Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Jun 2015 15:56:42 -0700
From: Dean Pierce <>
Subject: Joomla! Administrator -> web shell esclalation

I'm not sure if this is more of a bug or an exploitation technique
(depending on Joomla's threat model), but once you have obtained
Administrator or Super User access to a Joomla server, you can
escalate to a shell on the server.

In the "media manager" options, you can add to the list of allowed
file extensions.  Interestingly, if you try adding "php" to the
allowed file extensions, it still won't let you upload a web shell.

As it turns out, mod-php, by default on Ubuntu, will execute any files
with an extension that matches this regex : "^.ph(p[345]?|t|tml|ps)$"
If you rename your webshell shell.php3, and add "php3" to the allowed
file extensions, and it will upload just fine.

Possible fixes include tweaking the hardcoded blacklist such that it
matches the default mod-php regex, not serving uploads directly from
the web root, requiring shell access to modify the extension allow
list, etc.

Sent a bug report to Joomla! Security Strike Team on June 2nd, no response.

  - DEAN

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.