Mambo and Joomla exposed as script kiddies have their summer holidays
Both Mambo and Joomla have in recent weeks had their skirts lifted by hackers who found vulnerabilities in the source code and started taking advantage of them. I have seen everything from simple defacings to the more advanced eggdrop plantations and DDoS attacks. After vulnerabilities were found in both the Mambo and Joomla cores, the fairytale continued with the discovery of several components and modules that had holes in them too. Here is a short list of components and modules you should avoid, or patch or remove completely if you have them installed:
I work for a company that has quite a few Joomla clients, and a few of these got hacked over the past few days. These attacks ranged from the annoying but harmless defacings up to the more hostile server takeover attempts. A skilled and dedicated guy at our hosting provider (kudos to Sigurd there) tracked down some of these script kiddies and got some info off them. Among other things, the URL for the site they use to check for new scripts they can use to hack people.
Being a very inexperienced hacker, I had never heard of this site. So I visited their favourite hacks list and compiled a small list of the Mambo and Joomla components and modules I could find that were listed and targeted for attack. So if you are currently using one or more of these, you should uninstall, delete, patch or whatever you want to do. Just don’t leave it unchanged, because it might be a gaping hole into your website and ultimately your webserver.
Here’s the list, updated with version numbers you can check against your own:
- com_videodb <= 0.3en
- SMF Forum Mambo Component <= 1.3.1.3
- extcalendar <= 2.0
- com_loudmouth <= 4.0j
- pc_cookbook <= 0.3
- per_forms <= 1.0
- MiniBB <= 1.5a
- com_hashcash <= 1.2.1
- HTMLarea3 <= 1.5
- Sitemap <= 2.0
- pollxt <= 1.22.07
- SimpleBoard <= 1.1.0
- com_forum <= 1.2.4 RC3
- galleria <= 1.0b
- Pearl for Mambo <= 1.6
- CBSMS <= 1.0
- multibanners <= 1.0.1
- Mam-Moodle <= alpha
- MoSpray <= 1.8RC1
And some more, not from the script kiddies hotlist, but from the Joomla forums:
- Mambo Comspray (mospray) <= 1.8 RC1
- Mosets Tree <= 1.58
- com_multibanners (unknown version)
- BSQ Sitestats <= 2.1.0
- JoomlaLib <= 1.2.1 Beta
- OpenSEF 2.0.0 RC5
- Google PageRank Module <= v1
- JoomlaBoard <= 1.1.1
- PHP Event Calendar <= 1.4
- Advanced Poll <= 2.20
- Jombook (unknown version)
- mosMedia <= 1.0.8
Take action
Visit the Joomla/Mambo extensions sites and look for updates. The Joomla 3rd party security forum is a good place to start.
If you are a producer of a 3rd party component for any of these Content Management Systems, you should read up on the Mambo or Joomla forums about these vulnerabilities to make sure your component is still safe to use. If you are a user of 3rd party software for Mambo or Joomla, now is the time to contact the software developers and ask them if they have done their job properly (after giving them credit for their great software first, of course!).
Disclaimer: I have not tested any of these hacks or checked for upgrades on any of these components or modules. I’m just telling you what I read. Stuff like extcalendar has already gotten me into a lot of trouble, since it has this nice “powered by extcalendar” at the bottom, making it easy to find hackable sites by doing a simple Google search.
on July 19th, 2006 at kl. 17.09
Yup. We have had 3 sites hacked in the last couple of days. Simple defacings as far as I have seen so far, though. The hackers that attacked us were some Islamic group spreading their propaganda.
on July 19th, 2006 at kl. 17.12
I have seen stuff far worse than simple defacing, so you should let your hosting provider know about this and have them check the server. Some simple suggestions are outlined in this thread:
http://forum.joomla.org/index.php/topic,76551.0.html
on July 22nd, 2006 at kl. 18.04
ExtCalendar & MiniCal have been updated for both Mambo and Joomla.
Details and download links are here: http://forum.mamboguru.com/showthread.php?t=318
The only ExtCalendar addon not yet updated is the Latest Events module. It is recommended that this be entirely removed from servers as there are some significant vulnerabilities with “Latest Events”.
on August 9th, 2006 at kl. 3.49
[…] The most recent serious problem with the Com_ExtCalendar component was discovered very recently–on July 7th, 2006. This issue would allow a hacker to deface or even overwrite the entire configuration file for the site. Others have written about “script kiddies” spending their summer vacations attacking Joomla sites, including those with this component. Geary told TPMmuckraker that, “We have nobody with a security background helping with this. It’s just us, what we know, how we work with our server network.” I read this as, “We just use the webserver control panel and know how to upload stuff via FTP.” […]
on July 11th, 2007 at kl. 17.17
It seems someone has found a way to get into my administration. So far they are uploading huge amounts of content onto my hosting server, and I find that they hide the folders, sometimes so that my hosting co. cannot find them.
Please help as I do not know how to upgrade properly, really scared about losing all my content. I’m so far using 1.0.10.
on July 12th, 2007 at kl. 11.10
Script kiddies do not need administration access to upload and hide folders, so you should not assume that they have admin access, but that is beside the point at this time.
Hackers could just as easily have gotten in through another application or even another website if you are using a shared hosting service. The only way to find that out is to go through the webserver logs, which your hosting co. should do.
What you need to do, regardless of what your hosting company does, is:
a) Secure your data.
You probably do not want to lose the data that you have worked a lot to accumulate. So make backups of your database and the files you might have uploaded or modified. Typical folders you would want to back up are your images folder and your templates folder. Joomla core files are not important, unless you have made modifications to them.
You might end up backing up some data that the hackers have put there, so after you have made the backup you should go through the data to ensure that it is in fact your data.
b) Go through your installed components, mambots and modules.
Compare their version numbers with the ones you find on the extension websites, for instance on extensions.joomla.org. Download the most recent versions of the stuff you have installed. Using old extensions that might have known security holes is a big security risk.
c) Consider switching hosting companies
If your hosting company is unable to stop whatever is happening to the server, you should reconsider using their service, and you should at least demand to be moved to another server that is not compromised. If the hosting company will not set up a new account for you, you should consider switching host.
Do a fresh Joomla install, using the latest Joomla version available in the 1.0 series (1.0.12 at this time). Also: Install new versions of the components you had on your old site, if new versions are available.
A lot of other security tips and measures, plus help and assistance, can be found in the Joomla security forums.
Hope this helps!
- Torkil
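The version check described in step b) above, run against the post’s own “<= version” list, as an added example that is not code from the post or the comment thread. It assumes the 1.0-era Mambo/Joomla extension manifest format (a `<mosinstall>` root with `<name>` and `<version>` elements) and matches on the lowercased manifest name; the version ordering is a heuristic for the loose strings in the list, and the manifests below are constructed samples.

```python
"""Audit Mambo/Joomla 1.0 extension manifests against the post's list (added example, assumes the <mosinstall> format)."""
import re
import xml.etree.ElementTree as ET

# Subset of the post's list: manifest <name>, lowercased -> highest version reported vulnerable.
VULNERABLE = {
    "extcalendar": "2.0",
    "simpleboard": "1.1.0",
    "com_forum": "1.2.4 RC3",
}
PRE_RELEASE = ("alpha", "beta", "rc")  # these sort below the bare release they precede

def version_key(version):
    """Heuristic sort key for loose version strings such as '1.2.4 RC3' or '1.8RC1'."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    while len(tokens) > 1 and tokens[-1] == "0":  # '2.0.0' compares equal to '2.0'
        tokens.pop()
    key = []
    for tok in tokens:
        if tok.isdigit():
            key.append((1, int(tok)))
        elif tok.lower() in PRE_RELEASE:
            key.append((0, PRE_RELEASE.index(tok.lower())))
        else:
            key.append((2, tok.lower()))  # other suffixes ('a', 'en') count as after the release
    if all(tok.isdigit() for tok in tokens):
        key.append((1, 0))  # a bare release outranks its own alpha/beta/RC builds
    return tuple(key)

def is_vulnerable(name, installed):
    """True when the installed version is at or below the advisory ceiling for that name."""
    ceiling = VULNERABLE.get(name.lower())
    return ceiling is not None and version_key(installed) <= version_key(ceiling)

def audit_manifest(xml_text):
    """Return (name, version, vulnerable) for one manifest, or None if it is not a mosinstall file."""
    root = ET.fromstring(xml_text)
    if root.tag != "mosinstall":
        return None
    name = root.findtext("name", "").strip()
    version = root.findtext("version", "").strip()
    return name, version, is_vulnerable(name, version)

# Constructed manifests in the 1.0-era format; not copied from any real extension.
SAMPLE_MANIFESTS = [
    "<mosinstall type='component'><name>ExtCalendar</name><version>2.0</version></mosinstall>",
    "<mosinstall type='component'><name>SimpleBoard</name><version>1.1.1</version></mosinstall>",
    "<mosinstall type='component'><name>com_forum</name><version>1.2.4 RC2</version></mosinstall>",
]
```

On a real install you would feed `audit_manifest` every `.xml` file under `components/`, `modules/` and `mambots/`, and treat any `True` result as “update or remove”.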
on December 22nd, 2007 at kl. 17.28
I’d like to add the com_poll component in Joomla 1.5.
Recently been bugged by an IRC eggdrop,
hackers attempting to use our server as IRC.
on January 11th, 2008 at kl. 7.16
I am using Joomla 1.0.13, VirtueMart 1.0.13a and have almost no other extensions added to my site, but still I have had my site hacked into. They hacked in sometime in October according to the file dates, and left a small directory called com_uk in the public_html/components directory.
It was a file manager script, allowing anybody to visit that page and have all the info about my site, no idea how they gained access, as all the permissions were correct etc.
I have now found that 4 of my sites were email spammers, and also had open access. I then found a small text file in another directory that had links to other sites with the file manager, 2 of them were mine on my other servers.
It is getting to the stage where I’m seriously wondering if using Joomla is the best idea in a commercial sense. I have never minded paying for scripts, as I sell them at the end of the day. So I have already started looking for commercial components.
Do you think encrypting the configuration.php file in ioncube would help, or can ioncube be cracked?
All the best
Ian
on January 11th, 2008 at kl. 10.47
Remember that gaining access to configuration.php is just one way you can do harm here. There are lots of other things that can happen, including, as you say, e-mail spammers, so I don’t think ioncube should make you sleep better. Anything can be cracked, even ioncube. A quick Google search found this, for instance: http://blog.php-security.org/archives/14-PHP-Encoders-Protection-where-are-you.html