Spambots and e-mail harvesters are important tools for the spamming community: collecting e-mail addresses from web sites provides a ‘market’ for all that junk you get in your spam folder, and often in your inbox.

Like any good content management system or blog, Joomla protects e-mail addresses in your site content by using JavaScript to encode them in the source code of your site. This prevents harvesters from recognizing them as e-mail addresses, but still allows the end user to click the address on your site and trigger the default mail client to start composing a new message with the 'To:' field pre-populated.

The e-mail cloaking feature is delivered via the aptly named ‘Email cloaking’ plugin, which also makes protecting your e-mail addresses available to third-party extensions such as JCal Pro® that support content plugins. However, I have had to disable this plugin in the past on some sites, as end users would sometimes report the following error when they clicked on some e-mail links:

This e-mail address is being protected from spambots. You need JavaScript enabled to view it.
Jun 17, 2009

Implemented in Internet Explorer 4 as a technique to improve the end-user experience [1], ‘MIME sniffing’ or MIME type detection helps the browser determine file formats on the web such as text, HTML, and audio/video [2]. However, when IE detects a conflict while MIME sniffing (i.e. it encounters an image that is really a script), potential vulnerabilities arise:

[An] image that seems harmless at first glance may actually be dangerous if it begins with some HTML code, because Internet Explorer will then execute that code. This gives an attacker an opportunity to embed JavaScript in images and exploit the attack vector to execute cross-site scripting [(XSS)] attacks. [source]

If your web site contains this type of “cloaked” file, malicious code can be triggered when someone views your site. With the expansion of user-generated content, and the slow adoption of IE8 (which is not vulnerable to this exploit), the MIME sniffing feature has become a serious liability, as users have increasing access to placing files (images in particular) on web servers.
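The defensive side of this, as an added example (not code from the original post): a server that accepts image uploads can refuse files whose leading bytes do not match the declared image type, or whose first 256 bytes (the window Microsoft's MIME type detection documentation describes) contain HTML tokens, and can serve whatever it does accept with the `X-Content-Type-Options: nosniff` header that IE8 introduced. The token list is a conservative heuristic of my own, not a reimplementation of IE's sniffing algorithm, and the sample buffers are constructed.

```javascript
// Added example, not from the original post. Runs under Node.js.

// Leading "magic" bytes of the image formats we are willing to accept.
const MAGIC = {
  "image/png":  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  "image/jpeg": Buffer.from([0xff, 0xd8, 0xff]),
  "image/gif":  Buffer.from("GIF8"),
};

// HTML tokens a sniffing browser might key on (conservative, assumed list).
const HTML_TOKENS = ["<html", "<script", "<body", "<head", "<iframe", "<!doctype", "<object"];

// True if any HTML token appears in the first 256 bytes, case-insensitively.
function hasHtmlInLeadingBytes(buf) {
  const head = buf.subarray(0, 256).toString("latin1").toLowerCase();
  return HTML_TOKENS.some((t) => head.includes(t));
}

// True if the file starts with the magic bytes of the declared type.
function matchesDeclaredType(buf, declaredType) {
  const magic = MAGIC[declaredType];
  if (!magic) return false; // only image types we know how to check
  return buf.length >= magic.length && buf.subarray(0, magic.length).equals(magic);
}

// Validate an upload; returns { ok, reason } so the caller can log rejections.
function validateImageUpload(buf, declaredType) {
  if (!matchesDeclaredType(buf, declaredType)) {
    return { ok: false, reason: "magic bytes do not match " + declaredType };
  }
  if (hasHtmlInLeadingBytes(buf)) {
    return { ok: false, reason: "HTML markup in leading bytes" };
  }
  return { ok: true, reason: "" };
}

// Headers to send with any user-uploaded file: the declared type, nosniff so
// the browser does not second-guess it, and a download disposition for
// anything that is not an image.
function uploadResponseHeaders(declaredType) {
  return {
    "Content-Type": declaredType,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": declaredType.startsWith("image/") ? "inline" : "attachment",
  };
}

// Constructed samples: a valid PNG header, a plain HTML file uploaded as a GIF,
// and a "cloaked" file with a real GIF header followed by markup.
const goodPng = Buffer.concat([MAGIC["image/png"], Buffer.alloc(64, 0)]);
const htmlAsGif = Buffer.from("<html><body>not an image</body></html>");
const gifWithMarkup = Buffer.concat([Buffer.from("GIF89a"), Buffer.from("<script>/* placeholder */</script>")]);

for (const [name, buf, type] of [["goodPng", goodPng, "image/png"],
                                 ["htmlAsGif", htmlAsGif, "image/gif"],
                                 ["gifWithMarkup", gifWithMarkup, "image/gif"]]) {
  console.log(name, validateImageUpload(buf, type));
}
```

The third sample is the interesting one: it passes a magic-byte check on its own, which is why the leading-bytes scan is kept as a second layer and why the response header is set regardless of what validation accepted.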

As a software developer, one way in which we promote our products is through affiliate marketing. Affiliate marketing is essentially a link exchange program in which the people who post links to your products (on their web sites, blogs, newsletters, etc.) get a commission on the sales generated from those links. In fact, you'll notice some of our own affiliate links on the left-hand side of this page under "Recommended Vendors". Of course, a software package tracks the affiliate traffic, and a very popular one is called iDevAffiliate.

While recently configuring and testing iDevAffiliate for this web site (details coming soon), we noticed something peculiar. When an affiliate signs up for an account, they must provide a username and password and often tax information such as an SSN (USA) or VAT number (Europe). In the case of iDevAffiliate, this sensitive password and tax information was being saved in plain text. Although this is not an inherent security risk, it does increase vendor liability dramatically should a database be compromised and the affiliate details stolen.
