Although the Joomla! core is secure when configured correctly, third party extensions come in all flavors of age and quality. Unless you absolutely trust the extension developer, always review the code should before installing.
The core is secure (but please don’t run a version before 1.5.23 at the time of writing, since there are serious security problems in the core of those).
Microsoft said the same kind of thing about their products by getting an impressive security rating for their Windows NT operating system:
As of August 1995, National Security Agency (NSA) granted the C2 security rating for Windows NT Server and Workstation version 3.5. As a result these operating systems are on the Evaluated Products List (EPL). Windows NT Server and Workstation version 3.51 has been granted the security rating of E3/F-C2 though a similar evaluation process in the UK.
Indeed, their core was secure. (Well, not if you threw random inputs at random unprivileged functions, but nobody thought of that for a few years.)
Both Joomla and Microsoft’s claims to good fundamental security do little to alleviate the actual causes of insecurity seen in practice:
- The system doesn’t do anything interesting without add-ons
- The add-ons are the cause of weaknesses
- It is well-nigh impossible to upgrade an add-on, since no core mechanism is provided for this unlikely task.
- The add-ons are written by folks that are not half as bright as the people that write the core. You don’t need to break the core: just break the weakest link in the security chain.
Experience shows that people prefer functionality over security until well after the moment that that functionality causes them trouble. The security of the core is of academic value only, unless the core does something remarkable to insulate the system’s users from the kind of software they will install to make up for the lack of core features.
A few projects seem to be doing updates of their plugins with some flair:
- Linux distributions – the whole concept is updating the plugins for the Linux kernel
- Firefox – and for good measure, they occasionally introduce incompatibilities in their core code that nuke unmaintained plugins into irrelevance (like the VMware remote desktop plugin).
- WordPress – well, unless you go to woothemes and install something pretty with obfuscated junk with a forked version of timthumb incorporating what may as well be backdoor code.
- CPAN and look-alikes for other languages
Security that relies on the core is rotten.