Vulnerability in Joomla
Unfortunately, we noticed that the older versions of Joomla contain a vulnerability, which presents a critical risk and allows hackers to easily hack Joomla sites.
What exactly is this vulnerability?
The vulnerability was reported by Joomla’s security team and is described as a “privilege escalation vulnerability”. In short, a user could elevate his privileges and become an administrator without the customer’s consent.
By calling index.php?option=com_users&view=registration, a hacker can create a new user. And by adding some extra fields in the registration form and by giving them a specific value, this user instantly gets all rights and can log in.
Once the hacker gets the necessary rights, he is free to access Joomla’s backend. Hackers usually want to access the server’s file system in order to install malicious scripts (and eventually run them).
How do hackers access your hosting account?
Many hackers take advantage of the basic template of the administration module. Hackers look for certainty and one thing they know for certain is that the “Bluestork” template comes with Joomla. We also noticed that many people think that the Bluestork template is the vulnerability, but that is not the case.
In Joomla’s administrator backend, you can easily edit templates. And this is how hackers manage to inject their own code in this template. Template files such as “index.php” and “error.php” often contain malicious code, but additional files are often installed too.
These files often contain scripts that send spam or attack other websites. Obviously, these are illegal practices that we must fight.
How can you solve this problem?
The security report confirms that the vulnerability is contained in all 1.6.x and 1.7.x versions of Joomla and also in versions 2.5.0, 2.5.1 and 2.5.2. The vulnerability has been fixed in Joomla 2.5.3.
We advise every Joomla user to upgrade to the latest version of the 2.5 release. Joomla 2.5.8 is currently the latest version. You can download it on the Joomla site.
It is essential that you upgrade as soon as possible. Otherwise, your site too might be hacked.
It is also very important to log into the administrator module and check if hackers managed to create fake users. If you notice users that should not be there, please delete them right away.
We also ask you to check the folder “administrator/templates/bluestork”. If you find any malicious files in there, please delete them. Please also check if the files of this template are compromised.
What if you cannot upgrade?
Even though we strongly recommend you to upgrade your Joomla installation, we understand that this is not always an option. Some “exotic” modules may not be compatible with newer versions, or the available technical resources may be insufficient to upgrade.
In that case, you can still limit the damage. Considering that hackers use the Bluestork template anyway to save their malicious data, you could simply deny all rights related to this folder so that hackers cannot upload new hacks in this folder.
This is not a definitive solution, which does not prevent hackers from using other folders or hacking into them. It is just a tip to limit “superficial” hacks.
You can do this by denying the write permissions for “administrator/templates/bluestork” or for the complete “administrator/templates” folder.
The same advice applies if you cannot upgrade: delete malicious users from the user management and delete compromised files and replace them with the original files.
Even though open source projects such as Joomla are usually very up-to-date, this is a fundamental issue that has an impact on many versions. We advise you to take immediate action and follow the advice above.
If you experience any difficulties in checking, upgrading or securing your Joomla installation, do not hesitate to get help from Combell’s support team. Our specialists will assist you with advice and information.