If you are using Joomla and didn’t update your site recently, you better stop doing whatever you are doing, and update it now. There is a very serious vulnerability in Joomla’s Media Manager component (included by default), that can allow malicious files to be uploaded to your site.
The only two safe versions of Joomla are 3.1.5 and 2.5.14. If you are not using either of them, you are at risk.
File Upload Vulnerability
The vulnerability is very simple to exploit and is caused by a validation error in the Media Manager component. It was supposed to only allow certain extensions to be uploaded, but if you append a dot at the end of the file name, it allows anything to be uploaded.
The big danger is that it allows someone to upload a PHP file that is sent to the directory /images/stories/. For example, backdoor.php would end up at /images/stories/backdoor.php and the attacker can then execute that file as site.com/images/stories/backdoor.php.
So depending on what is uploaded, it can give the attacker full control of your site. Note that there are exploits for this vulnerability floating around, and even a Metasploit module for it, so it is a very simple exploit.
Attacks in the wild
Since this vulnerability was first disclosed, we’ve started to see a few entries in our Security Operation Center (SOC) looking to see if the com_media upload is enabled, and if the public article submission page was available. This is what those requests look like in our logs:
IP - - [DATE] "GET /index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext" IP - - [DATE] "GET /index.php/submit-an-article"
For the last 2 days these reconnaissance requests are just increasing. We also found some attempts to compromise and upload a malicious shell script in one of our honeypots:
IPADDRESS - - [DATE] "POST /index.php?option=com_media&task=file.upload&tmpl=component..
Followed by a GET request on /images/stories/banner.php, the malicious file chosen by them.
So even though we are not seeing anything at a large scale, it is starting to pick up. Of you are a Joomla site owner, please do your part and update your site!
Sucuri Malware Research Team
Marc-Alexandre Montpas
John Castro
Antony Garand
Eugene Wozniak
Cesar Anjos
8 comments
Does this affect Joomla 1.5 and 1.0 sites too?
Nope, only Joomla 2.x and 3.x. However, sites running Joomla 1.5 and 1.0 have a lot more to worry about 🙂
Thanks for the post. We have a few customers still refusing to make the jump from their 1.5.x sites. It is near to impossible to protect the older versions. Glad folks like yourself are staying on top of the exploits.
Actually we posted a fix for 1.5 in the 1.5 tracker even though it is past EOL.
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626&start=0
Joomla 1.5 sites are affected too, there is a patch available here: http://joomlacode.org/gf/download/trackeritem/31626/83528/UploadFix15v3.zip
I don’t know about 1.0, it may well be affected.
Yes it affects 1.5 sites! It’s true that you have a lot more to worry about, but a least install the latest patch: http://anything-digital.com/blog/security-updates/joomla-updates/joomla-15-security-patch-made-easy-to-install.html
By disable the external curl script and having some restriction,is it possible to prevent it??
i agree with you.
Comments are closed.