Joomla CMS is Vulnerable to Arbitrary File Upload

ITS Advisory Number: 2013-070
Date(s) Issued: Monday, August 5, 2013
Subject: Joomla CMS is Vulnerable to Arbitrary File Upload
Overview: 

Joomla! Content Management System (CMS) is prone to a vulnerability that could allow an attacker to upload arbitrary files, which could completely compromise the website running the Joomla! CMS. Joomla! is an open source content management system for websites. Successful exploitation could allow an attacker to control the web server; view, change, or delete data; and perform a defacement.

Systems Affected: 
  • Joomla! version 2.5.13 and earlier 2.5x versions
  • Joomla! version 3.1.4 and earlier 3.x versions
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: N/A
Description: 

Joomla! Content Management System (CMS) is prone to a vulnerability that allows attackers to upload arbitrary files, bypassing file type upload restrictions. This is due to a failure to properly validate the '.php' file extension of uploaded files.

Specifically, this issue affects the administrator/components/com_media/helpers/media.php script.

The 'media.php' page is used for managing media files or folders. 

An attacker can exploit this vulnerability by uploading a specially crafted file to the web server through the vulnerable application. Successful exploitation could allow an attacker to control the web server; view, change, or delete data; and perform a defacement.
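As an added illustration of the kind of check the description calls for (this is not Joomla's code and not the vendor's fix), the function below validates an uploaded file name against a strict extension allowlist. The allowlist, the sample names and the normalisation cases it handles (trailing dots and spaces, control bytes, multiple extensions) are assumptions made for this example.

```php
<?php
// Added example, not Joomla's own code: allowlist validation of an uploaded
// file name. Assumes $name is the client-supplied name (e.g. from
// $_FILES[...]['name']) and $allowed is the site's media extension allowlist.

function isSafeUploadName(string $name, array $allowed): bool
{
    // Control characters and NUL bytes can truncate the name in lower layers
    // and hide the real extension from the check, so reject them outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return false;
    }
    // Some filesystems silently drop trailing dots and spaces, so a name such
    // as "shell.php." could be stored as "shell.php". Normalise before checking.
    $name = rtrim($name, ". ");
    // A bare file name never contains a path separator.
    if ($name === '' || strpbrk($name, "/\\") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;          // no extension at all, or a dotfile like ".htaccess"
    }
    array_shift($parts);       // every segment after the base name is an "extension"
    // Each segment must be allowlisted, so "shell.php.jpg" and "image.jpg.php"
    // are both rejected rather than only the final segment being checked.
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names for demonstration.
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
$samples = ['photo.jpg', 'Photo.JPG', 'shell.php', 'shell.php.',
            'shell.php.jpg', 'shell.jpg.php', '.htaccess', "a.jpg\0.php"];
foreach ($samples as $s) {
    printf("%-16s %s\n", addcslashes($s, "\0..\37"),
           isSafeUploadName($s, $allowed) ? 'accept' : 'reject');
}
```

Only the first two sample names are accepted; the rest are rejected by one of the checks above.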

Actions: 
  • Update vulnerable systems running Joomla! immediately after appropriate testing.
  • Confirm that the operating system and all other applications on the system are updated with the most recent patches.
  • Unless there is a business need, do not allow for the uploading of files using the website.
  • If uploading of files is necessary, consider restricting uploads to directories whose permissions prevent execution of the uploaded files.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
References: 
Joomla:
http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads
http://www.joomla.org/announcements/release-news/5506-joomla-2-5-14-released.html
http://www.joomla.org/announcements/release-news/5505-joomla-3-1-5-stable-released.html
JoomlaCode.org:
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626
Securityfocus:
http://www.securityfocus.com/bid/61582