Patch release addresses flaw linked to several compromises, as well as malware distribution and phishing campaigns, on other sites

Joomla has released a patch that addresses a critical vulnerability in its CMS platform which, if exploited, allows an attacker to bypass file-type upload restrictions. The flaw has been linked to several site compromises, as well as malware distribution and phishing campaigns.

Right around the time researchers were following the chaos created by the Fort Disco botnet, Joomla (one of the most widely deployed content management systems on the Web) patched a completely separate flaw, which placed millions of websites at risk.

The problem was disclosed to the Joomla project by Versafe, an Israeli security firm that focuses on Web-based threats and malware, after the firm noticed a sharp increase in the number of phishing and malware-based attacks targeting its customers.

“What brought this vulnerability to our attention was that we noticed a sharp increase in the number of phishing and malware attacks being hosted from legitimate Joomla-based sites,” said Eyal Gruner, CEO of Versafe. “The series of attacks exploiting this vulnerability were particularly aggressive and widespread,” he added.

Further, Gruner said that more than 50 percent of the attacks targeting Versafe's customers in the Europe, Middle East and Africa (EMEA) region leveraged the recently patched flaw, and “were successful in infecting a great many unsuspecting visitors to genuine websites.”

As mentioned last week, Arbor Networks, as well as other security firms, have been tracking a botnet called Fort Disco. That campaign is launched from infected client machines and targets Joomla and WordPress installations protected by weak passwords.
The attacks are believed to be ongoing, and an investigation by CSO uncovered a hit-list of more than 400,000 domains.

The campaign uncovered by Versafe is different, but serves as another example of criminals targeting vulnerable platforms in order to leverage the legitimacy of a given domain.

Earlier this month, Trend Micro discussed the existence of the Stealrat botnet, which pushes spam and malware by compromising domains running WordPress and Joomla. According to Trend, more than 195,000 domains have been compromised as part of this attack.

The flaw patched by Joomla, which impacts all installations prior to versions 3.1.5 and 2.5.14, deals with the platform's media manager and an attacker's ability to upload restricted files.

For example, a file named malicious_shell.php would normally be blocked, but if the attacker instead uploaded malicious_shell.php. (the same name with a period appended to the end), Joomla failed to prevent the upload.

As a result, the compromised domains were used to host the Blackhole exploit kit, as well as to serve phishing pages in order to draw traffic to the domain. According to Versafe, the attackers used IP addresses from China and automated much of the process using bots.

Given that the vulnerability impacts the entire install base, the number of abandoned installations online means that web hosts and small businesses are at risk if they haven't disabled the domains hosting unpatched installations. With that in mind, Joomla has flagged this patch as critical and is urging users to upgrade to the latest version as soon as possible.
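The trailing-period trick above is a general failure pattern in upload filters: the extension check runs against the raw client-supplied name, and a later sanitizing step (or the filesystem itself) strips the trailing period, so the file that lands on disk has an extension the check never saw. The following is an added illustration written for this article, not Joomla's source code. It assumes a blocklist-based check that reads the extension as "whatever follows the last period" and a sanitizer that drops trailing periods and spaces before the file is saved; the extension lists are constructed for the demo.

```python
"""Model of a trailing-period extension bypass and a hardened check.

Illustrative code, not Joomla's implementation. Assumed vulnerable flow:
  1. read the extension of the raw filename and compare it to a blocklist,
  2. sanitize the name (strip trailing '.' and ' '),
  3. store the file under the sanitized name.
Step 1 sees '' for 'shell.php.', step 2 turns it back into 'shell.php'.
"""
from __future__ import annotations

import os

# Constructed lists for the demo; a real platform's lists will differ.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "inc"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def naive_extension(filename: str) -> str:
    """Extension as 'text after the last period'. For 'shell.php.' this is ''."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[-1].lower()


def make_safe(filename: str) -> str:
    """Assumed sanitizer: drop directory parts, trailing periods and spaces."""
    return os.path.basename(filename).rstrip(". ")


def vulnerable_upload(filename: str) -> tuple[bool, str | None]:
    """Check first, sanitize afterwards: the ordering that opens the hole.

    Returns (accepted, name_stored_on_disk).
    """
    if naive_extension(filename) in BLOCKED_EXTENSIONS:
        return False, None
    # 'shell.php.' and 'shell.php ' both pass the check and are stored as 'shell.php'.
    return True, make_safe(filename)


def hardened_upload(filename: str) -> tuple[bool, str | None]:
    """Sanitize first, then allowlist every extension segment of the stored name.

    Validating the exact name that will be written means no later transformation
    can change what the check saw. Requiring every segment after the base name
    to be allowlisted also rejects double extensions such as 'shell.php.jpg'.
    """
    stored = make_safe(filename)
    parts = stored.split(".")
    if len(parts) < 2 or any(not part for part in parts):
        return False, None  # no extension, dot-file such as '.htaccess', or empty segment
    if any(seg.lower() not in ALLOWED_EXTENSIONS for seg in parts[1:]):
        return False, None  # 'php' (any case) is simply not on the allowlist
    return True, stored


if __name__ == "__main__":
    # Constructed sample uploads, including the bypass variants.
    for name in ["photo.jpg", "shell.php", "shell.php.", "shell.php ", "shell.php.jpg", ".htaccess"]:
        print(f"{name!r:18} vulnerable={vulnerable_upload(name)}  hardened={hardened_upload(name)}")
```

Two properties of the hardened version matter more than the particular lists: the name that is validated is the name that is stored, and the decision is an allowlist over every extension segment rather than a blocklist over the last one, so neither a trailing period, a trailing space, a case change nor a second extension changes the outcome.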