• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Joomla Media Manager Attacks in the Wild

August 16, 2013Daniel Cid

FacebookTwitterSubscribe

If you are using Joomla and didn’t update your site recently, you better stop doing whatever you are doing, and update it now. There is a very serious vulnerability in Joomla’s Media Manager component (included by default), that can allow malicious files to be uploaded to your site.

The only two safe versions of Joomla are 3.1.5 and 2.5.14. If you are not using either of them, you are at risk.

File Upload Vulnerability

The vulnerability is very simple to exploit and is caused by a validation error in the Media Manager component. It was supposed to only allow certain extensions to be uploaded, but if you append a dot at the end of the file name, it allows anything to be uploaded.

Joomla Image Uploader

The big danger is that it allows someone to upload a PHP file that is sent to the directory /images/stories/. For example, backdoor.php would end up at /images/stories/backdoor.php and the attacker can then execute that file as site.com/images/stories/backdoor.php.

So depending on what is uploaded, it can give the attacker full control of your site. Note that there are exploits for this vulnerability floating around, and even a Metasploit module for it, so it is a very simple exploit.

Attacks in the wild

Since this vulnerability was first disclosed, we’ve started to see a few entries in our Security Operation Center (SOC) looking to see if the com_media upload is enabled, and if the public article submission page was available. This is what those requests look like in our logs:

IP - - [DATE] "GET /index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext"
IP - - [DATE] "GET /index.php/submit-an-article"

For the last 2 days these reconnaissance requests are just increasing. We also found some attempts to compromise and upload a malicious shell script in one of our honeypots:

IPADDRESS - - [DATE] "POST /index.php?option=com_media&task=file.upload&tmpl=component..

Followed by a GET request on /images/stories/banner.php, the malicious file chosen by them.

So even though we are not seeing anything at a large scale, it is starting to pick up. Of you are a Joomla site owner, please do your part and update your site!

FacebookTwitterSubscribe

Categories: Joomla Security, Vulnerability Disclosure

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Reader Interactions

Comments

  1. MyGreenHosting.com

    August 16, 2013

    Does this affect Joomla 1.5 and 1.0 sites too?

    • Daniel Cid

      August 16, 2013

      Nope, only Joomla 2.x and 3.x. However, sites running Joomla 1.5 and 1.0 have a lot more to worry about 🙂

      • Kenneth

        August 17, 2013

        Thanks for the post. We have a few customers still refusing to make the jump from their 1.5.x sites. It is near to impossible to protect the older versions. Glad folks like yourself are staying on top of the exploits.

        • Elin Waring

          August 24, 2013

          Actually we posted a fix for 1.5 in the 1.5 tracker even though it is past EOL.

          http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626&start=0

      • Spiral Scripts

        August 20, 2013

        Joomla 1.5 sites are affected too, there is a patch available here: http://joomlacode.org/gf/download/trackeritem/31626/83528/UploadFix15v3.zip

        I don’t know about 1.0, it may well be affected.

    • Pinkeltje

      August 20, 2013

      Yes it affects 1.5 sites! It’s true that you have a lot more to worry about, but a least install the latest patch: http://anything-digital.com/blog/security-updates/joomla-updates/joomla-15-security-patch-made-easy-to-install.html

  2. Abhishek

    August 16, 2013

    By disable the external curl script and having some restriction,is it possible to prevent it??

    • Para Friv

      September 11, 2013

      i agree with you.

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.