Joomla JomSocial Remote Code Execution Vulnerability
The JomSocial team just released an update that fixes a very serious remote code execution vulnerability that affects any JomSocial version older than 220.127.116.11. From their hot-fix update:
Yesterday we released version 18.104.22.168 which fixes two vulnerabilities.
As a result of the first vulnerability, our own site was hacked. Thankfully, our security experts spotted the attack very quickly and our developers raced out a patch. The information of how to exploit this vulnerability can be found easily by hackers, so you should upgrade right away, to protect your site.
While we were blocking that attack, we also spotted another vulnerability: the opportunity to exploit CStringHelper::escape function to execute eval method. With this new fix, hackers will no longer be able to execute eval function. It’s all a bit technical, but the point is: it’s fixed and we were able to prevent a potential problem.
JomSocial is a widely used component on Joomla and there are thousands of sites vulnerable to it right now. Yes, there is currently an exploit being disseminated amongst the attackers and actively being used. All JomSocial site admins are encouraged to upgrade to this version as soon as possible!
Exploit in the Wild
The vulnerability is very recent, but we are already seeing thousands of requests looking for it on our website firewall. The exploit starts with a simple search (a POST request) for “option=com_community&view=frontpage”. That allows the attackers to see if the component is enabled or not depending on the return code (200 for success or 404 for not found).
If the component is available the attackers will proceed to the exploit phase with a code similar to this one:
&arg4= [\x22_d_\x22,\x22%7B%22call %22%3A%5B%22CStringHelper%22%2C%22 escape%22%2C%20%22%40exit%28%40eval %28%40base64_decode %28% ..
This allows the attackers to execute any command they want on the vulnerable site. We are collecting the attackers IP addresses and will provide better statistics on the growth of the attack over the coming days.
Sucuri Users Protected
One thing that gives us great joy is to be able to say that if you are using our web site firewall, you can be assured that you are protected already.
Our generic RCE (command execution) rules were already blocking this exploit, but we also added custom protection for this specific vulnerability and variations. If you are using this extension and are worried that you are vulnerable, try our firewall out.