Header
 
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Hardware Internet Linux Nagios/Monitoring Personal PHP Proxy Shell VMware Windows Wyse

Joomla CMS hacks by using vulnerability in com_fabrik

This month I've already had two cases where a Joomla website has been attacked and hacked. 

A security vulnerability was used to upload a PHP shell, which then was used to upload complete fake websites. These fake websites turned then out to be Phishing websites (what else...).

Paypal Phishing Website uploaded through vulnerability This PayPal Phishing website has been uploaded through a PHP shell which itself was uploaded through a vulnerability in the Joomla module com_fabrik

But how did the hacker upload the PHP shell?

After checking and comparing both hack attempts two conclusions could be made:
- The hack-attack was automated, both logs showed the EXACT same way of uploading the PHP shell, just from different IP addresses.
- The vulnerability must come from a module called com_fabrik which allows to upload CSV files. A forged CSV file must have been uploaded or the upload form was 'tricked' to upload a non-csv file.

Here some lines from the log:

41.233.160.99 - - [02/Jan/2012:01:27:31 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1 HTTP/1.1" 200 9297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:27:50 +0100] "POST /index.php?option=com_fabrik HTTP/1.1" 303 - "http://www.example.com/index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:27:56 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=1&Itemid=0 HTTP/1.1" 200 9557 "http://www.example.com/index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:28:03 +0100] "GET /media/ASS.php HTTP/1.1" 401 54 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

After a quick research, this vulnerability seems to be the one described in the vulnerability report #342 of 2011-11-26: Joomla com_fabrik - Remote File Upload Vulnerability. But what is even more intriguing is the fact, that there have been other exploits before and there will probably be others in the future.

On the developer website (www.fabrikar.com) the latest version mentioned on the blog is 2.1 and and mentions important security fixes - but that post was in July 2011.
On the download page several versions exist (3.0.3 from January 25th 2012 and 2.1.1 from September 26th 2011). Unfortunately there is no Changelog attached, so it is not known whether this particular vulnerability has been fixed or not.

My advise: Don't use this module. It seems to be too insecure for production environments.

Update February 5th 2012:
As one can see in the comments of this post, I was contacted by a developer of com_fabrik. The security hole I was writing about was fixed in version 2.1.1. In the other version, 3.x, this vulnerability never existed. Joomla users, which use com_fabrik, are strongly encouraged to update com_fabrik as soon as possible! It seems that since Joomla 2.5 the plugins like com_fabrik can be updated automatically, without having to download and update files manually.

  
Thursday - Jan 26th 2012 - 3.58 pm (+0100) - Switzerland - (4 comments)

 

Add a comment

Show form to leave a comment

Comments (newest first):

Claudio from Switzerland wrote on Feb 4th, 2012:
That already sounds much better. Problem though: Users, who got Joomla installed, usually don't care about updates. For them it's a "once installed, then it runs" installation. That's the problem with CMS systems and users. Administrators follow such security advices, (web-) users don't. But it's good to know that this has been improved. I'll update my post about the security fix and the possibility (since Joomla 2.5) for automatic updates.
Hugh Messenger wrote on Feb 4th, 2012:
To quote from our exchange on Google+ just now:

The latest version of Joomla (2.5) implements one-click upgrading of plugins, and we supported that from the get go, as of our 3.0.3 release (when Joomla updated from 1.7 to 2.5). The admin is shown a list of any plugins for which there are upgrades available, and simply has to accept them with a single click.

For a variety of reasons, this is not possible prior to Joomla 2.5 (or the interim, short-life 1.7), so the Joomla 1.5 / Fabrik 2.x series will not be able to support automated updates. Which is why we strongly encourage our users to keep their email address with us up to date, so we can let them know whenever there are critical updates available.


Providing an fully automatic update service is not practical with Fabrik, as Fabrik itself is an "application builder", not a one-purpose plugin. So the admin needs to be aware of what parts of Fabrik have been updated, and any potential impact on his/her specific application, before they update.
Claudio from Switzerland wrote on Feb 4th, 2012:
Hello Hugh,
I appreciate your comment! Thanks for sharing this information. As I'm not a Joomla professional, is it possible to update automatically the module com_fabrik? Many users, like in this described hack-case, aren't professionals and don't know how to unpack and upload zip files. In Wordpress for example, installed plugins and themes can be upgraded by just clicking on a link. It would be a great security enhancement if that were the case, not only with com_fabrik but with every module.
If there is an automatic update possibility, can it be launched via cronjob or similar?
Hugh Messenger wrote on Feb 4th, 2012:
Hi,

I\'m one of the authors of Fabrik. Just wanted to let you know this security hole was fixed in our 2.1.1 release in Sept 2011, and has never affected any of the 3.x releases. We publicized the fix, and the urgency of the need to update, as widely as we could, including mailing all our registered users.

Anyone unsure as to what version they are running or having issues upgrading should visit our forums at the website on this comment, and we\'ll be glad to assist them.

If anyone running 2.1.1 or greater still thinks they have been hacked, we urge them to let us know on our forums, or email me directly at the address below, and we\'ll investigate immediately.

-- hugh
--
Hugh Messenger
hugh.messenger@gmail.com
Go to Homepage home RSS Feed
About ck about
Linux Howtos how to's
Nagios Plugins nagios plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

9463 Days
until Death of Computers
Why?

© 2008-2012 Claudio Kuenzler. site accessible through claudiokuenzler.com and napsty.de. Hosted by Nova Hosting.