Joomla’s Security State: WordPress Is Not Alone

Aug 20, 2013 By carolineb

Two months ago Checkmarx published research revealing the security state of WordPress’s 50 top plugins. Now another CMS joins the list, and this time it’s Joomla: a simple vulnerability was exploited to infect thousands of websites with malware.

The sites were hacked to serve up the prevalent Blackhole exploit kit, which in turn infected users’ systems with banking Trojans.

The vulnerability was uncovered after Versafe investigated a spike in Joomla compromises that its clients saw in the first half of 2013, which strongly suggested a fresh flaw in the CMS platform was being “more readily exploited”.

Versafe found that, on Joomla 2.5.x and 3.x, anyone with access to the CMS’s media manager could upload and execute arbitrary code simply by adding a full stop (“.”) to the end of a PHP file’s name. On sites running unsupported Joomla 1.5.x versions, attackers did not even need an account on the Joomla server to gain access.
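To make the trailing-dot problem concrete from a defender’s side, here is an added illustration (not Joomla’s own code) of an upload check that validates the extension before normalising the file name, next to a hardened version that normalises first and then applies an allowlist. The block lists and the `make_safe()` sanitiser are assumptions for the example.

```python
import os
import re

# Assumed lists for the example; a real deployment should use its own policy.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar", "pl", "py", "cgi"}


def naive_extension(filename):
    """Extension as a naive check sees it: the text after the last dot.
    'shell.php.' yields '' because the last dot is the final character."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def make_safe(filename):
    """Hypothetical sanitiser modelled on the common 'strip trailing dots
    and spaces' normalisation applied before a file is written to disk."""
    return os.path.basename(filename).rstrip(". ")


def vulnerable_upload_check(filename):
    """Validate first, normalise afterwards: the ordering that lets a
    trailing dot through. Returns the name written to disk, or None."""
    if naive_extension(filename) in BLOCKED_EXTENSIONS:
        return None
    return make_safe(filename)  # 'shell.php.' becomes 'shell.php' on disk


def hardened_upload_check(filename):
    """Normalise first, then allowlist the final extension and reject any
    executable extension anywhere in the name (e.g. 'x.php.jpg')."""
    safe = make_safe(filename)
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", safe):
        return None
    parts = safe.lower().split(".")
    if any(p in BLOCKED_EXTENSIONS for p in parts[1:]):
        return None
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return None
    return safe
```

The key defensive point is ordering: any check performed on a name that a later step rewrites is a check on the wrong value.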

“They could simply go to a Joomla site, and upload the shell and malicious files without permissions access of any kind to the admin,” VP of business development at Versafe, Jens Hinrichsen, told TechWeekEurope.

“Attackers were running automated scripts to register an additional user on thousands of existing, exploitable sites running on 1.5.x.

Since no permissions were required to instantiate a profile (on a pre-existing site), the attackers were uploading the PHP shell and malicious code as their avatar/profile picture, for instance.

“For newer versions, 2.5.x and 3.2.x, attackers needed to obtain just low-level media manager rights in order to exploit the same flaw (via brute force, spear phishing, etc.).”

Joomla patched the flaw over a month after being notified. Users have been urged to update their Joomla platforms.

But many users will already have visited infected sites and had the Blackhole exploit kit search for ways to infect their machines with malware, the security company said.

“The attackers were able to gain rapid access to thousands of vulnerable sites, enabling hosting of the Blackhole drive-by malware payload that infected users, as well as use the compromised systems to host phishing attacks,” Hinrichsen added. “Truly a multi-stage, multi-pronged attack.”

Versafe’s investigation led it to believe a single hacker based in China was exploiting the flaw at scale, but it could not offer more details on the attacker.

“The series of attacks exploiting this vulnerability were particularly aggressive and widespread – involved in over 50 percent of the attacks targeting our clients and others in EMEA – and ultimately successful in infecting a great many unsuspecting visitors to genuine websites,” added Eyal Gruner, CEO of Versafe.

Attackers are stepping up their campaigns against CMS platforms. Earlier this month, Arbor Networks reported on the 25,000-machine Fort Disco botnet, which was being used to brute-force Joomla and WordPress installations.

Trend Micro has also warned that thousands of compromised sites running WordPress, Drupal and Joomla were being used as part of a spamming botnet called StealRat.


  • When a popular application is compromised, hundreds, if not thousands, of sites are at risk. That’s how hackers work smarter and not harder! Why go after thousands of websites individually when you can target one application and call it a day?

  • Elin:

    The Joomla 1.5 exploit requires that the user have administrator permissions unless a site administrator consciously sets lower permissions. I’m not sure where this statement is coming from. Joomla 1.5 does not have avatars as part of the core, nor does any version of Joomla, so this information seems quite confused. Who from the Joomla project did you confirm this information with when you did fact checking on the press release?
