The Joomla! Local File Inclusion Vulnerability

This has been a huge security issue for quite some time: Joomla! websites are being hacked left, right and center because of this Local File Inclusion (LFI) vulnerability.

What's the cause?

It basically boils down to some bad Joomla! documentation: the official tutorial for creating a custom Joomla! component contained the hacker's holy grail, an LFI hole in the official guide for writing extensions. Obviously this means there will be hundreds, if not thousands, of extensions written from this documentation, all of which have inherited the LFI vulnerability.

The example below is where the problem is. The JRequest::getVar() function retrieves data from the $_REQUEST array, and developers assume that because there is a custom Joomla! interface for the $_REQUEST array, it must be filtering out evil user input.

PHP Code

<?php

// Vulnerable pattern from the old tutorial: getVar() returns the raw request
// value, so $controller goes into the include path without any filtering.
if ($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}

?>

Of course this is not the case: nothing is being filtered, and that leaves the extension wide open to an LFI vulnerability.

The solution

Instead of using JRequest::getVar(), the solution is to use JRequest::getWord() (allowing only A-Za-z_) or JRequest::getCmd() (allowing only A-Za-z0-9.-_). Personally I use getWord() because it's more restrictive and I tend not to use numbers, decimal points or hyphens in controller names.

PHP Code

<?php

// getWord() strips everything outside A-Za-z_, so a request value made of
// path separators or dots filters down to an empty string and nothing is included.
if ($controller = JRequest::getWord('controller')) {
    // now we know $controller can only contain A-Za-z_
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}

?>
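As an added, stand-alone illustration (this is not code from the original article or from the Joomla! project), the script below approximates the character filtering the article attributes to JRequest::getWord() and JRequest::getCmd() with plain preg_replace() calls, and adds a second check the tutorial never had: after the name is filtered and .php is appended, the resolved path must still sit directly inside the component's controllers directory. That second check is the defence-in-depth answer to the "appending .php makes it safe" belief discussed under The damage. The component directory, the controller file and the request values are all constructed for the demo.

```php
<?php
// Added example, not from the original article or from Joomla!.
// filterWord()/filterCmd() approximate the character classes the article
// quotes for JRequest::getWord() (A-Za-z_) and JRequest::getCmd()
// (A-Za-z0-9.-_). resolveController() adds a realpath() containment check.

defined('DS') || define('DS', DIRECTORY_SEPARATOR);

// Stand-in for the JPATH_COMPONENT constant Joomla! defines: a temporary
// component directory holding one legitimate controller (constructed).
$base = sys_get_temp_dir() . DS . 'com_demo_' . getmypid();
@mkdir($base . DS . 'controllers', 0700, true);
file_put_contents($base . DS . 'controllers' . DS . 'hello.php',
    "<?php echo \"hello controller loaded\\n\";\n");
define('JPATH_COMPONENT', $base);

/** Keep only A-Za-z_ (the set the article gives for JRequest::getWord()). */
function filterWord($value)
{
    return preg_replace('/[^A-Za-z_]/', '', (string) $value);
}

/** Keep only A-Za-z0-9.-_ (the set the article gives for JRequest::getCmd()). */
function filterCmd($value)
{
    return preg_replace('/[^A-Za-z0-9._-]/', '', (string) $value);
}

/**
 * Resolve a raw request value to a controller file path, or return null.
 * Null means: empty after filtering, file does not exist, or the resolved
 * path is not directly inside JPATH_COMPONENT/controllers.
 */
function resolveController($raw)
{
    $name = filterWord($raw);
    if ($name === '') {
        return null;
    }
    $dir = realpath(JPATH_COMPONENT . DS . 'controllers');
    if ($dir === false) {
        return null;
    }
    // realpath() collapses any remaining ../ segments and returns false for
    // a file that does not exist, so a bogus name never reaches require_once.
    $file = realpath($dir . DS . $name . '.php');
    if ($file === false || dirname($file) !== $dir) {
        return null;
    }
    return $file;
}

// Constructed request values: one legitimate controller name, then the kind
// of traversal strings the article calls "evil input".
$inputs = array('hello', '../../../../etc/passwd', 'hello/../hello', '', 'Hello World');
foreach ($inputs as $raw) {
    $path = resolveController($raw);
    printf("%-28s word=%-14s cmd=%-28s %s\n",
        var_export($raw, true),
        var_export(filterWord($raw), true),
        var_export(filterCmd($raw), true),
        $path === null ? 'REJECTED' : 'include ' . basename($path));
    if ($path !== null) {
        require_once $path;
    }
}

// Clean up the temporary component directory.
unlink($base . DS . 'controllers' . DS . 'hello.php');
rmdir($base . DS . 'controllers');
rmdir($base);
```

Run it with `php demo.php`: only the value 'hello' is included; the traversal strings filter down to letters that match no controller, and the empty and space-containing values are rejected before any include is attempted. The getCmd() column shows that the looser character set still removes every slash, which is why either filter closes the hole in the article's example.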

The damage

To rub salt into the wound, a lot of coders believe that because .php is appended to the user input before the include, it is secure: any evil input will have the .php extension appended, so the PHP interpreter will not find the file. I have seen an example of this thought process on a public forum. These people are unaware that there is a character which can be added to the evil input that terminates the filename and effectively removes the .php extension, giving the attacker access to any file on the filesystem.

The most common evil input for this attack is /etc/passwd: on a Linux server, the server's user list will be sent to the attacking client. With the right request and server configuration, an attacker can turn this LFI into a Remote File Inclusion (RFI) exploit and even execute server processes and commands.

There is also a chain reaction: developers have created their own tutorials off the back of this one, so there are further example extensions with the LFI hole in them. The extent of the damage can be seen in the Joomla! Vulnerable Extensions List.
