Security advice regarding Contao themes
by Leo Feyer
The Contao theme manager not only lets you import and manage themes easily, but also exposes the system to attack because of the way a theme is structured. Therefore please read the following security advice before importing a Contao theme.
The basic problem
A theme typically consists of database entries and files from the upload and/or the templates directory. These files are uploaded to your server during the import of a theme and can possibly contain malicious code. Template files in particular are real PHP files with unrestricted access to all PHP functions and features!
Inspecting a theme
Although theme files have a .cto extension, they are in fact regular ZIP archives which you can download and extract on your local computer to inspect the files. Make sure that the upload directory (tl_files) does not contain any PHP files and check the contents of the template files if any.
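The inspection described above can be partly scripted. The following is an added example, not code from Contao or from this announcement: it opens a .cto file as a ZIP archive, flags anything under the upload directory that is PHP by extension or carries a PHP open tag in its content, lists every template for manual reading, and points the reviewer at templates that call functions rarely needed in a presentation template. The archive layout (files under tl_files/ and templates/), the extension list and the list of suspicious calls are assumptions chosen for the example; the sample archive is constructed inline. As the advisory says, no automatic check can replace reading the templates, so this only narrows down what to read first.

```python
import io
import os
import re
import zipfile

# Assumption: inside the .cto archive, uploaded files live under "tl_files/"
# and template files under "templates/" (the two directories the advisory names).
UPLOAD_PREFIX = "tl_files/"
TEMPLATE_PREFIX = "templates/"

# Extensions a web server will usually hand to the PHP interpreter (assumed list).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# A PHP open tag anywhere in an uploaded file: "logo.jpg" containing "<?php" is
# still PHP code if it is ever included or renamed.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Heuristic only: templates are PHP by design, so this merely points a human
# reviewer at calls that rarely belong in a presentation template.
SUSPICIOUS_CALLS = re.compile(
    rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open"
    rb"|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)


def inspect_theme(cto_bytes):
    """Return a dict describing what a reviewer should look at in a .cto archive."""
    report = {
        "php_in_upload": [],         # PHP (by name or content) under tl_files/; should be empty
        "templates": [],             # every template, for manual reading
        "suspicious_templates": [],  # templates matching the heuristic above
    }
    with zipfile.ZipFile(io.BytesIO(cto_bytes)) as archive:
        for entry in archive.infolist():
            if entry.is_dir():
                continue
            name = entry.filename
            data = archive.read(entry)
            if name.startswith(UPLOAD_PREFIX):
                ext = os.path.splitext(name)[1].lower()
                if ext in PHP_EXTENSIONS or PHP_OPEN_TAG.search(data):
                    report["php_in_upload"].append(name)
            elif name.startswith(TEMPLATE_PREFIX):
                report["templates"].append(name)
                if SUSPICIOUS_CALLS.search(data):
                    report["suspicious_templates"].append(name)
    return report


def theme_is_clean(report):
    """True when the automatic checks found nothing; the templates still need reading."""
    return not report["php_in_upload"] and not report["suspicious_templates"]


def build_sample_theme():
    """Constructed sample .cto (a plain ZIP archive) for demonstration, not a real theme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("theme.xml", "<theme><name>sample</name></theme>")
        archive.writestr("tl_files/sample/style.css", "body { margin: 0; }")
        archive.writestr("tl_files/sample/helper.php", "<?php echo 'hello'; ?>")  # PHP by extension
        archive.writestr("tl_files/sample/logo.jpg", b"\xff\xd8<?php echo 1; ?>")  # PHP inside an "image"
        archive.writestr("templates/fe_page.tpl", "<title><?php echo $this->title; ?></title>")
        archive.writestr("templates/mod_article.tpl", "<?php eval($this->payload); ?>")
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_theme(build_sample_theme())
    for key, names in result.items():
        print(key, names)
    print("clean:", theme_is_clean(result))
```

To check a downloaded theme, read the .cto file into bytes and pass it to inspect_theme; an empty php_in_upload list is the condition the advisory asks for, and the templates list is the reading list for the manual part of the review.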
To be on the safe side, we recommend only installing themes from trustworthy manufacturers, e.g. the Contao themes by iNet Robots, the themes offered during the "Free Themes Month" on contao.org and themes from the forums which provide a link to this security note and have been checked by other trustworthy users.
Attack from within
Besides the obvious attack from without, where a hacker tries to make you install a malicious theme, themes can also be used by allegedly trustworthy back end users to execute arbitrary PHP code and e.g. gain administrator privileges. Therefore be careful about whom you grant access to the themes module!
Suggestions for improvement
First let me say that this problem cannot be solved by excluding files and templates from the theme import. It should be obvious to everyone that those resources are tied to a theme and it is essential to be able to export and import them together with the database records. Also there is no way to inspect themes automatically, since the number of possible attacks is huge and the possibilities to disguise malicious code are almost unlimited. We therefore do not need to discuss this.
Apart from that, however, all ideas and suggestions that might improve the security of the theme importer are welcome. Please post your comments in the Contao forum, so we can discuss them with the community.
Addendum of July 17th, 2010
The problem described above is not at all limited to Contao themes. It also applies to third-party extensions and thus to all content management systems which provide an extension manager. In fact, it applies to every software download from the Internet and every e-mail attachment from an unknown sender. Whenever you import external files, be it in Contao, in another CMS or on your computer, you should check their content and the reliability of the creator.