Joomla! Content Management System (CMS) is prone to a vulnerability that could allow an attacker to upload arbitrary files, which could completely compromise the website running the Joomla! CMS. Joomla! is an open source content management system for websites. Successful exploitation could allow an attacker to control the web server; view, change, or delete data; and perform a defacement.
- Joomla! version 2.5.13 and earlier 2.5x versions
- Joomla! version 3.1.4 and earlier 3.x versions
Joomla! Content Management System (CMS) is prone to a vulnerability that allows attackers to upload arbitrary files, bypassing file type upload restrictions. This is due to a failure to properly validate '.php' file extensions on uploaded files.
Specifically, this issue affects the administrator/components/com_media/helpers/media.php script.
The 'media.php' page is used for managing media files or folders.
An attacker can exploit this vulnerability by uploading a specially crafted file to the web server through the vulnerable application. Successful exploitation could allow an attacker to control the web server; view, change, or delete data; and perform a defacement.
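The advisory describes an extension check that can be bypassed. The following is an added example, not Joomla's own code or the patched media.php, showing how an upload filename check should be written defensively: an allowlist of permitted extensions rather than a denylist, every extension segment of a composite name inspected, and trailing dots or whitespace rejected because some filesystems silently strip them. The allowlist, the executable-extension list and the sample filenames are assumptions chosen for illustration.

```php
<?php
// Added example (not Joomla's own code): allowlist-based upload filename check.
// ALLOWED_EXTENSIONS, EXECUTABLE_EXTENSIONS and $samples are assumed/constructed.

declare(strict_types=1);

/** Extensions this site chooses to accept (assumed allowlist). */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/** Extensions a typical web server may execute; never accepted in any segment. */
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'htaccess'];

/**
 * Decide whether an uploaded filename is acceptable.
 * Returns null when the name passes, or a short reason string when it is rejected.
 */
function checkUploadFilename(string $name): ?string
{
    // Keep only the base name so directory components never reach the filesystem.
    $base = basename(str_replace('\\', '/', $name));

    // Trailing dots and whitespace are dropped by some filesystems, so "x.php."
    // could be stored as "x.php"; reject the name instead of normalising it.
    $trimmed = rtrim($base, ". \t\r\n\0");
    if ($trimmed !== $base) {
        return 'trailing dot or whitespace in filename';
    }
    if ($trimmed === '' || $trimmed[0] === '.') {
        return 'empty or hidden filename';
    }
    if (preg_match('/[\x00-\x1f\/\\\\]/', $trimmed)) {
        return 'control or path characters in filename';
    }

    // Compare case-insensitively so "shell.PhP" is treated like "shell.php".
    $parts = explode('.', strtolower($trimmed));
    if (count($parts) < 2) {
        return 'no file extension';
    }
    array_shift($parts); // drop the stem; every remaining piece is an extension segment

    // Check every segment, so "shell.php.jpg" is rejected even though its last
    // segment is harmless.
    foreach ($parts as $seg) {
        if (in_array($seg, EXECUTABLE_EXTENSIONS, true)) {
            return "executable extension '$seg' present";
        }
    }

    // Finally the effective extension must be on the allowlist.
    $last = end($parts);
    if (!in_array($last, ALLOWED_EXTENSIONS, true)) {
        return "extension '$last' not in allowlist";
    }
    return null;
}

// Constructed sample filenames, one per rule above.
$samples = [
    'photo.jpg', 'report.PDF', 'shell.php', 'shell.php.', 'shell.PhP',
    'shell.php.jpg', 'notes.txt', '.htaccess', 'noext',
];
foreach ($samples as $s) {
    $r = checkUploadFilename($s);
    printf("%-16s %s\n", $s, $r === null ? 'accept' : "reject: $r");
}
```

The check decides only whether a name is acceptable; it does not make the stored file safe on its own. It complements the mitigation of keeping uploads in a directory the web server will not execute from, which protects the site even if a validation bug like the one described here is present.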
- Update vulnerable systems running Joomla! immediately after appropriate testing.
- Confirm that the operating system and all other applications on the system are updated with the most recent patches.
- Unless there is a business need, do not allow file uploads through the website.
- If file uploads are necessary, consider restricting uploads to directories whose permissions or web server configuration prevent execution of the uploaded files.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.