideolari.com
    mongoosepress.info
    montrealquebeclatino.com
    morgansisland.net
    motobuzz.co.cc
    mountainxtra.com
    mpninsider.com
    mthoodfun.com
    muddyjosh.com
    mylanka.org
    myperfectalgeria.com
    mywillinstructed.com
    nappydread-i.com
    naturwissenschaftler.de
    neidevserver.net
    newgrantinfo.com
    newsitebuilders.com
    number12secret.com
    obcian.com
    ocsopedia.com
    odw.biz
    oldbenzhome.com
    oldchevyshome.com
    oldcornersaloon.com
    oldfordshome.com
    oldminishome.com
    oldmoparshome.com
    oldrovershome.com
    oldtruckshome.com
    oldvwshome.com
    olympusmobile.net
    omnium-gatherum.net
    organics-recycling.org.uk
    organizeutah.com
    ost-au.com
    osteopatiacancun.com
    parrishwomble.com
    pasautorepair.com
    pcb-design.org
    pfoa-mc.org
    pfoa-ms.org
    pieceofcakekitchen.com
    pilsum.com
    platinum-cars-uk.com
    plot-shop-online.de
    poderesaude.com.br
    postcardsfromlasvegas.com
    prezemi.com
    primetarget.org
    primrosetelecom.co.uk
    profootballdraftinsider.com
    prohairsupplies.com
    projectnucleus.org
    protestthehero.eu
    purebreaddeli.com
    quadcitysquares.com
    rainbowextravaganza.com
    rapatsa.com
    rarenovaction.com
    rawinontario.com
    rechtsanwalt-online.eu
    remembertheyard.com
    roomatthecastle.com
    roylon.com
    rshm.gov.tr
    saletop.com
    salvitae.eu
    sandyrosenbaum.com
    sarah-kurtz.org
    scenicworld.co.uk
    scienceworksforus.org
    sdakinship.net
    seblod-dev.com
    seegchina.eu
    serenajohnson.org
    sharelancer.com
    silverstarmountain.ca
    silvertipgroup.com
    simplyaskus.com
    sindhhyd.com
    siparuntum.com
    siteground11.com
    sjubc.com
    sovereignty-empire.com
    spoorsweb.nl
    sportingconservation.org
    spravochnic.com
    stalyticsdemo.com
    stampsales.net
    stanleyvictor.com
    stefanomazza.net
    stmarkcentre.org.uk
    sunithi.freei.me
    superhorsetraining.com
    swimwithjenny.co.uk
    synopticcoders.co.uk
    sysexpo.com
    tamilcircle.net
    team4fun.eu
    testingforclient.com
    tfmandassociatesinc.com
    thebattleforliberty.com
    theeyesarethesame.com
    themandalfamily.com
    tibebat.com
    time4nascar.com
    tingtinghan.net
    tinocoysantamaria.com
    ti-wow.com
    town.williston.vt.us
    tpsacanada.com
    translationmanager.org
    trkconsulting.org
    tropicaleditions.com
    tuxpro.com
    tychoseye.nl
    un-instraw.org
    unitekk.com
    usaffiliates.net
    usroot.com
    vajira.ac.th
    ventaszonafranca.com
    vibranted.com
    virtualpbxcompare.info
    vividtuning.com
    waverleywoollahra.ses.nsw.gov.au
    websauce.org.au
    welldone-hannah.com
    westsidepawn.biz
    wetzlar-kurier.net
    wheninvisiblechildrensing.org
    whereyougot.com
    wilhelminaschool.eu
    windjammerlodge.com
    wolverine2812.com
    womenoftheucc.com
    ws1.njpac.org
    wtfchefs.us
    www3a.biotec.or.th
    xband.eu
    xenones.gr
    xpand-productions.com
    xperteaze.net
    yahyaayhanacar.com
    yarmouthnet.com
    yellow-advertising.com
    yourchoicetech.com
    youreasymemories.com
    zephyrfm.com
    zombiz.net
    
    • […] with this series of articles on CMS security, we have previously profiled Joomla and WordPress, this time we will be focusing on Drupal. Another, in a line of popular CMSs […]

      Posted by Analyzing Popular CMSs: Are Drupal Users at Risk? – StopTheHacker.com – Jaal, LLC. on February 3rd

    • […] with this series of articles on CMS security, we have previously profiled Joomla, WordPress and Drupal, this time we will be focusing on phpBB. I can already hear some CMS purists […]

      Posted by Analyzing Popular CMSs: Are phpBB Users at Risk? – StopTheHacker.com – Jaal, LLC. on February 4th

    • […] on CMS analysis, this time we will be focusing on vBulletin. We have previously profiled Joomla, WordPress, Drupal and […]

      Posted by Analyzing Popular CMSs: Are vBulletin Users at Risk? – stopthehacker.com – Jaal, LLC on February 9th