Inadequate filtering in the Joomla media manager component leads to the ability to bypass file type upload restrictions resulting in arbitrary code execution.
Exploitation
Stages
- The attacker uploads a PHP file via the Joomla media manager. The filename carries a trailing dot after the file extension, such as ‘code.php.’, which bypasses the file type restrictions. After the file uploads, Joomla removes the trailing dot.
- The attacker accesses the uploaded PHP file at ‘/joomla/images/code.php’ and executes the PHP code on the server. The attacker has gained remote code execution.
Prerequisites
The attacker must have access to the media manager component, either through unauthenticated access due to a poorly configured Access Control List or through possession of valid user credentials.
Vulnerability Description
Inadequate filtering in the Joomla media manager component leads to the ability to bypass file type upload restrictions resulting in arbitrary code execution. This vulnerability exists in versions 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4.
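The flaw is one of ordering: the extension is checked on the submitted name, and the name is cleaned up afterwards. The following Python model is an added example, not Joomla's code; the function names and extension lists are assumptions. It shows the flawed order beside a hardened one that validates the exact name to be stored, and it goes slightly beyond the trailing-dot case by also rejecting dotfiles and executable extensions hidden before the final one.

```python
import os

# Constructed lists for illustration; not Joomla's actual configuration.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
BLOCKED_EXTENSIONS = {"php", "phtml", "php5", "phar"}


def extension_of(name):
    """Lowercase text after the last dot; '' when there is no dot or the name ends in one."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def sanitize(name):
    """Model of the cleanup step: drop any path and strip trailing dots and spaces."""
    return os.path.basename(name.replace("\\", "/")).rstrip(". ")


def flawed_store_name(name):
    """Flawed order: validate the submitted name, then clean it up.

    Returns the name written to disk, or None if the upload is rejected.
    """
    if extension_of(name) in BLOCKED_EXTENSIONS:
        return None
    return sanitize(name)  # 'code.php.' becomes 'code.php' after the check


def hardened_store_name(name):
    """Hardened order: clean first, then validate the exact name that is stored."""
    final = sanitize(name)
    parts = final.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None  # no extension, empty name, or dotfile such as '.htaccess'
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return None  # allowlist on the final extension
    if any(p in BLOCKED_EXTENSIONS for p in parts[1:]):
        return None  # executable extension hidden before the last one
    return final


if __name__ == "__main__":
    for candidate in ["photo.JPG", "code.php", "code.php.", "code.php.jpg"]:
        print(repr(candidate), flawed_store_name(candidate), hardened_store_name(candidate))
```
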
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.