If you run a site powered by the Joomla content management system and haven’t yet applied a critical update for this software released less than two weeks ago, please take a moment to do that: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors.

The patch released on July 31, 2013 applies to Joomla 2.5.13 and earlier 2.5.x versions, as well as Joomla 3.1.4 and earlier 3.x versions. Joomla credits discovery of the bug to Web security firm Versafe, which says a simple exploit targeting the vulnerability is already in use. Joomla versions 2.5.14 and 3.1.5 fix a serious bug that allows unprivileged users to upload arbitrary .PHP files just by adding a “.” (period) to the end of PHP filenames.

For 2.5.x and 3.x versions of Joomla, it is possible for anyone with access to the media manager to upload and execute arbitrary code simply by appending a period to the end of the file name they would like to run. For sites powered by unsupported versions of Joomla (1.5.x, and a cursory Google search indicates that there are tens of thousands of these 1.5.x sites currently online), attackers do not even need to have an account on the Joomla server for this hack to work.
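The flaw described above belongs to a well-known class: an upload filter that judges a file by the text after its last period, so a trailing period leaves nothing for the filter to match. The example below is added here and is not Joomla's own code; the `weak_check` denylist and the `hardened_check` allowlist are constructed to show the weak pattern beside a check that normalizes the name before deciding.

```python
import re

# Constructed lists: extensions a server would execute, and what a media
# manager should actually accept. Neither is taken from Joomla's source.
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar"}
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}


def extension_after_last_dot(name: str) -> str:
    """Return the text after the final '.', lower-cased ('' if none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def weak_check(name: str) -> bool:
    """Denylist on the last extension only (the weak pattern).

    'shell.php.' has an empty last extension, so it is not in EXECUTABLE
    and the check passes, even though the stored file is still PHP.
    """
    return extension_after_last_dot(name) not in EXECUTABLE


def hardened_check(name: str) -> bool:
    """Normalize first, then allow-list, then reject executables anywhere.

    Rejects a trailing '.', trailing whitespace, path separators, double
    extensions such as 'a.php.jpg', and any characters outside a strict
    set (spaces in names are therefore rejected too).
    """
    # Strip any path and the trailing dots/spaces some filesystems discard.
    base = re.split(r"[\\/]", name)[-1].rstrip(". \t")
    if not base or base != name:      # anything that needed normalizing
        return False
    parts = base.lower().split(".")
    if len(parts) < 2:                 # no extension at all
        return False
    if not all(re.fullmatch(r"[a-z0-9_-]+", p) for p in parts):
        return False
    if any(p in EXECUTABLE for p in parts[1:]):   # e.g. a.php.jpg
        return False
    return parts[-1] in ALLOWED
```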

According to Versafe chief executive and co-founder Eyal Gruner, of the thousands of phishing and malware attacks against the company’s 30+ EMEA financial clients in the first half of 2013, 57 percent were hosted on Joomla-based websites.

“What we’ve seen in the last few months is a significant exploit whereby fraudsters can use sites to host drive-bys and phishing attacks,” Gruner said. He noted that the company found more than 100 Web sites that appeared to have been hacked with this exploit, all hosting malicious JavaScript components that were being used by banking Trojans to help automate online account fraud. Gruner said his company notified Joomla about the exploit in early June.

Such a simple attack on such a widely-deployed content management system could be a potent weapon in the hands of crooks who specialize in building Web site botnets. Earlier this month, security firm Arbor Networks warned that it was tracking a Web site botnet dubbed “Fort Disco” which was made up of hacked Joomla and WordPress sites. Earlier in the year, Web site security firm Incapsula said it had tracked more than 90,000 Web sites powered by WordPress that were backdoored with malicious code.


Simple hack threatens Joomla sites