Joomla Media Manager Attacks in the Wild

If you are using Joomla and didn’t update your site recently, you better stop doing whatever you are doing, and update it now. There is a very serious vulnerability in Joomla’s Media Manager component (included by default), that can allow malicious files to be uploaded to your site.

The only two safe versions of Joomla are 3.1.5 and 2.5.14. If you are not using either of them, you are at risk.

File Upload Vulnerability

The vulnerability is very simple to exploit and is caused by a validation error in the Media Manager component. It was supposed to only allow certain extensions to be uploaded, but if you append a dot at the end of the file name, it allows anything to be uploaded.

Joomla Image Uploader

The big danger is that it allows someone to upload a PHP file that is sent to the directory /images/stories/. For example, backdoor.php would end up at /images/stories/backdoor.php and the attacker can then execute that file as site.com/images/stories/backdoor.php.

So depending on what is uploaded, it can give the attacker full control of your site. Note that there are exploits for this vulnerability floating around, and even a Metasploit module for it, so it is a very simple exploit.

Attacks in the wild

Since this vulnerability was first disclosed, we’ve started to see a few entries in our Security Operation Center (SOC) looking to see if the com_media upload is enabled, and if the public article submission page was available. This is what those requests look like in our logs:

IP - - [DATE] "GET /index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext"
IP - - [DATE] "GET /index.php/submit-an-article"

For the last 2 days these reconnaissance requests are just increasing. We also found some attempts to compromise and upload a malicious shell script in one of our honeypots:

IPADDRESS - - [DATE] "POST /index.php?option=com_media&task=file.upload&tmpl=component..

Followed by a GET request on /images/stories/banner.php, the malicious file chosen by them.

So even though we are not seeing anything at a large scale, it is starting to pick up. Of you are a Joomla site owner, please do your part and update your site!

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid