mySites.guru

How To Fix All Joomla 3 Security Issues With A Single Click

We all know Joomla 3 is now end of life, but how to fix Joomla 3 security issues still being found without going crazy?

This article was written in Feb 2024, and at the time of writing all facts and figures were correct.

Introducing the mySites.guru One Click Fix All Joomla 3 Security Issues Tool!

This new tool, as part of the Ultimate Tools for Joomla in the mySites.guru service is hosted in the Site Snapshot.

The tool only runs on Joomla 3.10.12 version – that is the last officially released public version of the Joomla 3 series – ignoring the commercial ELTs scam scheme.

The tool displays the number of files that we have determined are not yet patched and gives you the ability to one click fix that site by allowing us to patch the Joomla 3.10.12 files for you.

There are currently 36 files that need modifying since Joomla 3.10.12 was released, to make Joomla 3.10.12 as secure as possible, addressing all known security issues at this time.

Where can I find this tool to fix my Joomla 3 security issues?

You can use the Command Palette cmd k and search for find all, or you can view the tool in the Joomla Configuration section of the Snapshot on your Manage Joomla Site page in your mySites.guru account.

Command palette search for "Fix All Known Joomla 3 End Of Life Security Issues"

This will lead you to the site tool overview page that lists all your Joomla 3.10.12 websites and shows their patch status.

Fix All Known Joomla 3 End Of Life Security Issues overview screen

What are the known security issues this fixes?

Well, the ones that are known are quite minor really. There is nothing that is going to get your site hacked right away while you sleep, but there are some minor issues that you should resolve with the security patch in mySites.guru so that you can be sure that your Joomla 3 site is fully protected from all known security issues.

There are known issues with Cross Site Scripting in media selection fields and mail address output – an open redirect in installation (which should never be on a live site anyway!), an insufficient session expiration issue when saving MFA for users and an exposure of environment variables in a fringe edge case.

Specifically, which Joomla 3 security issues can mySites.guru fix?

The following is the list of files that the mySites.guru tool will modify for you:

  • administrator/components/com_config/model/form/application.xml
  • administrator/components/com_categories/models/forms/category.xml
  • administrator/components/com_banners/models/forms/banner.xml
  • administrator/components/com_newsfeeds/models/forms/newsfeed.xml
  • administrator/components/com_content/models/forms/article.xml
  • administrator/components/com_contact/models/forms/contact.xml
  • administrator/components/com_contact/config.xml
  • administrator/components/com_tags/models/forms/tag.xml
  • administrator/components/com_menus/models/forms/item_separator.xml
  • administrator/components/com_menus/models/forms/item_heading.xml
  • administrator/components/com_menus/models/forms/itemadmin_component.xml
  • administrator/components/com_menus/models/forms/item_alias.xml
  • administrator/components/com_menus/models/forms/itemadmin_heading.xml
  • administrator/components/com_menus/models/forms/item_component.xml
  • administrator/components/com_menus/models/forms/itemadmin_alias.xml
  • administrator/components/com_menus/models/forms/item_url.xml
  • administrator/components/com_menus/models/forms/itemadmin_container.xml
  • administrator/components/com_menus/models/forms/itemadmin_url.xml
  • administrator/components/com_users/models/user.php
  • administrator/templates/hathor/templateDetails.xml
  • administrator/templates/isis/templateDetails.xml
  • components/com_content/models/forms/article.xml
  • components/com_tags/views/tags/tmpl/default.xml
  • components/com_tags/views/tag/tmpl/list.xml
  • components/com_tags/views/tag/tmpl/default.xml
  • components/com_users/models/profile.php
  • components/com_users/views/login/tmpl/default.xml
  • includes/framework.php
  • libraries/vendor/joomla/filter/src/InputFilter.php
  • libraries/src/Form/Rule/UrlRule.php
  • libraries/src/Language/LanguageHelper.php
  • modules/mod_custom/mod_custom.xml
  • plugins/user/profile/profile.php
  • templates/protostar/templateDetails.xml
  • templates/beez3/templateDetails.xml

A lot of these files are XML files, which set new validations for the filters. Changing the XML files alone is not enough to secure your site, they work in conjunction with the changes in the PHP files.

What happens if I set this tool to not ok/red with the toggle?

We will revert the files to the Joomla 3.10.12 version of that file, reintroducing the security issue that was previously resolved by patching.

How can I fix my Joomla 3 security issues?

You can simply login to mySites.guru, click Manage Site next to your Joomla 3.10.12 site, and then on the Snapshot tab scroll down and look for

Fix All Known Joomla 3 End Of Life Security Issues

and then click the toggle next to it to patch your site with a single click

What if I have many Joomla 3.10.12 sites that need patching?

Simple, click the square button next to the toggle – it looks like this:

view the joomla 3 security issues on all sites

That button will lead you to a list of all your Joomla 3.10.12 websites where you can see an overview of their patch status, and more toggles to activate to patch your sites – simple!

Fix All Known Joomla 3 End Of Life Security Issues

How does mySites.guru fix Joomla 3 security issues?

The mySites.guru connector on your site knows about the status of your files, and when you toggle the tool in mySites.guru we will compare the md5 hash of your 36 files to the expected md5 hash of the secured patched versions.

If they differ then mySites.guru will attempt to replace the old files with the new patched version.

How will I know what the changes are?

The mySites.guru audit will so all patched files as Core File Changes in the main audit tools. This is because they ARE changes to the default Joomla 3.10.12 distributed versions.

file diff in mySites.guru

Why are you talking about Joomla 3 when Joomla 4 and 5 are out?

There are still tens of thousands of sites still running Joomla 3.

1.4% of the internet still runs Joomla 3.x Joomla! CMS (All versions combined) powers 1.7% of all websites on the internet)

W3Tech.com
1.4% of the internet still runs insecure Joomla
Version 3 is used by 83.1% of all the websites that use Joomla. Source: W3Techs 21 Feb 2024.

These all need protecting against new vulnerabilities found and as all Digital Agency dashboard owners know, moving customers across versions – with large incompatible upgrades – takes time, budgets and sometimes never happens.

The very latest Joomla Usage Statistics show that Joomla 3.10.x is being used over 35% of the time.

The most recent security issues for joomla
Source: https://developer.joomla.org/about/stats.html 21st Feb 2024

Conclusion

The new toggle switch in the mySites.guru service will allow you to apply all the known patches to all the known security issues in Joomla 3 at any given time

That way you can sleep sound in the secure knowledge that your end of life Joomla 3 sites are slightly more secure than Joomla 3.10.12

Of course, you should have already been planning or implementing your move to Joomla 4…. and onwards to Joomla 5 right? … you are doing that right? oh… never mind then …