Recently we received notice from the Joomla security team of a possible vulnerability in our Watchful Client. Specifically:
“Extension is not preventing execution of files outside of the framework (JEXEC not properly implemented) and therefore enabling potential unwanted information disclosure and various other attacks”
To be clear, this analysis is not accurate. The Watchful Client has always prevented execution of files outside the Joomla framework.
Prior versions of the client contained either “defined('_JEXEC') or die;” or our internal version of this, “defined('WATCHFULLI_PATH') or die;” in all PHP files.
Both are equally secure, because the “WATCHFULLI_PATH” constant is defined in a file that contains the “_JEXEC” check, thus all files inherit the security check.
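To illustrate the inheritance argument above, here is an added example (not Watchful's or Joomla's code; the file names are hypothetical) that writes three small PHP files and runs each one directly from the command line: only the entry point defines _JEXEC, only the JEXEC-guarded bootstrap defines WATCHFULLI_PATH, so a file guarded by the internal constant still dies when called outside the framework.

```php
<?php
// Added example: WATCHFULLI_PATH is defined only after a _JEXEC check has
// passed, so a file guarded by WATCHFULLI_PATH inherits that check.
$dir = sys_get_temp_dir() . '/jexec_demo_' . bin2hex(random_bytes(4));
mkdir($dir);

// Framework entry point (hypothetical index.php): the only place _JEXEC is defined.
file_put_contents("$dir/index.php", <<<'PHP'
<?php
define('_JEXEC', 1);
require __DIR__ . '/bootstrap.php';
require __DIR__ . '/helper.php';
echo 'helper says: ' . helper_greeting() . PHP_EOL;
PHP
);

// Bootstrap (hypothetical): JEXEC-guarded, and the only place WATCHFULLI_PATH is defined.
file_put_contents("$dir/bootstrap.php", <<<'PHP'
<?php
defined('_JEXEC') or die('Restricted access');
define('WATCHFULLI_PATH', __DIR__);
PHP
);

// Helper (hypothetical): guarded by the internal constant, reachable only via bootstrap.
file_put_contents("$dir/helper.php", <<<'PHP'
<?php
defined('WATCHFULLI_PATH') or die('Restricted access');
function helper_greeting(): string { return 'loaded inside the framework'; }
PHP
);

// Run a file exactly as a direct request would: no framework, no constants predefined.
function run(string $file): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file);
    return trim(shell_exec($cmd) ?? '');
}

echo 'via index.php   : ', run("$dir/index.php"), PHP_EOL;     // helper says: loaded inside the framework
echo 'direct helper   : ', run("$dir/helper.php"), PHP_EOL;    // Restricted access
echo 'direct bootstrap: ', run("$dir/bootstrap.php"), PHP_EOL; // Restricted access

// Clean up the constructed files.
foreach (['index.php', 'bootstrap.php', 'helper.php'] as $f) {
    unlink("$dir/$f");
}
rmdir($dir);
```

Run with the php CLI; the two direct invocations print only the die() message, which is the behaviour the JEXEC guard is meant to guarantee.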
However, to be compliant with JED and VEL guidelines, the new version of the Watchful Client — 1.9.1 — now explicitly lists JEXEC in all PHP files as: “defined('_JEXEC') or die;”.
In addition, we've made two changes to harden security:
- Watchful now uses the standard Joomla framework entry point (index.php) and has moved away from our custom entry point (send.php). In addition to hardened security, there will be fewer issues with firewalls when adding sites to your dashboard.
- Watchful has an improved Secret Word generator that can also be customized by end users at their discretion.
The client has been updated on the JED, and resolution of the matter sent through appropriate channels in the Joomla project.
Please accept our apologies for any confusion related to this issue.