We have just released the September 2014 signature update for the new version of Trustwave Web Application Firewall, version 7.0.
Joomla Content Editor (JCE) Unrestricted File Upload and Code Execution Vulnerability
JCE extensions for Joomla prior to version 2.0.11 contain multiple security vulnerabilities that allow remote attackers to execute arbitrary code by uploading executable files to the server.
Joomla Content Editor (JCE) File Upload and Code Execution Vulnerability
Earlier this year, SpiderLabs issued a Honeypot alert warning about an increase in exploitation attempts of a file upload vulnerability in JCE extensions for Joomla. Attackers can exploit this vulnerability to execute code on the server and potentially gain full control of the server and the application.
Note that some of the attack attempts were already detected by file uploads ("PHP Injection") and payload obfuscation ("Obfuscation Attempt") signatures. Since the increase of scanning and exploitation efforts continues as indicated by the Web Honeypots logs and research sites, we are releasing an online update to better classify such malicious activity and allow for finer grained blocking policy actions based on this specific exploit attempt.
How to Update
No action is required of customers that run version 7.0 of Trustwave Web Application Firewall and subscribe to the online update feature. Their deployments will receive the update automatically.
Note that even if blocking actions are defined for a protected site, simulation mode for this rule is ON by default so that site managers can inspect the impact of new rules before actual blocking takes place. If you would like to activate blocking actions for this rule, you need to update the Actions for this signature in the Policy Manager.