Book Image

Learning Joomla! 3 Extension Development - Third Edition

By : Timothy John Plummer
Book Image

Learning Joomla! 3 Extension Development - Third Edition

By: Timothy John Plummer

Overview of this book

Joomla 3 is the first of the major open source content management systems that was meant to be mobile friendly by default. Joomla uses object-oriented principles, is database agnostic, and has the best mix of functionality, extensibility, and user friendliness. Add to that the fact that Joomla is completely community driven, and you have a winning combination that is available to everyone, and is the perfect platform to build your own custom applications. "Learning Joomla! 3 Extension Development" is an integrated series of practical, hands-on tutorials that guide you through building and extending Joomla plugins, modules, and components. With Joomla having been downloaded well over 35 million times, there is a huge market for Joomla extensions, so you could potentially earn some extra cash in your spare time using your newly acquired Joomla extension development skills. We will start with developing simple plugins and modules, and then progress to more complex backend and frontend component development. Then we will try our hand at ethical hacking, so you will learn about common security vulnerabilities and what you can do to avoid them. After that we will look at how you can prepare your extensions for distribution and updates, as well as how you can extend your components with various plugins and modules. Finally, you will end up with a fully functioning package of extensions that you can use on your own site or share with others. If you want to build your own custom applications in Joomla, then "Learning Joomla! 3 Extension Development" will teach you everything you need to know in a practical, hands-on manner.
Table of Contents (18 chapters)
Learning Joomla! 3 Extension Development
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Preface
Index

Remote File Inclusion


This is similar to a LFI, however with a Remote File Inclusion (RFI), a file from another website is loaded rather than a file from the same website.

Now we are going to add some code to our folio.php file under /components/com_folio, which will make it vulnerable to remote file inclusion. Obviously this code isn't required for our component and is only to demonstrate the vulnerability. You can add this code near the top of the file.

if($controller = JRequest::getVar('controller'))
{
  require_once $controller;
}

This time, create demo.txt and put it on another site, for example http://localhost/joomlatest/tmp/demo.txt. We won't give it a PHP extension as we will try to disguise it as a text file. Just because it doesn't have a PHP extension, doesn't mean it won't be executed as PHP code.

<?php
echo phpinfo();
die;

Note

You may have to enable allow_url_include = On in your php.ini for you to simulate this vulnerability.

Now try in your browser the following URL (where...