Joomla patches file manager vulnerability responsible for hijacked websites

Joomla has released a patch that addresses a critical vulnerability in its blogging and CMS platform which, if exploited, allows an attacker to bypass file-type upload restrictions. The flaw has been linked to several site compromises, as well as malware distribution and phishing campaigns.

Right around the time researchers were following the chaos created by the Fort Disco botnet, Joomla (one of the largest blogging platforms on the Web) patched a completely separate flaw, which placed millions of websites at risk.

The problem was disclosed to them by Versafe, an Israeli security firm that focuses on Web-based threats and malware, after they noticed a sharp increase in the number of phishing and malware-based attacks targeting their customers.

"What brought this vulnerability to our attention was that we noticed a sharp increase in the number of phishing and malware attacks being hosted from legitimate Joomla-based sites," said Eyal Gruner, CEO of Versafe.

"The series of attacks exploiting this vulnerability were particularly aggressive and widespread," he added.

Further, Gruner said that more than 50 percent of the attacks targeting their customers in the Europe, Middle East and Africa (EMEA) region leveraged the recently patched flaw, and "were successful in infecting a great many unsuspecting visitors to genuine websites."

As mentioned last week, Arbor Networks, as well as other security firms, have been tracking a botnet called Fort Disco. The campaign is actually launched client-side and targets Joomla and WordPress installations protected by weak passwords. The attacks are believed to be ongoing, and an investigation by CSO uncovered a hit-list of more than 400,000 domains.

The campaign uncovered by Versafe is different, but serves as another example of criminals targeting vulnerable platforms in order to leverage the legitimacy of a given domain.

Earlier this month, Trend Micro discussed the existence of the Stealrat botnet, which pushes spam and malware by compromising domains running WordPress and Joomla. According to Trend, more than 195,000 domains have been compromised as part of this attack.

The flaw patched by Joomla, which impacts all installations prior to versions 3.1.5 and 2.5.14, concerns the platform's media manager and an attacker's ability to upload file types that are supposed to be blocked.

For example, malicious_shell.php would normally be blocked, but if the attacker uploaded malicious_shell.php. (adding a period to the end of the filename itself), Joomla failed to prevent the upload.
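The trailing-period trick works against any upload filter that inspects only the text after the final dot of the raw filename. The following is an added illustration, not Joomla's code or its actual extension lists: a naive denylist check of that kind placed beside a hardened check that canonicalizes the name first (strips trailing dots and whitespace, drops directory components) and then applies an allowlist to every dotted segment. The extension sets and filenames are constructed for the example.

```python
import os
import re

# Constructed denylist of script extensions an upload handler would refuse.
# This is illustrative, not Joomla's real configuration.
BLOCKED_EXTENSIONS = {
    "php", "phtml", "php3", "php5", "phar", "pl", "py", "cgi", "asp", "aspx", "jsp", "sh",
}
# Constructed allowlist for an image-only media upload endpoint.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def weak_check(filename: str) -> bool:
    """Naive denylist: look only at the text after the last dot of the raw name.

    For 'malicious_shell.php.' os.path.splitext returns ('malicious_shell.php', '.'),
    so the extension examined is the empty string, which is not on the denylist,
    and the upload is wrongly accepted.
    """
    _, ext = os.path.splitext(filename)
    return ext.lower().lstrip(".") not in BLOCKED_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Canonicalize the name before making any extension decision.

    Drops directory components (either separator), removes control characters,
    and strips trailing dots and whitespace, which some filesystems and servers
    silently ignore when the file is later stored or served.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    return name.rstrip(". \t")


def hardened_check(filename: str) -> bool:
    """Allowlist on the normalized name, inspecting every dotted segment.

    Rejects: names with no extension at all, names where any segment after the
    base name is a blocked script extension (e.g. 'shell.php.jpg'), and names
    whose final segment is not an allowed media type.
    """
    name = normalize_filename(filename)
    if not name or "." not in name:
        return False
    segments = name.lower().split(".")
    if any(seg in BLOCKED_EXTENSIONS for seg in segments[1:]):
        return False
    return segments[-1] in ALLOWED_EXTENSIONS


def compare(filename: str) -> dict:
    """Return both verdicts for one filename so the gap between them is visible."""
    return {"name": filename, "weak": weak_check(filename), "hardened": hardened_check(filename)}


if __name__ == "__main__":
    # Constructed sample uploads: the article's trailing-period case plus a few
    # neighbours a reviewer would want to see handled.
    for candidate in ["photo.jpg", "malicious_shell.php", "malicious_shell.php.",
                      "shell.php.jpg", "../../avatar.png", "README"]:
        print(compare(candidate))
```

The weak check accepts `malicious_shell.php.` because the denylist never sees the `php` segment; the hardened check strips the trailing period first, finds `php` among the segments and refuses it. Using an allowlist rather than a denylist also means an unfamiliar or misspelled script extension is rejected by default.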

As a result, the compromised domains were used to host the Blackhole Exploit Kit, as well as to push phishing attacks in order to draw traffic to the domain. According to Versafe, the attackers used IP addresses from China, and automated much of the process using bots.

Given that the vulnerability impacts the entire install base, the number of abandoned installations online means that web hosts and small businesses are at risk if they haven't disabled the domains hosting unpatched installations. With that in mind, Joomla has flagged this patch as critical and is urging users to upgrade to the latest version as soon as possible.

Stories by Steve Ragan