Watchful 1.9.1 released
Recently we received notice from the Joomla security team of a possible vulnerability in our Watchful Client. Specifically:
“Extension is not preventing execution of files outside of the framework (JEXEC not properly implemented) and therefore enabling potential unwanted information disclosure and various other attacks”
To be clear, this analysis is not accurate. The Watchful Client has always prevented execution of files outside the Joomla framework.
Prior versions of the client contained either "defined('_JEXEC') or die;" or our internal equivalent, "defined('WATCHFULLI_PATH') or die;", at the top of every PHP file.
Both are equally secure, because the "WATCHFULLI_PATH" constant is defined in a file that itself contains the "_JEXEC" check, so every file guarded by "WATCHFULLI_PATH" inherits that check: requested directly from the web, such a file finds neither constant defined and dies before any further code runs.
However, to comply with JED and VEL guidelines, the new version of the Watchful Client, 1.9.1, now uses the standard "defined('_JEXEC') or die;" check explicitly in every PHP file.
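The practical check behind the JED guideline is simple: every PHP file in the extension must carry an execution guard near its top. The following audit script is an added example (not Watchful's code, and not part of the original post); it lists PHP files whose first lines contain no guard, and can optionally accept a custom constant such as "WATCHFULLI_PATH" to audit the pre-1.9.1 convention described above. The sample tree it builds (watchful.php, lib/core.php, lib/helper.php, lib/unguarded.php) is constructed here for illustration; the real file names are not known from the post.

```shell
#!/bin/sh
# Audit a Joomla extension tree for PHP files lacking an execution guard.
# Added example, not Watchful's own code. Assumes the guard is a
# "defined('_JEXEC') or die" style statement within the first 20 lines.

# Print PHP files under $1 whose first 20 lines contain no accepted guard.
# $2 (optional) names an extra constant to accept besides _JEXEC, e.g.
# WATCHFULLI_PATH, so the older "inherited" guard can be audited too.
find_unguarded() {
    dir="$1"
    extra="${2:-}"
    pattern="defined\(['\"]_JEXEC['\"]\)"
    if [ -n "$extra" ]; then
        pattern="defined\(['\"](_JEXEC|$extra)['\"]\)"
    fi
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        if ! head -n 20 "$f" | grep -Eq "$pattern"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree (hypothetical file names) and print its root.
# core.php defines WATCHFULLI_PATH behind a _JEXEC check, as the post describes;
# helper.php relies only on WATCHFULLI_PATH; unguarded.php has no guard at all.
make_sample() {
    root="$(mktemp -d)"
    mkdir -p "$root/lib"
    printf '%s\n' '<?php' "defined('_JEXEC') or die;" 'echo "plugin entry";' > "$root/watchful.php"
    printf '%s\n' '<?php' "defined('_JEXEC') or die;" "define('WATCHFULLI_PATH', __DIR__);" > "$root/lib/core.php"
    printf '%s\n' '<?php' "defined('WATCHFULLI_PATH') or die;" 'echo "helper";' > "$root/lib/helper.php"
    printf '%s\n' '<?php' 'echo "no guard at all";' > "$root/lib/unguarded.php"
    printf '%s\n' "$root"
}

# Strict JED-style audit: only an explicit _JEXEC check counts.
# Returns the offending paths, relative to the tree root, space-separated.
strict_result() {
    root="$(make_sample)"
    find_unguarded "$root" | sed "s|^$root/||" | xargs echo
    rm -rf "$root"
}

# Lenient audit: also accept the inherited WATCHFULLI_PATH guard.
lenient_result() {
    root="$(make_sample)"
    find_unguarded "$root" WATCHFULLI_PATH | sed "s|^$root/||" | xargs echo
    rm -rf "$root"
}

echo "strict:  $(strict_result)"
echo "lenient: $(lenient_result)"
```

Run against a real extension with "find_unguarded /path/to/extension" (no second argument) to get the list JED reviewers would flag. Note that the script only proves a guard statement is present; it does not prove the guarded constant is defined solely behind a "_JEXEC" check, which is the property that makes a custom constant safe, so keep that definition in one place and review it by hand.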
In addition, we've made two changes to harden security:
- Watchful now uses the standard Joomla framework entry point (index.php) instead of our custom entry point (send.php). Besides hardening security, this means fewer issues with firewalls when adding sites to your dashboard.
- Watchful offers an improved Secret Word generator that end users can customize at their discretion.
The Joomla project has updated the client on the JED, and they have resolved the matter through appropriate channels.
Please accept our apologies for any confusion related to this issue.