#40571 Question on renewal

Posted in ‘Admin Tools for Joomla! 3’

Latest post by nicholas on Tuesday, 16 April 2024 02:09 CDT

theralph

I am semi-retired but still maintain a few dozen Joomla 3 websites. My subscription expires next month and I was wondering if there is still a good reason for me to renew if I am no longer using Joomla 4 or Joomla 5 and beyond.

Thanks for a great piece of software over the years and I will renew if necessary to keep my Joomla 3 sites working with Admin Tools.

nicholas
Akeeba Staff
Manager

To be honest, no, Admin Tools for Joomla! 3 is on security-only support and we haven't had a security issue reported in the past two years.

I would like to note, however, that Joomla! 3 is no longer a great fit for live sites. There are some minor security issues which are so far covered by Admin Tools. If there is a major security issue in the future this might not be the case.

Moreover, Joomla! 3 only supports PHP versions which are either end of life, or on their last legs (PHP 8.1 will become end of life in December). You have maybe 2-3 years before your host eventually drops support for these old versions of PHP, as they will be impossible to run in any supported Linux distribution.

These sites need to get upgraded, re-implemented, or retired. It's not a matter of whether, it's a matter of when. I don't want to freak you out, I want you to have that in mind so you know what's coming your way.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

theralph

Thanks for your honesty. I actually have 3 sites still running on Joomla 1.5, if you can believe it. I am running LiteSpeed instead of Apache and my host has thus far been very accommodating in letting me still run PHP 5.6 as long as I can keep the resources to a minimum. Who knows? At some point everything old becomes new again. :-)

nicholas
Akeeba Staff
Manager

Joomla! 1.5 has major security issues, one of which allows anyone to become a Super User, allowing complete takeover of the site 💀 This vulnerability has been known for the past decade.

The fact your Joomla! 1.5 sites have not been compromised yet means they do not do well at all in search rankings and probably don't have any traffic either. Anything that appears "on the radar" that runs something that old is definitely getting pwned within seconds of it coming to the attention of an attacker's bot.


theralph

Don't I know it! Here is one of my Joomla 1.5 sites. I wonder how hard it would be for you to own it? :-)

https://myfuneral.com

nicholas
Akeeba Staff
Manager

I am afraid I don't do offensive security anymore. I am on the blue team now. But if you insist, I can take you on a tour of how easy it is.

First, we do some simple recce. Do you have some kind of CDN or firewall in front?

$ dig myfuneral.com ns

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> myfuneral.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23199
;; flags: qr rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;myfuneral.com.                 IN      NS

;; ANSWER SECTION:
myfuneral.com.          0       IN      NS      lily.ns.cloudflare.com.
myfuneral.com.          0       IN      NS      mark.ns.cloudflare.com.

;; Query time: 0 msec
;; SERVER: 172.21.80.1#53(172.21.80.1) (UDP)
;; WHEN: Tue Apr 16 09:46:43 EEST 2024
;; MSG SIZE  rcvd: 116

Okay. You have Cloudflare, which knows and defends against the session unserialisation vulnerability in that old version of Joomla! I would use to pwn you. But, are you sure I cannot access your site directly? Using a historical DNS record service I can find your previous nameservers were ns1.mediausa.org and ns2.mediausa.org. Lo and behold, we now have the IP of your server.

$ dig myfuneral.com @ns1.mediausa.org

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> myfuneral.com @ns1.mediausa.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19513
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;myfuneral.com.                 IN      A

;; ANSWER SECTION:
myfuneral.com.          14400   IN      A       72.249.48.156

;; Query time: 149 msec
;; SERVER: 52.223.14.62#53(ns1.mediausa.org) (UDP)
;; WHEN: Tue Apr 16 09:50:54 EEST 2024
;; MSG SIZE  rcvd: 58

So now I add a line to my /etc/hosts file:

72.249.48.156 myfuneral.com www.myfuneral.com

Which means that I can now access your site bypassing Cloudflare and its protections.

I could now use the exploit to get a reverse shell on your server and pwn your site. I tried it and I do get a shell connection, but I would need to set up a VM with an older Ubuntu version and change a few network settings to make it fully interactive.

So, yup, once I knew that your site was a prime candidate it would take me about 2' to pwn you assuming I was prepared to pwn Joomla! 1.5 sites. It's not like Hollywood hacking (with the notable exception of Mr. Robot which is 80% accurate, the other 20% deliberately mucked around to protect the innocent and/or to make good pace for a TV script), but it's not hard at all. These old sites are pretty darned easy to exploit.

Note that I only went ahead with a single exploit and from a stock Ubuntu 22.04 installation. Things would've been easier were I using Kali with its wealth of pre-installed tools. I could have checked which extensions you have. Some old JCE versions had some interesting vulnerabilities. I could have used a brute-force script to get your password, or an SQL injection vulnerability in Joomla! 1.5 not covered by Admin Tools to get your hashed password and use hashcat with my GPU to crack it properly. But, as I said, I am not doing red teaming anymore. I also really don't have the time today since Joomla! 5.1 is about to drop and I have to get ready for it :)

If you want a more in-depth primer of how offensive security goes about old Joomla! versions I would recommend reading something like Attacking and Enumerating Joomla which gives a lot of pointers on what's available and where it fits.

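An added example, not part of the ticket thread: a site owner's audit for the exposure described in the last reply, where a former nameserver still publishes the origin's A record even though the live zone points at Cloudflare. The hostnames, the sample dig answers and the 203.0.113.10 address are constructed, and the Cloudflare IPv4 list is a snapshot that should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: refresh this list from that URL before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/16", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample: answers as `dig example.com A @<server>` prints them,
# keyed by the nameserver that was asked (current provider and a former one).
SAMPLE_ANSWERS = {
    "current-ns.example.net": """
;; ANSWER SECTION:
example.com.   300    IN  A  104.16.10.20
example.com.   300    IN  A  104.16.11.20
""",
    "old-ns.example.org": """
;; QUESTION SECTION:
;example.com.          IN  A
;; ANSWER SECTION:
example.com.   14400  IN  A  203.0.113.10
""",
}

def a_records(dig_text):
    """Return the IPv4 addresses from A records in dig answer text."""
    found = []
    for line in dig_text.splitlines():
        fields = line.split()
        # Record lines are: name ttl class type rdata. Lines starting ';' are comments.
        if len(fields) == 5 and not line.startswith(";") and fields[2:4] == ["IN", "A"]:
            found.append(ipaddress.ip_address(fields[4]))
    return found

def is_cdn_edge(ip):
    """True when the address belongs to one of the CDN's published ranges."""
    return any(ip in net for net in CLOUDFLARE_V4)

def exposed_origins(answers):
    """Map nameserver -> addresses it publishes that are not CDN edge addresses."""
    report = {}
    for server, text in answers.items():
        leaked = [str(ip) for ip in a_records(text) if not is_cdn_edge(ip)]
        if leaked:
            report[server] = leaked
    return report

if __name__ == "__main__":
    for server, ips in exposed_origins(SAMPLE_ANSWERS).items():
        print(f"{server} still publishes a non-CDN address: {', '.join(ips)}")
```

Any nameserver this reports needs its stale zone deleted at the old DNS provider, and the origin's firewall should accept HTTP(S) only from the CDN's ranges so that a leaked address alone does not bypass the WAF.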