Now updated with changes made in Aug 2024 (Joomla 3.10.19-elts)
We all know Joomla 3 is now end of life, but how do you fix the Joomla 3 security issues that are still being found, without going crazy? Easily, with the mySites.guru one-click tool!
This new tool, as part of the Ultimate Tools for Joomla in the mySites.guru service is hosted in the Site Snapshot.
The tool only runs on Joomla 3.10.12, the last officially released public version of the Joomla 3 series, and ignores the commercial ELTS scam scheme.
The tool displays the number of files that we have determined are not yet patched and lets you fix that site with one click by allowing us to patch the Joomla 3.10.12 files for you.
There are currently 50 files that need modifying since Joomla 3.10.12 was released to make it as secure as possible, addressing all known security issues at this time.
Where can I find this tool to fix my Joomla 3 security issues?
You can use the Command Palette (Cmd+K) and search for "find all", or you can view the tool in the Joomla Configuration section of the Snapshot on your Manage Joomla Site page in your mySites.guru account.
This will lead you to the site tool overview page that lists all your Joomla 3.10.12 websites and shows their patch status.
What are the known security issues this fixes?
Well, the ones that are known are quite minor really. Nothing here is going to get your site hacked while you sleep, but there are some minor issues that you should resolve with the security patch in mySites.guru so that you can be sure your Joomla 3 site is protected from all known security issues.
There are known issues with Cross Site Scripting in media selection fields and mail address output, an open redirect in the installation application (which should never be on a live site anyway!), an insufficient session expiration issue when saving MFA for users, and an exposure of environment variables in a fringe edge case.
Specifically, which Joomla 3 security issues can mySites.guru fix?
- Fixes in Joomla 3.10.19-elts that fix the broken code released in the 3.10.18-elts release
- Fixes in Joomla 3.10.18-elts that fix the broken code released in the 3.10.17-elts release
- CVE-2024-27184 – [20240801] – Core – Inadequate validation of internal URLs
- CVE-2024-27185 – [20240802] – Core – Cache Poisoning in Pagination
- CVE-2024-40743 – [20240805] – Core – XSS vectors in Outputfilter::strip* methods
- CVE-2024-21731 – [20240703] – Core – XSS in StringHelper::truncate method
- CVE-2024-26279 – [20240704] – Core – XSS in Wrapper extensions
- CVE-2024-26278 – [20240705] – Core – XSS in com_fields default field value
- CVE-2024-21726 – Inadequate content filtering within the filter code
- CVE-2024-21724 – XSS in media selection fields.
- CVE-2024-21725 – XSS in mail address outputs
- CVE-2024-21723 – Open redirect in installation application.
- CVE-2024-21722 – Insufficient session expiration in MFA management views.
- CVE-2023-40626 – Exposure of environment variables.
The following is the list of files that the mySites.guru tool will modify for you:
- administrator/components/com_config/model/form/application.xml
- administrator/language/en-GB/en-GB.com_config.ini
- components/com_content/views/archive/view.html.php
- components/com_finder/views/search/view.html.php
- components/com_search/views/search/view.html.php
- libraries/src/Cache/Cache.php
- libraries/src/Pagination/Pagination.php
- administrator/components/com_banners/models/forms/banner.xml
- administrator/components/com_categories/models/forms/category.xml
- administrator/components/com_config/model/form/application.xml
- administrator/components/com_contact/config.xml
- administrator/components/com_contact/models/forms/contact.xml
- administrator/components/com_content/models/forms/article.xml
- administrator/components/com_fields/models/forms/field.xml
- administrator/components/com_menus/models/forms/item_alias.xml
- administrator/components/com_menus/models/forms/item_component.xml
- administrator/components/com_menus/models/forms/item_heading.xml
- administrator/components/com_menus/models/forms/item_separator.xml
- administrator/components/com_menus/models/forms/item_url.xml
- administrator/components/com_menus/models/forms/itemadmin_alias.xml
- administrator/components/com_menus/models/forms/itemadmin_component.xml
- administrator/components/com_menus/models/forms/itemadmin_container.xml
- administrator/components/com_menus/models/forms/itemadmin_heading.xml
- administrator/components/com_menus/models/forms/itemadmin_url.xml
- administrator/components/com_newsfeeds/models/forms/newsfeed.xml
- administrator/components/com_tags/models/forms/tag.xml
- administrator/components/com_users/models/user.php
- administrator/language/en-GB/en-GB.lib_joomla.ini
- administrator/templates/hathor/templateDetails.xml
- administrator/templates/isis/templateDetails.xml
- components/com_content/models/forms/article.xml
- components/com_tags/views/tag/tmpl/default.xml
- components/com_tags/views/tag/tmpl/list.xml
- components/com_tags/views/tags/tmpl/default.xml
- components/com_users/models/profile.php
- components/com_users/views/login/tmpl/default.xml
- components/com_wrapper/views/wrapper/tmpl/default.xml
- includes/framework.php
- libraries/cms/html/string.php
- libraries/fof/download/adapter/cacert.pem
- libraries/src/Form/Rule/UrlRule.php
- libraries/src/Http/Transport/cacert.pem
- libraries/src/Language/LanguageHelper.php
- libraries/src/Uri/Uri.php
- libraries/vendor/joomla/filter/src/InputFilter.php
- libraries/vendor/joomla/filter/src/OutputFilter.php
- libraries/src/Pagination/Pagination.php
- modules/mod_custom/mod_custom.xml
- modules/mod_wrapper/mod_wrapper.xml
- plugins/user/profile/profile.php
- templates/beez3/templateDetails.xml
- templates/protostar/templateDetails.xml
A lot of these files are XML files, which set new validations for the filters. Changing the XML files alone is not enough to secure your site; they work in conjunction with the changes in the PHP files.
What happens if I set this tool to not ok/red with the toggle?
We will revert the files to the Joomla 3.10.12 version of that file, reintroducing the security issue that was previously resolved by patching.
How can I fix my Joomla 3 security issues?
You can simply login to mySites.guru, click Manage Site next to your Joomla 3.10.12 site, and then on the Snapshot tab scroll down and look for
Fix All Known Joomla 3 End Of Life Security Issues
and then click the toggle next to it to patch your site with a single click.
What if I have many Joomla 3.10.12 sites that need patching?
Simple, click the square button next to the toggle – it looks like this:
That button will lead you to a list of all your Joomla 3.10.12 websites where you can see an overview of their patch status, and more toggles to activate to patch your sites – simple!
How does mySites.guru fix Joomla 3 security issues?
The mySites.guru connector on your site knows the status of your files, and when you toggle the tool in mySites.guru we compare the md5 hash of your 36 files to the expected md5 hash of the secured, patched versions.
If they differ then mySites.guru will attempt to replace the old files with the new patched version.
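To make the compare-and-replace step above concrete (and the revert described under the "not ok/red" toggle), here is an added example of a manifest-driven checker; it is not mySites.guru's own connector code. It takes three relative paths from the list above, but the file contents, and therefore the md5 values, are constructed for the demo and are not the real Joomla 3.10.12 or patched hashes. A file is replaced only when its hash differs from the manifest, the old copy is kept so the change can be reverted, and the replacement is done with an atomic rename so a failed write never leaves a half-written core file.

```python
"""Check and patch a Joomla 3 tree against a manifest of expected md5 hashes."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample: the relative paths appear in the list above, but the
# contents (and so the hashes) are made up for this demo. They are NOT the
# real Joomla 3.10.12 or patched file hashes.
ORIGINAL_FILES = {
    "libraries/src/Uri/Uri.php": b"<?php // 3.10.12 Uri.php (constructed)\n",
    "libraries/cms/html/string.php": b"<?php // 3.10.12 string.php (constructed)\n",
    "includes/framework.php": b"<?php // 3.10.12 framework.php (constructed)\n",
}
PATCHED_FILES = {
    "libraries/src/Uri/Uri.php": b"<?php // patched Uri.php (constructed)\n",
    "libraries/cms/html/string.php": b"<?php // patched string.php (constructed)\n",
    "includes/framework.php": b"<?php // patched framework.php (constructed)\n",
}
# The manifest the checker trusts: expected md5 of each secured file.
MANIFEST = {rel: hashlib.md5(data).hexdigest() for rel, data in PATCHED_FILES.items()}


def md5_of(path: Path) -> str:
    """Stream the file through md5 so large core files are not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def patch_status(site_root: Path, manifest: dict) -> dict:
    """Classify every manifest entry as 'patched', 'unpatched' or 'missing'."""
    status = {}
    for rel, expected in manifest.items():
        target = site_root / rel
        if not target.is_file():
            status[rel] = "missing"
        elif md5_of(target) == expected:
            status[rel] = "patched"
        else:
            status[rel] = "unpatched"
    return status


def apply_patches(site_root: Path, manifest: dict, patched_files: dict, backup_dir: Path) -> list:
    """Replace only files whose hash differs; keep the old copy so the change can be reverted."""
    replaced = []
    for rel, state in patch_status(site_root, manifest).items():
        if state != "unpatched":
            continue  # already patched, or nothing on disk to replace
        target = site_root / rel
        backup = backup_dir / rel
        backup.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(target, backup)
        tmp = target.parent / (target.name + ".tmp")
        tmp.write_bytes(patched_files[rel])
        tmp.replace(target)  # atomic rename: no half-written core file on failure
        replaced.append(rel)
    return replaced


def revert_patches(site_root: Path, backup_dir: Path) -> list:
    """Put the backed-up originals back (what the 'not ok/red' toggle does)."""
    restored = []
    for backup in sorted(backup_dir.rglob("*")):
        if backup.is_file():
            rel = backup.relative_to(backup_dir).as_posix()
            shutil.copy2(backup, site_root / rel)
            restored.append(rel)
    return restored


def demo() -> dict:
    """Build a constructed site tree, then run check -> patch -> check -> revert -> check."""
    site = Path(tempfile.mkdtemp(prefix="joomla3-")) / "site"
    backups = Path(tempfile.mkdtemp(prefix="joomla3-backup-"))
    # One file already patched, one still at 3.10.12, one absent from disk.
    seed = {
        "libraries/src/Uri/Uri.php": PATCHED_FILES["libraries/src/Uri/Uri.php"],
        "libraries/cms/html/string.php": ORIGINAL_FILES["libraries/cms/html/string.php"],
    }
    for rel, data in seed.items():
        (site / rel).parent.mkdir(parents=True, exist_ok=True)
        (site / rel).write_bytes(data)
    before = patch_status(site, MANIFEST)
    replaced = apply_patches(site, MANIFEST, PATCHED_FILES, backups)
    after = patch_status(site, MANIFEST)
    reverted = revert_patches(site, backups)
    return {"before": before, "replaced": replaced, "after": after,
            "reverted": reverted, "restored": patch_status(site, MANIFEST)}


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Note that a file which is missing on disk is reported rather than created: a checker cannot tell whether it was removed on purpose, so it is left for a human to look at. md5 is adequate for spotting drift between known versions of your own files, but for a manifest that must resist deliberate tampering a collision-resistant digest such as sha256 is the better choice; swapping `hashlib.md5` for `hashlib.sha256` is the only change needed.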
How will I know what the changes are?
The mySites.guru audit will show all patched files as Core File Changes in the main audit tools, because they ARE changes to the default Joomla 3.10.12 distributed versions.
Why are you talking about Joomla 3 when Joomla 4 and 5 are out?
There are still tens of thousands of sites running Joomla 3.
1.4% of the internet still runs Joomla 3.x (Joomla! CMS, all versions combined, powers 1.7% of all websites on the internet).
W3Techs.com
These all need protecting against newly found vulnerabilities, and as all Digital Agency dashboard owners know, moving customers across versions – with large incompatible upgrades – takes time and budget, and sometimes never happens.
The very latest Joomla Usage Statistics show that Joomla 3.10.x is being used over 35% of the time.
Conclusion
The new toggle switch in the mySites.guru service will allow you to apply all the known patches to all the known security issues in Joomla 3 at any given time.
That way you can sleep soundly in the secure knowledge that your end of life Joomla 3 sites are slightly more secure than Joomla 3.10.12.
Of course, you should have already been planning or implementing your move to Joomla 4…. and onwards to Joomla 5 right? … you are doing that right? oh… never mind then …
Last updated on October 22nd, 2024