Joomla Component LFI Vulnerabilities
Joomla has hundreds of Controller components. Check out the Joomla Extension site for examples. Unfortunately, the vast majority of these components have LFI vulnerabilities. The vulnerability details are pretty much the same -
- The vulnerable page is "index.php".
- The "option" parameter is set to "com_xxxxxx" where xxxx is the vulnerable component name.
- Input passed via the "controller" parameter is not properly verified before being used to include files.
- By appending URL-encoded NULL bytes, an attacker can specify any arbitrary local file.
Here is an example OSVDB Search Query for a listing of these vulnerabilities.
Honeypot Attack Probes Identified
Our daily honeypot analysis has identified a mass scanning campaign aimed at various Joomla Component Local File Inclusion (LFI) Vulnerabilities. Here are a few example attacks taken from today's honeypot logs:
109.75.169.20 - - [17/Nov/2011:17:48:15 +0900] "GET /index.php?option=com_bca-rss-syndicator&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 224
174.122.220.10 - - [17/Nov/2011:00:21:32 +0100] "GET /index.php?option=com_ckforms&controller=../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)"
72.47.211.229 - - [17/Nov/2011:10:14:27 +0900] "GET /index.php?option=com_cvmaker&controller=../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 216
180.235.131.131 - - [17/Nov/2011:01:34:54 +0900] "GET /index.php?option=com_datafeeds&controller=../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 222
Notice that various components are targeted in the "option" parameter and that the a directory traversal attack is used in the "controller" parameter. The LFI data is attempting to enumerate the OS shell environment data.
Attack Statistics
- Number of attacks seen: 1538
- Number of unique attack sources: 45
Top 25 Joomla Component LFI Attacker Sources
| # of Attacks | IP Address | Country Code | Country Name | Region | Region Name | City |
|---|---|---|---|---|---|---|
| 491 | 180.235.131.131 | AU | Australia | |||
| 95 | 210.173.154.35 | JP | Japan | |||
| 86 | 74.50.25.165 | US | United States | CA | California | Anaheim |
| 80 | 91.121.87.48 | FR | France | |||
| 67 | 69.27.109.40 | CA | Canada | SK | Saskatchewan | Saskatoon |
| 58 | 46.105.98.146 | FR | France | |||
| 58 | 180.151.1.68 | IN | India | 07 | Delhi | New Delhi |
| 51 | 67.23.229.237 | US | United States | NY | New York | New York |
| 42 | 64.92.125.26 | US | United States | CO | Colorado | Denver |
| 42 | 182.255.0.200 | ID | Indonesia | |||
| 39 | 82.192.87.86 | NL | Netherlands | 07 | Noord-Holland | Amsterdam |
| 38 | 174.122.220.10 | US | United States | TX | Texas | Houston |
| 37 | 178.162.231.59 | CA | Canada | |||
| 36 | 72.47.211.229 | US | United States | CA | California | Culver City |
| 33 | 122.201.80.95 | AU | Australia | 02 | New South Wales | Sydney |
| 32 | 174.37.16.78 | US | United States | TX | Texas | Dallas |
| 31 | 64.13.224.234 | US | United States | CA | California | Culver City |
| 27 | 109.75.169.20 | GB | United Kingdom | |||
| 25 | 65.98.23.170 | US | United States | CA | California | San Francisco |
| 25 | 46.20.45.50 | DE | Germany | |||
| 24 | 193.106.93.131 | RU | Russian Federation | |||
| 16 | 85.36.63.35 | IT | Italy | |||
| 11 | 71.17.4.161 | CA | Canada | SK | Saskatchewan | Lloydminster |
| 10 | 50.73.66.4 | US | United States | |||
| 9 | 173.245.78.42 | US | United States | CA | California | Fremont |
| 8 | 92.60.124.128 | ES | Spain |
Joomla Components Targeted
Here is a listing of the various Joomla components that were targeted in today's attacks:
com_bca-rss-syndicator
com_ccnewsletter
com_ckforms
com_cvmaker
com_datafeeds
com_dioneformwizard
com_dwgraphs
com_fabrik
com_gadgetfactory
com_ganalytics
com_gcalendar
com_hsconfig
com_if_surfalert
com_janews
com_jfeedback
com_joomlapicasa2
com_joomlaupdater
com_joommail
com_jshopping
com_juliaportfolio
com_jvehicles
com_jwhmcs
com_linkr
com_mediqna
com_mmsblog
com_mscomment
com_mtfireeagle
com_ninjarsssyndicator
com_onlineexam
com_orgchart
com_pcchess
com_properties
com_rokdownloads
com_rpx
com_s5clanroster
com_sbsfile
com_sectionex
com_shoutbox
com_simpledownload
com_smestorage
com_spsnewsletter
com_svmap
com_sweetykeeper
com_userstatus
com_webeecomment
com_weberpcustomer
com_zimbcomment
Recommendations
If you are running Joomla applications, you should ensure that you are keeping up-to-date on patches and updates.
OWASP Joomla Vulnerability Scanner
OWASP has an open source Joomla Vulnerability Scanner Project that you should check out and run against your site.
OWASP ModSecurity Core Rule Set
The OWASP ModSecurity CRS includes generic directory traversal attack detections which should provide base level protections.
Commercial ModSecurity Rules From Trustwave
We have numerous virtual patches for Joomla applications including these Controller parameter LFI attacks in our commercial rules feed.
