Joomla admin page

OWASP 2013-A7 OWASP 2017-A5,OWASP 2017-A2 OWASP PC-C6 PCI v3.2- CAPEC-87 CWE-425 HIPAA-425 ISO27001-A.9.4.1 WASC-34

Joomla! is one of the most widely used free and open-source content management systems, used to publish web content. It is developed by Open Source Matters, Inc. and is built on a model–view–controller web application framework, which can also be used independently of the content management system.

The Administrator application (also called the admin page, Control Panel, Back-end, or Admin Panel) is the management interface of Joomla!. Only the admin user has full privileges here; other site roles have restricted privileges. Through this interface the admin user controls the appearance of a Joomla!-powered web site, and many tasks can be performed only from it. The admin user chooses how the site should look using the Template Manager, so an attacker with access to it can change the site's appearance by changing templates. Admin users can also install new extensions such as components, languages, modules, and plugins. The admin interface is served at a well-known default URL path. If this path is not changed, an attacker can reach the admin login page simply by appending the default name to the site's URL.

Example

The following path is the default admin page location:

https://example.beaglesecurity.com/administrator

Impact

The impact includes:

  • The attacker will get administrative access.
  • Possible loss of sensitive information.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Change the default administrator path name.
  • Update Joomla to the latest version.
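Until the default path is changed, access to it is worth watching. The following script is an added example (not Beagle's own code) that parses web server access logs in the common "combined" format and flags requests to the default Joomla admin path from outside an administrator IP allowlist; the allowlist networks and the log lines are constructed for this example and should be adjusted to your environment.

```python
import re
from ipaddress import ip_address, ip_network
from collections import Counter

# Apache/Nginx "combined" log format (the sample lines below are constructed, not real traffic).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Networks from which administrators are expected to log in (assumed values, adjust as needed).
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Default Joomla back-end path; change this if the site has moved its admin page.
ADMIN_PATH = "/administrator"


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(ip):
    """True if the client address falls inside one of the administrator networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def is_admin_request(path):
    """Match the admin path itself and anything below it, but not e.g. /administrators."""
    return path == ADMIN_PATH or path.startswith(ADMIN_PATH + "/")


def find_admin_probes(lines):
    """Count requests to the admin path per source IP, ignoring allowlisted administrators."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_admin_request(rec["path"]) and not is_allowlisted(rec["ip"]):
            hits[rec["ip"]] += 1
    return hits


SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /administrator/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /administrator HTTP/1.1" 301 0 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, n in find_admin_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} request(s) to {ADMIN_PATH} from outside the admin allowlist")
```

Run against real logs by replacing SAMPLE_LOG with the contents of the access log; a non-allowlisted source with repeated hits on the admin path is a candidate for blocking at the web server or firewall.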
