Vulnerability in Akeeba Backup and Joomla!

    Description


    The vulnerability allows a remote attacker to extract an archive stored on a remote server onto the attacked site while a backup is being unpacked or updates are being installed, depending on the settings. The mere presence of the vulnerability is not enough to exploit it: the attacker must strike at exactly the moment when the backup archive is being extracted or the Joomla! update package is being installed.

    Affected Software Versions


    • Akeeba Backup for Joomla! Professional, version 3.0.0 and higher, including 4.0.2
    • Akeeba Backup Professional for WordPress, 1.0.b1 and higher, including 1.1.3
    • Akeeba Solo, 1.0.b1 and higher, including 1.1.2
    • Admin Tools Core and Professional, version 2.0.0 and higher, including 2.4.4. Later versions are not affected, as they do not include Joomla! update.
    • Akeeba CMS Update, version 1.0.a1 and higher, including 1.0.1
    • Joomla! 2.5, 3.0, 3.1, 3.2, 3.3 and above, including 3.3.4


    Operating principle


    Backup restoration and update package installation both use the restore.php file. To protect against outside interference, a restoration.php file containing an authentication key is created before unpacking; this key is used to sign commands sent to restore.php. restore.php rejects unsigned commands, and it accepts commands _only_ while the restoration.php file exists. The restoration.php file is deleted automatically as soon as the archive extraction or update package unpacking is complete.

    The vulnerability makes it possible to bypass the encryption and send arbitrary commands to restore.php. An attacker can send a specially crafted command that unpacks a remote archive onto the site.

    Of course, exploitation requires that the fopen() function is allowed to open URLs and that writing to disk is permitted on the attacked machine.
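
    A defender's check built on the two conditions above, added here as an example (not code from Akeeba or Joomla!): it finds each restore.php under a web root and reports whether a restoration.php key file sits next to it, and it reads allow_url_fopen, the PHP setting that lets fopen() open URLs, from php.ini text. The same-directory location of restoration.php, the one-hour staleness threshold and the function names are assumptions; the sample tree is constructed.

```python
import os
import re
import tempfile
import time

def url_fopen_enabled(ini_text):
    """True if php.ini text leaves allow_url_fopen on (PHP's default is On)."""
    enabled = True
    for line in ini_text.splitlines():
        m = re.match(r"\s*allow_url_fopen\s*=\s*\"?(\w+)", line.split(";", 1)[0], re.I)
        if m:
            enabled = m.group(1).lower() in ("1", "on", "true", "yes")
    return enabled

def audit_webroot(root, stale_after=3600, now=None):
    """Report the state of every restore.php found under root.

    closed: no restoration.php, so restore.php rejects every command
    active: restoration.php exists and is recent (extraction in progress)
    stale:  restoration.php older than stale_after seconds (assumed threshold),
            i.e. not cleaned up, so restore.php still accepts commands
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "restore.php" not in files:
            continue
        key_file = os.path.join(dirpath, "restoration.php")
        if not os.path.isfile(key_file):
            state = "closed"
        elif now - os.path.getmtime(key_file) > stale_after:
            state = "stale"
        else:
            state = "active"
        findings.append((os.path.relpath(dirpath, root), state))
    return sorted(findings)

def demo():
    """Constructed sample tree with one component directory per state."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        for name, age in (("comp_a", None), ("comp_b", 86400), ("comp_c", 5)):
            os.makedirs(os.path.join(root, name))
            open(os.path.join(root, name, "restore.php"), "w").close()
            if age is not None:
                key_file = os.path.join(root, name, "restoration.php")
                open(key_file, "w").close()
                os.utime(key_file, (now - age, now - age))
        return audit_webroot(root, now=now)

if __name__ == "__main__":
    print(demo())
    print(url_fopen_enabled("allow_url_fopen = Off ; constructed php.ini line"))
```

    A "stale" result is the one to act on: the key file outlived its operation, so the window the advisory describes is still open on that site.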

    Vulnerability Elimination


