In this blog post, we describe our second pro bono penetration test focusing on the top-10 extensions of the popular content management system (CMS) Joomla. In contrast to our first pro bono penetration test, we had a much wider scope due to 10 different CMS extensions. Therefore, we have decided to do an empirical study. In total, we responsibly reported 103 vulnerabilities.

In September 2019, we were happy to announce our pro bono penetration test program for web and single sign-on applications. Our first candidate was the KeePass-compatible password manager KeeWeb. This post covers our second pro bono penetration test, which targeted the top-10 extensions of the Joomla CMS.

Why We Selected Joomla

Historically, we have a long-term relationship with Joomla’s security team lead David Jardin. Known from previous projects like SIWECOS, we are confident that David and his team do a good job in developing a secure CMS. However, after a discussion with David we came to the conclusion that third-party extension developers may not be aware of the security mechanisms provided by the CMS.

CMS extensions allow developers to easily include payment gateways, backup tools, and social media components. Due to the extended functionality, it is not surprising that such an expansion of complexity implies a bigger attack surface. In contrast to CMS core systems, extensions are usually not considered during public security audits. However, Cross-Site Scripting (XSS) or SQL Injection (SQLi) attacks within an enabled extension have the same effect on the security of a CMS as similar issues within the core itself. Therefore, vulnerabilities within extensions are a very attractive tool for malicious parties.

Summary of Our Results

We discovered that nearly every second Joomla instance also includes one of Joomla's official top-10 rated extensions. More importantly, we detected that every single one of the official top-10 rated extensions is vulnerable to XSS and 30% of them to SQLi. Our findings are not only relevant to Joomla: two of the analyzed extensions are also available for systems like WordPress or Drupal and introduce the same vulnerabilities there. We responsibly reported 103 vulnerabilities across multiple CMSs, of which 86 were discovered within Joomla extensions; Table 1 gives an overview of the official top-10 rated extensions and the discovered vulnerabilities. Last but not least, we pinpoint mitigation strategies that can be realized within extensions to achieve the same security level as the core CMS.

Table 1: Security analysis of the top-10 rated Joomla extensions in October 2018. The percentage of installations was calculated by considering all 7,797 detected Joomla installations. In the XSS columns, rXSS denotes reflected, sXSS stored, and DOMXSS DOM-based vulnerabilities.

Joomla! Extension        Identifying Path      Installations  rXSS  sXSS  DOMXSS  SQLi
-----------------------  --------------------  -------------  ----  ----  ------  ----
Akeeba Backup            com_akeeba            59.6%          3     -     -       -
AcyMailing               com_acymailing        34.4%          5     -     -       1
Advanced Module Manager  com_advancedmodules   12.4%          -     1     -       -
JEvents                  com_jevents           11.9%          5     2     -       1
eXtplorer                com_extplorer         11.4%          6     -     -       -
Phoca Gallery            com_phocagallery      4.7%           18    -     -       -
Community Builder        com_comprofiler       3.6%           1     -     -       -
Ark Editor               com_arkeditor         3.1%           2     5     -       1
Ozio Gallery             com_oziogallery3      1.7%           -     31    -       -
Sigplus                  /media/sigplus        1.2%           -     1     3       -

Example Vulnerability: Reflected XSS in JEvents

In JEvents, we discovered the following potentially vulnerable code

<input type="text" [...] value="<?php echo $this->keyword;?>" />

within the component file form_body.php. Because the parameter $this->keyword is echoed directly without any escaping mechanism, we further investigated its origin. Our investigation led us to the component's controller file (search.php), in which PHP code processes the request parameter keyword.


$keyword = $jinput->getString('keyword', '');                  // raw request parameter
$upper_limit = 20;
if (JString::strlen($keyword) > $upper_limit) {
  $keyword = JString::substr($keyword, 0, $upper_limit - 1);   // truncated copy ...
}
$keyword = $db->escape($jinput->getString('keyword', ''));     // ... overwritten here: the raw value is read again and only SQL-escaped
[...]
$this->view->assign("keyword",$keyword);                       // reaches form_body.php without any HTML encoding

search.php: the PHP code protects against SQLi attacks, but not against injection into the HTML context.

At the beginning of the displayed code from search.php, the request parameter keyword is saved in the variable $keyword. Afterwards, the input is truncated to the predefined maximum length of 20 characters. However, instead of using the already truncated value, JEvents re-reads the original input value and applies only a protection against SQLi vulnerabilities ($db->escape). Escaping for SQL does not protect against injection into the HTML code of the web page, which makes the parameter vulnerable to XSS. Finally, the SQL-escaped value is assigned to the view without any truncation.

The following malicious URI could be used to trigger an XSS payload:

/index.php/searchjevents?keyword=XSS" onfocus=alert(1) autofocus=

We break out of the attribute context with a double-quote sign and automatically execute arbitrary JavaScript code by triggering the event handler onfocus. Based on the privileges of the attacked user, it is possible to attack the complete Joomla installation as Joomla's frontend and backend reside on the same origin; for example, this might allow an attacker to get administrator privileges.
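The root cause above is escaping for the wrong output context: $db->escape() is a database-layer function, while the value is printed inside an HTML attribute. The following stand-alone PHP snippet is an added example, not JEvents or Joomla code, showing the same flow with the fix applied: truncate once, keep that value, and HTML-encode it at the point where it is written into the value="..." attribute. It runs without Joomla; the function names normaliseKeyword, escapeForHtmlAttribute and renderKeywordInput are hypothetical, and the Joomla helpers they stand in for (JInput::getString, StringHelper::substr, and the view's $this->escape() wrapper around htmlspecialchars()) are named in the comments.

```php
<?php
// Added example (not from JEvents or Joomla): context-aware handling of the
// `keyword` request parameter from the search.php / form_body.php excerpt.
declare(strict_types=1);

// Same limit as $upper_limit in the original controller code.
const KEYWORD_UPPER_LIMIT = 20;

/**
 * What search.php should do: truncate once and keep the truncated value.
 * In Joomla the raw value comes from $jinput->getString('keyword', '') and the
 * truncation would use StringHelper::substr(); mb_substr() is the plain-PHP
 * equivalent. Truncation limits the payload size but is not a security control.
 */
function normaliseKeyword(string $raw): string
{
    if (mb_strlen($raw, 'UTF-8') > KEYWORD_UPPER_LIMIT) {
        $raw = mb_substr($raw, 0, KEYWORD_UPPER_LIMIT, 'UTF-8');
    }
    return $raw;
}

/**
 * Output encoding for the HTML attribute context of form_body.php.
 * Joomla views expose this as $this->escape($value), which wraps
 * htmlspecialchars(). ENT_QUOTES encodes both " and ', so the value can never
 * close the attribute it is printed into; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function escapeForHtmlAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The input element as the patched view should render it. SQL escaping
 * ($db->escape) or, better, bound query parameters belong at the database
 * query, not in the template.
 */
function renderKeywordInput(string $rawKeyword): string
{
    $keyword = normaliseKeyword($rawKeyword);
    return '<input type="text" name="keyword" value="'
        . escapeForHtmlAttribute($keyword) . '" />';
}

// Constructed inputs: a harmless search term and the payload from the blog post.
$benign  = 'joomla events';
$payload = 'XSS" onfocus=alert(1) autofocus=';

// The vulnerable rendering from form_body.php, reproduced only for comparison.
echo 'vulnerable: <input type="text" value="' . $payload . '" />' . PHP_EOL;
// Hardened: the double quote becomes &quot;, so the attribute is never closed.
echo 'hardened:   ' . renderKeywordInput($payload) . PHP_EOL;
echo 'benign:     ' . renderKeywordInput($benign) . PHP_EOL;
```

Run with php on the command line; the hardened line shows the quote encoded as &quot; and the rest of the payload left inert inside the attribute. The design point is that each output context gets its own encoder: HTML attribute values are encoded with the view's escape helper, SQL values are bound or escaped at the query, and neither substitutes for the other.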

Download our complete empirical study about Joomla here [1].

Concluding Remarks

The security impact of extensions shows that highly-ranked extensions must receive as much attention as the CMS core system. Every extension should be critically reviewed before being published in the official directory. This should be done by dedicated security audits – one of Hackmanit’s main focuses – or carefully implemented automated security tools.

From a scientific point of view, it is also interesting to study the missing separation between Joomla’s core and its extension system. New research directions could study the possibility regarding the separation of both technologies, and develop multi-stage concepts of separating accessible data from the extensions and the core system.

Overall, our findings prove that these directions should not only be followed by Joomla, but additionally, similar techniques and research directions should be studied in other CMSs, such as Drupal and WordPress.

Pro Bono Penetration Test Program

Are you involved with a non-commercial organization or the development of an open-source application and would like to participate in our pro bono program?

Get more information about how to become a pro bono candidate by reading our Pro Bono Penetration Test Program blog post.


Do you think the bugs described above are interesting and would you like to conduct a penetration test yourself? Have a look at our career page and see if there is an interesting job offer for you.

[1] M. Niemietz, M. Korth, C. Mainka, J. Somorovsky. Over 100 Bugs in a Row: Security Analysis of the Top-Rated Joomla Extensions, arXiv:2102.03131, 2021. URL: https://arxiv.org/pdf/2102.03131.pdf.