Joomla CMS hacks by using vulnerability in com_fabrik

Written by - 4 comments

Published on - Listed in Internet PHP Hacks Security


This month I've already had two cases where a Joomla website has been attacked and hacked. 

A security vulnerability was used to upload a PHP shell, which then was used to upload complete fake websites. These fake websites turned then out to be Phishing websites (what else...):

Paypal Phishing Website uploaded through vulnerability

PayPal phishing website through a vulnerability in the Joomla module com_fabrik

But how did the hacker upload the PHP shell?

After checking and comparing both hack attempts two conclusions could be made:
- The hack-attack was automated, both logs showed the EXACT same way of uploading the PHP shell, just from different IP addresses.
- The vulnerability must come from a module called com_fabrik which allows to upload CSV files. A forged CSV file must have been uploaded or the upload form was 'tricked' to upload a non-csv file.

Here some lines from the log:

41.233.160.99 - - [02/Jan/2012:01:27:31 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1 HTTP/1.1" 200 9297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:27:50 +0100] "POST /index.php?option=com_fabrik HTTP/1.1" 303 - "http://www.example.com/index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:27:56 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=1&Itemid=0 HTTP/1.1" 200 9557 "http://www.example.com/index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:28:03 +0100] "GET /media/ASS.php HTTP/1.1" 401 54 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

After a quick research, this vulnerability seems to be the one described in the vulnerability report #342 of 2011-11-26: Joomla com_fabrik - Remote File Upload Vulnerability. But what is even more intriguing is the fact, that there have been other exploits before and there will probably be others in the future.

On the developer website the latest version mentioned on the blog is 2.1 and and mentions important security fixes - but that post was in July 2011.

On the download page several versions exist (3.0.3 from January 25th 2012 and 2.1.1 from September 26th 2011). Unfortunately there is no Changelog attached, so it is not known whether this particular vulnerability has been fixed or not.

My advise: Don't use this module. It seems to be too insecure for production environments.

Update February 5th 2012:
As you can see in the comments below this post, I was contacted by a developer of com_fabrik. The security hole I was writing about was fixed in version 2.1.1. In the other version, 3.x, this vulnerability never existed. Joomla users, which use com_fabrik, are strongly encouraged to update com_fabrik as soon as possible! It seems that since Joomla 2.5 the plugins like com_fabrik can be updated automatically, without having to download and update files manually.


Add a comment

Show form to leave a comment

Comments (newest first)

Claudio from Switzerland wrote on Feb 4th, 2012:

That already sounds much better. Problem though: Users, who got Joomla installed, usually don't care about updates. For them it's a "once installed, then it runs" installation. That's the problem with CMS systems and users. Administrators follow such security advices, (web-) users don't. But it's good to know that this has been improved. I'll update my post about the security fix and the possibility (since Joomla 2.5) for automatic updates.


Hugh Messenger from wrote on Feb 4th, 2012:

To quote from our exchange on Google+ just now:

The latest version of Joomla (2.5) implements one-click upgrading of plugins, and we supported that from the get go, as of our 3.0.3 release (when Joomla updated from 1.7 to 2.5). The admin is shown a list of any plugins for which there are upgrades available, and simply has to accept them with a single click.

For a variety of reasons, this is not possible prior to Joomla 2.5 (or the interim, short-life 1.7), so the Joomla 1.5 / Fabrik 2.x series will not be able to support automated updates. Which is why we strongly encourage our users to keep their email address with us up to date, so we can let them know whenever there are critical updates available.


Providing an fully automatic update service is not practical with Fabrik, as Fabrik itself is an "application builder", not a one-purpose plugin. So the admin needs to be aware of what parts of Fabrik have been updated, and any potential impact on his/her specific application, before they update.


Claudio from Switzerland wrote on Feb 4th, 2012:

Hello Hugh,
I appreciate your comment! Thanks for sharing this information. As I'm not a Joomla professional, is it possible to update automatically the module com_fabrik? Many users, like in this described hack-case, aren't professionals and don't know how to unpack and upload zip files. In Wordpress for example, installed plugins and themes can be upgraded by just clicking on a link. It would be a great security enhancement if that were the case, not only with com_fabrik but with every module.
If there is an automatic update possibility, can it be launched via cronjob or similar?


Hugh Messenger from wrote on Feb 4th, 2012:

Hi,

I\'m one of the authors of Fabrik. Just wanted to let you know this security hole was fixed in our 2.1.1 release in Sept 2011, and has never affected any of the 3.x releases. We publicized the fix, and the urgency of the need to update, as widely as we could, including mailing all our registered users.

Anyone unsure as to what version they are running or having issues upgrading should visit our forums at the website on this comment, and we\'ll be glad to assist them.

If anyone running 2.1.1 or greater still thinks they have been hacked, we urge them to let us know on our forums, or email me directly at the address below, and we\'ll investigate immediately.

-- hugh
--
Hugh Messenger
hugh.messenger@gmail.com


RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Observability   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder