Bug in Joomla! Extension VirtueMart allows hackers to gain Super Admin access

Security researchers at Sucuri have found a critical security vulnerability in VirtueMart, a popular e-commerce extension for Joomla that has been downloaded more than 3.5 million times.

The vulnerability allows a malicious user to easily gain Super Admin privileges. With Super Admin access, the attacker has full control of the website.

Sucuri removed the technical details about the bug after receiving a request from the developer of VirtueMart.

"VirtueMart uses Joomla’s JUser class “bind” and “save” methods to handle user accounts information. That’s not a problem in and of itself, but this class is very tricky and easy to make mistakes with," the researcher wrote in Sucuri's blog post.

VirtueMart has claimed the bug is in Joomla itself, and researchers at Sucuri also believe the problem lies in the Joomla class. However, some Joomla experts disagree with both VirtueMart and Sucuri.

"The vulnerability is in VirtueMart's amateurish use of JUser, not the JUser class itself. JUser is a low level API in Joomla! which expects filtered input," Nicholas Dionysopoulos, a contributor to the Joomla Project, wrote in a Facebook post.

"The modus operandi of programmatic user account creation in Joomla! is to first filter the input using JInput (typically through JFactory::getApplication()->input, not a new object instance), construct an array with only the keys you need and then pass this to JUser."

The bug was discovered last week and has been fixed in the latest version of VirtueMart (v2.6.10).
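The pattern Dionysopoulos describes, written out as an added example. This is illustrative code, not VirtueMart's or Joomla's own, and it assumes it runs inside a Joomla! 2.5/3.x component so that JFactory, JRequest, JUser, JMailHelper and JComponentHelper are already loaded. The first function shows the unsafe shape (the whole request array reaching JUser::bind), the second the filtered, whitelisted one:

```php
<?php
/**
 * Added example (not VirtueMart's or Joomla's own code) of the user-creation
 * pattern Dionysopoulos describes. Assumes it runs inside a Joomla! 2.5/3.x
 * component, so JFactory, JRequest, JUser, JMailHelper and JComponentHelper
 * are already loaded.
 */
defined('_JEXEC') or die;

/**
 * Unsafe shape: the entire POST array reaches JUser::bind(). bind() stores
 * every key it is given as a user property, including 'groups', so the
 * client, not the application, decides what the account looks like.
 */
function createUserUnsafe()
{
    $data = JRequest::get('post'); // legacy API: every POST key, whatever the client sent

    $user = new JUser;
    if (!$user->bind($data) || !$user->save())
    {
        return $user->getError();
    }
    return $user->id;
}

/**
 * Safe shape: read only the fields the form is meant to carry, each through
 * a JFilterInput filter, validate them, then build the bind array by hand.
 */
function createUserSafe()
{
    $post = JFactory::getApplication()->input->post;

    $name      = $post->get('name', '', 'string');
    $username  = $post->get('username', '', 'username');
    $email     = $post->get('email', '', 'string');
    $password  = $post->get('password', '', 'raw');
    $password2 = $post->get('password2', '', 'raw');

    if ($name === '' || $username === '')
    {
        return 'Name and username are required';
    }
    if (!JMailHelper::isEmailAddress($email))
    {
        return 'Invalid e-mail address';
    }
    if ($password === '' || $password !== $password2)
    {
        return 'Passwords missing or do not match';
    }

    // The group comes from com_users configuration (its "new user type"
    // parameter), never from the request.
    $defaultGroup = (int) JComponentHelper::getParams('com_users')->get('new_usertype', 2);

    // Only these keys exist in the array handed to bind().
    $data = array(
        'name'      => $name,
        'username'  => $username,
        'email'     => $email,
        'password'  => $password,
        'password2' => $password2,
        'groups'    => array($defaultGroup),
        'block'     => 0,
    );

    $user = new JUser;
    if (!$user->bind($data) || !$user->save())
    {
        return $user->getError();
    }
    return $user->id;
}
```

The point of the second function is that the array passed to bind() is assembled from named, filtered variables, so a request key the form never defined (such as 'groups') has no path into the user record; the group membership is fixed by configuration on the server side.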

Joomla 3.2.2 is vulnerable to SQL Injection and XSS

If your website is running Joomla 3.2.2, upgrade your CMS to the latest version.

Joomla 3.2.3 has been released, addressing more than 40 bugs and four security vulnerabilities.

One of the patched security flaws is an SQL injection caused by inadequate escaping, rated High severity. It affects versions 3.1.0 through 3.2.2.

The other two are cross-site scripting vulnerabilities, rated Medium severity.

The last one allows unauthorized logins via GMail authentication, caused by inadequate checking. It affects versions 2.5.8 and earlier 2.5.x, and 3.2.2 and earlier 3.x.

Even if the 40 bug fixes don't matter to you, the security fixes do. Update your CMS now, before an attacker informs you of the problem by hacking your site.
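A quick way to triage a site against the advisories above, as an added example (not Joomla's own code). It assumes the core manifest administrator/manifests/files/joomla.xml, present on 2.5 and 3.x sites, carries the installed version in its <version> element; the sample manifest in the block is constructed. The function goes slightly beyond the 3.2.3 notes by also flagging the outdated 1.5 branch, which has multiple critical vulnerabilities of its own:

```php
<?php
/**
 * Added example (not Joomla's own code): triage a Joomla! core version against
 * the advisories summarised above. Assumes the core manifest
 * administrator/manifests/files/joomla.xml, present on 2.5 and 3.x sites,
 * carries the version in its <version> element; the sample manifest below
 * is constructed for the example.
 */

/** Read the core version out of the joomla.xml manifest text, or null. */
function joomlaVersionFromManifest($xml)
{
    $doc = @simplexml_load_string($xml);
    if ($doc === false || !isset($doc->version)) {
        return null;
    }
    return trim((string) $doc->version);
}

/** Issues from the 3.2.3 advisories that apply to $version, as strings. */
function joomlaAdvisories($version)
{
    $found  = array();
    $parts  = explode('.', $version);
    $branch = isset($parts[1]) ? $parts[0] . '.' . $parts[1] : $version; // e.g. "3.2"
    $major  = $parts[0];

    // SQL injection via inadequate escaping (High): 3.1.0 through 3.2.2.
    if (version_compare($version, '3.1.0', '>=') && version_compare($version, '3.2.2', '<=')) {
        $found[] = 'SQL injection, High (3.1.0 through 3.2.2)';
    }

    // Unauthorised logins via GMail authentication: 2.5.8 and earlier 2.5.x,
    // 3.2.2 and earlier 3.x.
    if (($branch === '2.5' && version_compare($version, '2.5.8', '<='))
        || ($major === '3' && version_compare($version, '3.2.2', '<='))) {
        $found[] = 'Unauthorised GMail-authentication logins (2.5.8 and earlier 2.5.x; 3.2.2 and earlier 3.x)';
    }

    // Two Medium XSS fixes shipped with 3.2.3; the advisory summary gives no
    // affected range, so this only notes that a 3.x install below 3.2.3 lacks them.
    if ($major === '3' && version_compare($version, '3.2.3', '<')) {
        $found[] = 'XSS fixes, Medium (shipped in 3.2.3; this version predates them)';
    }

    // Generalisation beyond the 3.2.3 notes: the 1.5 branch is outdated and
    // carries multiple critical vulnerabilities, so flag it outright.
    if ($branch === '1.5') {
        $found[] = 'Joomla 1.5 branch is outdated with multiple critical vulnerabilities; migrate';
    }

    return $found;
}

// Constructed sample: what the manifest of a 3.2.2 site looks like.
$sampleManifest = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.2" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.2.2</version>
</extension>
XML;

if (PHP_SAPI === 'cli') {
    $version = joomlaVersionFromManifest($sampleManifest);
    echo "Joomla $version\n";
    foreach (joomlaAdvisories($version) as $issue) {
        echo " - $issue\n";
    }
}
```

Run from the command line it reports all three 3.2.3 findings for the constructed 3.2.2 manifest; point joomlaVersionFromManifest() at the real file on a site to check it.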

Thousands of Joomla websites using JomSocial vulnerable to Remote Code Execution

Thousands of Joomla websites using JomSocial are vulnerable to a Remote Code Execution vulnerability. JomSocial is a social networking extension for the Joomla CMS.

The extension is currently listed on Joomla's Vulnerable Extensions List. The vulnerability is being exploited in the wild; several users have reported that their websites have been hacked.

According to JomSocial, attackers breached the JomSocial website itself by exploiting this vulnerability. JomSocial's security team spotted the attack and released a patch for the vulnerability. While analysing the vulnerability being exploited, they also discovered another critical vulnerability.

The vulnerability was discovered by security researcher Matias Fontanini, who notified JomSocial about it. At first, the team said the issue had been fixed in 3.1.0.1; the researcher then found that 3.1.0.1 was also vulnerable.

Vulnerability Details:
The vulnerability is located in the 'photos' controller, 'ajaxUploadAvatar' task. The parameters parsed by the 'Azrul' plugin are not properly sanitized before being used in a call to the 'call_user_func_array' PHP function.

"This allows an attacker to execute arbitrary static class functions, using any amount of user-provided parameters." An attacker can exploit this vulnerability by calling the CStringHelper::escape function to execute arbitrary PHP code.

(Screenshot: HTTP request exploiting the vulnerability)

More technical details about the vulnerability and the exploit code are available here.

Since exploit code is already publicly available, all JomSocial admins are advised to upgrade to the latest version of the extension (v3.1.0.4) as soon as possible.
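The bug class described above, a request-controlled callable and argument list reaching call_user_func_array(), shown beside a hardened dispatcher as an added example. This is not JomSocial's or the Azrul plugin's code: the request keys 'func' and 'args' and the CExample* classes are invented for the illustration, and the real parameter parsing is not reproduced.

```php
<?php
/**
 * Added example of the bug class behind the JomSocial issue: a callable and
 * its argument list taken from the request and handed to call_user_func_array().
 * This is not JomSocial's or the Azrul plugin's code; the request keys 'func'
 * and 'args' and the CExample* classes are invented for the illustration.
 */

class CExampleHelper
{
    /** The one operation the endpoint is meant to expose. */
    public static function thumbnailUrl($file)
    {
        return '/images/avatars/thumb_' . basename($file);
    }
}

class CExampleAdmin
{
    /** Unrelated static method that the unsafe dispatcher can also reach. */
    public static function setGroup($userId, $groupId)
    {
        return "user $userId moved to group $groupId";
    }
}

/**
 * Unsafe: the client picks the class, the method and every argument, so
 * any static method loaded in the process becomes callable with any arity.
 */
function dispatchUnsafe(array $request)
{
    $callable = explode('::', (string) $request['func'], 2); // "Class::method"
    $args     = isset($request['args']) ? (array) $request['args'] : array();
    return call_user_func_array($callable, $args);
}

/**
 * Hardened: a fixed allowlist maps an operation name to a known callable,
 * and the single argument is validated before the call.
 */
function dispatchSafe(array $request)
{
    static $allowed = array(
        'thumbnail' => array('CExampleHelper', 'thumbnailUrl'),
    );
    $op = isset($request['func']) ? (string) $request['func'] : '';
    if (!isset($allowed[$op])) {
        throw new InvalidArgumentException("unknown operation '$op'");
    }
    $file = isset($request['args'][0]) ? (string) $request['args'][0] : '';
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $file)) {
        throw new InvalidArgumentException('bad file name');
    }
    return call_user_func($allowed[$op], $file);
}

if (PHP_SAPI === 'cli') {
    $intended = array('func' => 'CExampleHelper::thumbnailUrl', 'args' => array('me.jpg'));
    $hostile  = array('func' => 'CExampleAdmin::setGroup', 'args' => array(42, 7));

    echo dispatchUnsafe($intended), "\n";   // works as the developer intended
    echo dispatchUnsafe($hostile), "\n";    // ...and so does the unintended call

    echo dispatchSafe(array('func' => 'thumbnail', 'args' => array('me.jpg'))), "\n";
    try {
        dispatchSafe(array('func' => 'CExampleAdmin::setGroup', 'args' => array(42, 7)));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The fix is not sanitising the class name harder; it is removing the client's ability to name a callable at all. The allowlist keys are opaque operation names, the callee and its arity are fixed in code, and the one remaining input is validated for the exact shape the callee expects.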

Bangladesh National Commission for UNESCO and MoCHTA websites hacked

Sil3nt hack3r, a member of a hacking crew called Muslim Cyber Sh3ll'z, has breached multiple Bangladesh government websites and defaced them.

The affected websites include the Ministry of Chittagong Hill Tracts Affairs, the Bangladesh National Commission for UNESCO, BPSC Departmental Examination (portal.bpsc.gov.bd) and the Cabinet Division (cabinet.gov.bd).

The breach took place a few days ago, but some of the sites have still not been restored by their administrators and continue to display the defacement page.

The defacement page is still visible at 'www.bncu.gov.bd' and 'www.mochta.gov.bd/ck.htm'.

Apart from the Bangladeshi government websites, the crew also defaced an Indian government website (pcmcindia.gov.in) and a Vietnamese government website (cti.gov.vn).

This is not the first time the Bangladesh National Commission for UNESCO website has been attacked. It has been defaced multiple times in the past; last month it was defaced by Rahm Anonymous.

*Outdated Joomla:
At EHN, we found that the affected government websites are running the outdated Joomla 1.5, which has multiple critical vulnerabilities.