[Honeypot Alert] Mass Joomla Component LFI Attacks Identified

Joomla Component LFI Vulnerabilities

Joomla has hundreds of Controller components. Check out the Joomla Extension site for examples. Unfortunately, the vast majority of these components have LFI vulnerabilities. The vulnerability details are pretty much the same -

  • The vulnerable page is "index.php".
  • The "option" parameter is set to "com_xxxxxx" where xxxx is the vulnerable component name.
  • Input passed via the "controller" parameter is not properly verified before being used to include files.
  • By appending URL-encoded NULL bytes, an attacker can specify any arbitrary local file.

Here is an example OSVDB search query for a listing of these vulnerabilities.

Honeypot Attack Probes Identified

Our daily honeypot analysis has identified a mass scanning campaign aimed at various Joomla Component Local File Inclusion (LFI) Vulnerabilities. Here are a few example attacks taken from today's honeypot logs:

109.75.169.20 - - [17/Nov/2011:17:48:15 +0900] "GET /index.php?option=com_bca-rss-syndicator&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 224

174.122.220.10 - - [17/Nov/2011:00:21:32 +0100] "GET /index.php?option=com_ckforms&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)"

72.47.211.229 - - [17/Nov/2011:10:14:27 +0900] "GET /index.php?option=com_cvmaker&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 216

180.235.131.131 - - [17/Nov/2011:01:34:54 +0900] "GET /index.php?option=com_datafeeds&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 222

Notice that various components are targeted in the "option" parameter and that a directory traversal attack is used in the "controller" parameter. The LFI payload is attempting to read /proc/self/environ, the environment variables of the web server process, terminating the include path with an encoded NULL byte (%00).

Attack Statistics

  • Number of attacks seen: 1538
  • Number of unique attack sources: 45

Top 25 Joomla Component LFI Attacker Sources

# of Attacks  IP Address       Country Code  Country Name        Region  Region Name      City
491           180.235.131.131  AU            Australia
95            210.173.154.35   JP            Japan
86            74.50.25.165     US            United States       CA      California       Anaheim
80            91.121.87.48     FR            France
67            69.27.109.40     CA            Canada              SK      Saskatchewan     Saskatoon
58            46.105.98.146    FR            France
58            180.151.1.68     IN            India               07      Delhi            New Delhi
51            67.23.229.237    US            United States       NY      New York         New York
42            64.92.125.26     US            United States       CO      Colorado         Denver
42            182.255.0.200    ID            Indonesia
39            82.192.87.86     NL            Netherlands         07      Noord-Holland    Amsterdam
38            174.122.220.10   US            United States       TX      Texas            Houston
37            178.162.231.59   CA            Canada
36            72.47.211.229    US            United States       CA      California       Culver City
33            122.201.80.95    AU            Australia           02      New South Wales  Sydney
32            174.37.16.78     US            United States       TX      Texas            Dallas
31            64.13.224.234    US            United States       CA      California       Culver City
27            109.75.169.20    GB            United Kingdom
25            65.98.23.170     US            United States       CA      California       San Francisco
25            46.20.45.50      DE            Germany
24            193.106.93.131   RU            Russian Federation
16            85.36.63.35      IT            Italy
11            71.17.4.161      CA            Canada              SK      Saskatchewan     Lloydminster
10            50.73.66.4       US            United States
9             173.245.78.42    US            United States       CA      California       Fremont
8             92.60.124.128    ES            Spain

Joomla Components Targeted

Here is a listing of the various Joomla components that were targeted in today's attacks:

com_bca-rss-syndicator, com_ccnewsletter, com_ckforms, com_cvmaker, com_datafeeds, com_dioneformwizard, com_dwgraphs, com_fabrik, com_gadgetfactory, com_ganalytics, com_gcalendar, com_hsconfig, com_if_surfalert, com_janews, com_jfeedback, com_joomlapicasa2, com_joomlaupdater, com_joommail, com_jshopping, com_juliaportfolio, com_jvehicles, com_jwhmcs, com_linkr, com_mediqna, com_mmsblog, com_mscomment, com_mtfireeagle, com_ninjarsssyndicator, com_onlineexam, com_orgchart, com_pcchess, com_properties, com_rokdownloads, com_rpx, com_s5clanroster, com_sbsfile, com_sectionex, com_shoutbox, com_simpledownload, com_smestorage, com_spsnewsletter, com_svmap, com_sweetykeeper, com_userstatus, com_webeecomment, com_weberpcustomer, com_zimbcomment

Recommendations

If you are running Joomla applications, you should ensure that you are keeping up-to-date on patches and updates.

OWASP Joomla Vulnerability Scanner

OWASP has an open source Joomla Vulnerability Scanner Project that you should check out and run against your site.

OWASP ModSecurity Core Rule Set

The OWASP ModSecurity CRS includes generic directory traversal attack detections which should provide base level protections.

Commercial ModSecurity Rules From Trustwave

We have numerous virtual patches for Joomla applications including these Controller parameter LFI attacks in our commercial rules feed.