Hi,
Our site (http://nhp.org.in/en/) has recently undergone a security audit, and we are considering buying the premium support if it can help resolve the issues mentioned below, as per the report we received.
- Malicious file upload is possible via the Kunena forum. An attacker can upload malicious executable files to the system by simply renaming a .exe file to .jpeg, and the Kunena forum allows the upload even if the MIME type check is active and the .exe extension is added to the not-allowed list. There is no way to inspect the content type of files.
- HTML forms are without CSRF protection. Although Joomla itself implements CSRF protection with tokens, they are session based. They have advised that the token should refresh on every request and every page reload, and the last token should expire, to prevent CSRF attacks.
- Login logs. We need to maintain logs of user logins, both successful and unsuccessful attempts. Logs should cover these details: user ID, username, system IP, login status, login date and time, logout date and time.
If premium support can help rectify these issues, we are more than willing to renew/purchase premium support. Please let us know.
Awaiting your earliest response.
Regards,
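The first finding above (a .exe renamed to .jpeg passing an extension and MIME-type check) comes down to trusting client-controlled metadata. The following is an added example, not Kunena or Joomla code, of the missing content inspection: the file's leading bytes are compared against known image signatures, so a renamed executable is rejected even when its name and declared MIME type say "image". Function names and the sample bytes are constructed for illustration.

```python
# Added example: content-based upload check using image magic bytes.
# Not Kunena/Joomla code. The extension and claimed MIME type come from the
# client and are therefore untrusted; only the file content is inspected.

MAGIC_SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXTENSIONS = set(MAGIC_SIGNATURES)


def extension_of(filename: str) -> str:
    """Lower-cased extension after the last dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_upload(filename: str, claimed_mime: str, data: bytes):
    """Return (accepted, reason) for an upload.

    The extension allow-list and the MIME check are what the forum already
    does; the magic-byte comparison is the content inspection it lacks.
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if not claimed_mime.startswith("image/"):
        return False, f"claimed type {claimed_mime} is not an image"
    if not any(data.startswith(sig) for sig in MAGIC_SIGNATURES[ext]):
        return False, f"content does not match a .{ext} image"
    return True, "ok"


# Constructed samples: a real JPEG/JFIF header, and a Windows PE file
# ("MZ" header) that has simply been renamed to photo.jpeg.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, mime, blob in [("photo.jpeg", "image/jpeg", REAL_JPEG),
                             ("photo.jpeg", "image/jpeg", RENAMED_EXE),
                             ("tool.exe", "application/octet-stream", RENAMED_EXE)]:
        print(name, check_upload(name, mime, blob))
```

Magic bytes only prove that the file starts like an image; decoding and re-encoding the image server side before storing it is the stronger check.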