Paladion recently discovered vulnerabilities in extensions for the content management system Joomla that could leave users exposed to attackers. As open source software, Joomla has more than 2 million live users and contributors. Its popularity has also prompted other coders and companies to produce more than 8,000 extensions that offer additional features. However, in certain cases, use of some of these extensions exposed users to security risks and attacks.
As part of its continual, intensive cybersecurity monitoring and research, Paladion found instances of data not being validated when being exported from Joomla extensions to a CSV file format. Paladion security expert Suresh Narvaneni, who found the flaws, said, “This vulnerability made it possible for an attacker to spread malware via spreadsheets such as Microsoft Excel and LibreOffice Calc. Unauthorized remote machine access was also possible.”
Suresh identified the issue in specific Joomla extensions from Acyba and notified Joomla immediately. In addition, a missing validation on a URL field when creating a new company record and a cross-site scripting (XSS) vulnerability were found in the JS Jobs extension from Joom Sky.
Joomla then contacted the developers of the extensions concerned, and the issues were fixed within one day. Joomla also published a note on the vulnerability. The note explained how special characters in exported data could be interpreted as formulae (CSV formula injection) or as commands that open programs such as Windows PowerShell.
Suresh added, “An additional risk was the exfiltration of data from spreadsheets. Yet another was the tendency of users to ignore security warnings in spreadsheets they believe to be safe because they download them from their own websites.”
Using the information from Paladion, extension developer Acyba rapidly released a patch to protect exports of data destined for Excel. Extension developer Joom Sky also released a patch for JS Jobs. For the following Joomla extensions, Paladion recommends users take these actions: for AcySMS, update this extension to version 3.5.1 or later; for AcyMailing, update this extension to version 5.9.6 or later; for JS Jobs, update this extension to version 1.2.1. Paladion also said that security operations centers could identify such vulnerabilities in other extensions by checking for malicious user input such as macro injection or link injection (as for AcySMS, AcyMailing) or JavaScript injection (as for JS Jobs).
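To illustrate the CSV formula injection issue described above and the kind of export hardening and SOC check Paladion recommends, the following added example (not code from Paladion, Joomla, Acyba or Joom Sky) neutralizes formula-like cells before writing a CSV export and scans an existing export for cells a spreadsheet would evaluate. The trigger characters, function names and sample subscriber rows are assumptions constructed for the example.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula; a leading tab or carriage return can smuggle one of them past naive checks.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)

def neutralize_cell(value) -> str:
    """Prefix a formula-like value with a single quote so the spreadsheet shows it
    as literal text. Side effect: negative numbers are exported as text too."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text

def export_csv(rows, header):
    """Serialize rows to CSV with every cell neutralized. QUOTE_ALL wraps each
    field in double quotes, so separators inside a value cannot split a field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_suspicious_cells(csv_text: str):
    """Check an existing export: return (row, column) of every cell a spreadsheet
    would interpret as a formula. Useful as a SOC check on files an extension produces."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits

# Constructed sample: subscriber records as a mailing or SMS extension might export
# them, including two cells that a spreadsheet would evaluate rather than display.
SAMPLE_ROWS = [
    ("Alice", "alice@example.com"),
    ("=1+1", "bob@example.com"),
    ("@SUM(1,2)", "carol@example.com"),
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, ("name", "email")))
```

Running the scanner over an extension's raw export before it is opened in a spreadsheet gives a quick indicator of whether user-supplied fields are reaching the file unvalidated.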