CMS Security

Poison or Medicine: Joomla Shell Upload Vulnerability

February 7, 2018 by Agnes Talalaev

Joomla – a vulnerable veteran in the wild.

One of the most persistent types of attack in cyberspace involves unexpected input, that is, insufficient validation on the application side. Buffer overflows still let an arbitrary remote user inject their payload into the target's bloodstream like a pro. A more naïve variation is a beast from the past: a custom upload component that fails to validate input files, running on an improperly configured web server – a lethal combination just waiting to get exploited.


And Google is so kind that it makes sure everyone knows if someone is vulnerable – perhaps for a good reason, so that potential attackers can be profiled as well, already at the time they are doing recon on targets. Cyber War includes gaining full dominance, which includes owning the black markets and hackers alike, as well as the shady act of releasing exploits and vulnerabilities like cheese in a mousetrap – Cold War getting hot already.

Content Management Systems (CMSs) are still the flesh and bones of cyberspace. Who would not like to publish stuff and get things done as quickly as that? The selection of CMSs is rapidly evolving, even somewhat decaying, as web publishing has been rapidly moving on to platforms owned by the emerging powers, if not just the Five Eyes. Free hosting turned into free publishing, and why not, it is a win-win situation for most, at least on the surface. Both get what they want, but those who have less must give more.

Joomla was one of the pioneers of the popular CMS market. Born as Mambo ten years ago, Joomla has already been decaying for some years. Perhaps due to this decay, Joomla has become well known for its vulnerabilities. As modular software where anyone can add in modules, the attack surface is wide and deep.


The usual suspect: Arbitrary Upload Form

Already back in 2016, an infamous Joomla! module, com_media, was found to have a naïve upload vulnerability.

Developers are only human, and input validation can be a very laborious thing to do – creativity may not be on their side.

By reproducing one of the oldest vulnerabilities, the failure to validate uploaded files properly, Joomla's com_media brought back a piece of history or rolled back much of the future, whichever way one wants to see it.

Easily fixed, but until done so, this kind of vulnerability could be used by anyone to upload anything onto the server. Only the sky, disk space and operating system level protections are the limit – and the time before the admin of the server becomes aware of the situation and patches the beast.
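To make "validating uploaded files properly" concrete, here is a minimal server-side check, added as an illustration and not taken from Joomla or com_media. The images-only policy, the function names and the sample uploads are assumptions made for this example.

```python
import os
import secrets

# Assumed policy: images only. Each allowed extension maps to the
# magic bytes a genuine file of that type starts with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated filename, or raise ValueError."""
    # Ignore any directory part sent by the client (path traversal).
    base = os.path.basename(client_name.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem:
        raise ValueError("missing name or extension")
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    # The content must agree with the extension the client claims.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Never store under the client's name: "x.php.jpg" becomes "<random>.jpg".
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (not taken from any real incident).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("notes.php", b"plain text, not an image"),
    ("notes.php.jpg", b"plain text, not an image"),
    ("../../logo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]


def check_samples() -> dict:
    verdicts = {}
    for name, data in SAMPLES:
        try:
            validate_upload(name, data)
            verdicts[name] = "accepted"
        except ValueError as exc:
            verdicts[name] = f"rejected: {exc}"
    return verdicts
```

Calling `check_samples()` shows which of the constructed uploads pass. A check like this does not replace the web server side of the story: the upload directory should still be configured so that nothing stored in it is executed as a script.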

Vulnerability disguised under different name (com_weblinks != com_media)

In reality, even though the exploitation method and the public information about this vulnerability point fingers at com_weblinks, com_weblinks is not the one to blame. Instead, the issue comes from com_media and the fact that the website owners have misconfigured the whole site.

Intelligence gathering, voluntary leaks and fake exploits

Cyber War today is all about gaining a dominant position, or upholding the dominance already acquired. One of the most effective ways to enforce and claim that authority is to demonstrate power, to lay out traps and to “form the terrain”. In this game, vulnerabilities and shocking campaigns can be highly useful. With their relatively light potential impact, which is at least confined in nature, these sweets can act more as training components, as honey in the trap, cheese for the mice and beyond.

As such, Joomla and particularly the vulnerability of Joomla can be seen as poison as well as medicine at the same time. Like in the real world, destructive powers do also have healing characteristics. Fixing this particular vulnerability is a trivial thing, and any good operating system level protection would bring immunity in the first place. The reality in cyberspace is that one may not be “safe” at any time.

This is only because of the ongoing struggle for cyber-dominance, and vulnerability is the name of that game. Safety and its management must be the sole competence of the sovereign – what kind of sovereignty would that otherwise be? But now, for real, check your Joomla and patch whenever necessary!
