Vulnerability in Akeeba Backup and Joomla!
Description
Vulnerability allows a remote attacker to extract an archive stored somewhere remotely on the attacked site while unpacking a backup or installing updates, depending on the settings. The existence of a vulnerability does not allow using it. An attacker should attack precisely at the time when the backup archive is extracted or the Joomla! Update package is being installed.
Software Affected Software Versions
- Akeeba Backup for Joomla! Professional, version 3.0.0 and higher, including 4.0.2
- Akeeba Backup Professional for WordPress, 1.0.b1 and higher, including 1.1.3
- Akeeba Solo, 1.0.b1 and higher, including 1.1.2
- Admin Tools Core and Professional, version 2.0.0 and higher, including 2.4.4. Later versions are not affected, as they do not include Joomla! update.
- Akeeba CMS Update, version 1.0.a1 and higher, including 1.0.1
- Joomla! 2.5, 3.0, 3.1, 3.2, 3.3 and higher, including 3.3.4
Operating principle
The system for restoring backups and service packs uses the restore.php file. In order to protect against influence from outside, before unpacking, a restoration.php file is created containing the authentication key that is used to sign commands to restore.php. Unsigned commands restore.php rejects. restore.php accepts the _only_ commands when the restoration.php file exists. The restoration.php file is automatically deleted immediately after the operation of extracting the archive or unpacking the update package is completed.
Vulnerability allows you to bypass encryption and send arbitrary commands to restore.php. An attacker can send a specially formed command that allows unpacking a remote archive to your site.
')
Of course, the vulnerability requires the permission of the URL in the fopen () function and writing to disk on the attacked machine.
Vulnerability elimination
- Use the Akeeba update from their site www.akeebabackup.com/home/news/1605-security-update-sep-2014.html
- Refresh Joomla! up to version 3.3.5 www.joomla.org/announcements/release-news/5567-joomla-3-3-5-released.html
Source: https://habr.com/ru/post/238745/
All Articles