Simple Hack Threatens Outdated Joomla Sites

If your website runs on the Joomla content management system and you have not yet installed the critical update released less than two weeks ago, do so immediately. A simple exploit lets users inject harmful content into your site, turning it into a platform for phishing and malware. The patch, released on July 31, 2013, applies to Joomla 2.5.13 and earlier 2.5.x versions, as well as Joomla 3.1.4 and earlier 3.x versions. The bug was discovered by Web security firm Versafe, which reports that attackers are already using a straightforward exploit against it. Joomla versions 2.5.14 and 3.1.5 fix a further bug that allows users without sufficient privileges to upload arbitrary .PHP files to a Joomla site simply by adding a period to the end of the PHP filename.

For Joomla versions 2.5.x and 3.x, anyone with access to the media manager can upload and run arbitrary code simply by appending a period to the file name. For sites running the unsupported 1.5.x branch (of which there are apparently tens of thousands online), attackers do not even need an account on the Joomla server for the hack to work.
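To see why a trailing period defeats a naive upload filter, here is an added example (constructed for this article, not Joomla's own code): a deny-list check that looks only at the text after the last dot treats `shell.php.` as having no extension at all, while a hardened check normalizes the name first, strips trailing dots and whitespace, and then requires exactly one extension from an allowlist. The extension sets and sample filenames are constructed assumptions, not values taken from the Joomla patch.

```python
import os
import re

# Constructed allowlist for a media (image) upload endpoint.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Constructed deny list of server-side script extensions.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phps", "phar"}


def naive_is_allowed(filename: str) -> bool:
    """Flawed check: inspects only the text after the last '.'.

    'shell.php.' has an empty final segment, which is not on the deny
    list, so the name passes. Filesystems that drop trailing dots (NTFS)
    or servers that match handlers on any dotted segment then treat the
    stored file as PHP.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check that normalizes before deciding.

    Steps: keep only the basename, strip trailing dots/whitespace that
    some filesystems ignore, require exactly one extension from the
    allowlist, and restrict the stem to a safe character set.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    name = name.rstrip(". \t\r\n")
    parts = name.lower().split(".")
    if len(parts) != 2:
        # Rejects both 'noext' and double extensions like 'x.php.jpg'.
        return False
    stem, ext = parts
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    return re.fullmatch(r"[a-z0-9_-]+", stem) is not None


# Constructed sample filenames exercising the edge cases.
SAMPLE_FILENAMES = [
    "photo.jpg",
    "shell.php",
    "shell.php.",      # the trailing-period trick described in the article
    "shell.php.jpg",   # double extension
    "../photo.png",    # path traversal attempt in the name
]


def check_samples() -> dict:
    """Return {filename: (naive_result, hardened_result)} for the samples."""
    return {
        name: (naive_is_allowed(name), hardened_is_allowed(name))
        for name in SAMPLE_FILENAMES
    }


if __name__ == "__main__":
    for name, (naive, hardened) in check_samples().items():
        print(f"{name!r:18} naive={naive!s:5} hardened={hardened}")
```

The naive filter accepts `shell.php.` and `shell.php.jpg`; the hardened one rejects both while still accepting `photo.jpg`. Validating the *stored* name after normalization, rather than the name the client supplied, is the property that matters.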

According to Versafe CEO and co-founder Eyal Gruner, more than half of the phishing and malware attacks against the company's 30+ EMEA financial clients in H1 2013 were hosted on Joomla-based websites. Gruner reported that the company identified more than 100 websites hacked with this exploit, all hosting malicious JavaScript components that banking Trojans were using to facilitate online account fraud. The company informed Joomla about the exploit in early June.


Given the widespread deployment of this content management system, such a simple attack could become a powerful weapon for criminals specializing in building website botnets. Security firms like Arbor Networks have recently issued warnings about Fort Disco, a website botnet made up of hacked Joomla and WordPress sites. Incapsula, a website security firm, also reported earlier this year that over 90,000 WordPress-powered sites were backdoored with malicious code.