Joomla released earlier this month a security advisory for unauthorized uploads affecting Joomla! version 2.5.13 and earlier 2.5.x versions, and version 3.1.4 and earlier 3.x versions. Reports later emerged that the vulnerability had been exploited in the wild. According to Versafe, which reported and analyzed the in-the-wild attack, this vulnerability could result in a significant increase in hacked Joomla systems.

In summary, a vulnerability exists in the Media Manager component, part of the Joomla core, which allows the user to upload files, such as images, to the application. The problem lies in the validation of the uploaded file's extension, where the filters could be bypassed just by appending a "." (dot) to the end of the filename.

If the reader is interested in more details, a tweet from webDEViL was published identifying the patch and the potential vulnerability:

Also, the vulnerability analysis, explaining the problem with the validation applied, has been published. For the lazier, we've highlighted the conclusions :-):

As a result, by using this vulnerability, files with names like shellcode.php. (note the trailing dot!) can be uploaded to the Joomla web application path (folder), which otherwise wouldn't be possible. The bad news is that Apache will deal with the file as PHP, since the empty extension isn't (probably) a MIME type known by the web server. This combination results in remote, arbitrary PHP code execution.
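To make the trailing-dot problem concrete, here is an added example (not Joomla's code and not from the original post) that contrasts an assumed, simplified last-extension filter with a stricter check, and uses both to audit a file listing. The extension lists and sample names are constructed, and rejecting a blocked extension anywhere in the name goes slightly beyond the case described above.

```python
import os

ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}    # constructed allow-list
BLOCKED = {"php", "phtml", "php5", "phar"}        # constructed deny-list

# Constructed sample listing of an upload folder.
SAMPLE = ["photo.jpg", "shellcode.php.", "shellcode.php",
          "report.pdf", "notes.php.jpg", "README"]


def last_extension(name):
    """Text after the final dot; '' if there is no dot or the name ends in one."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def naive_check(name):
    """Assumed simplified filter: reject only if the last extension is blocked.
    'shellcode.php.' yields the empty extension, which is never in BLOCKED."""
    return last_extension(name) not in BLOCKED


def hardened_check(name):
    """Accept only plain filenames with a non-empty, allow-listed final
    extension and no blocked extension in any position."""
    base = os.path.basename(name.replace("\\", "/"))
    if base != name or "\x00" in name:
        return False                      # path components or NUL byte
    if base.rstrip(". ") != base:
        return False                      # trailing dots or spaces
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False                      # no extension, or dotfile
    if parts[-1] not in ALLOWED:
        return False                      # empty or unknown final extension
    return not any(p in BLOCKED for p in parts[1:])


def audit(names):
    """Names the naive filter accepts but the hardened one rejects;
    these are worth reviewing in an existing upload directory."""
    return [n for n in names if naive_check(n) and not hardened_check(n)]


if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n!r:20} naive={naive_check(n)!s:5} hardened={hardened_check(n)}")
    print("review:", audit(SAMPLE))
```

Running `audit` over a real listing of the media folder (for example, the names returned by `os.listdir`) gives a quick list of files that an extension-only filter would have let through.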

Inspecting the Joomla application a little more, there are two (easy to find) places where the Media Manager component is used:

  • On the Administrator Panel: but yeah, access to the admin panel is necessary, which doesn't look like the best option for exploitability. Even when it's vulnerable to the described arbitrary file upload!

  • From the "Submit Article" (content creation) feature, when attaching, for example, an image to the content:

This path looks more interesting for an exploit, since only permission to create content is needed in order to access the exploitable function. This permission is granted by default to some roles like Authors or Editors, but is also granted to Public (anonymous) roles on several sites:

So far so good: the information reviewed is enough to build a Metasploit module in order to check a Joomla site:

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.